Cloudflare Releases Turnstile Challenge System As A Gridless CAPTCHA Alternative

Last year, Cloudflare, a company that provides DDoS mitigation, content delivery network (CDN) services, and many other services, published a blog post declaring its intention to kill CAPTCHAs. Now, about a year and a half later, the company is introducing an alternative to standard CAPTCHAs that should be much faster and live up to the CAPTCHA name. CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart. However, CAPTCHAs often don’t fulfill their promise to be completely automated, instead asking users to complete some kind of puzzle or task as proof they aren’t bots.

The grid-based image selection flavor of CAPTCHAs in particular can sometimes be infuriating. It can require users to complete the task multiple times, leaving them to question whether to select the few pixels of a crosswalk or stoplight that bleed over into another tile. According to Cloudflare, it takes an average of 32 seconds for users to complete CAPTCHA challenges. Based on this metric, Cloudflare estimates that humanity collectively wastes a total of 500 years’ worth of time solving CAPTCHAs every single day.

In recent years, Google, the most prominent provider of CAPTCHAs by far, has changed its reCAPTCHA to better fulfill the promise of CAPTCHAs. reCAPTCHA v3 is intended to operate on every page of a website, silently working in the background to assess whether visitors are legitimate users or not. While this background activity may be less intrusive to users than a puzzle, it raises privacy concerns. The reCAPTCHA v3 system is embedded all over the web and collects user behavior data in order to learn how users interact with webpages. Using this data and machine learning, the system assigns a risk score to each user. One of the key indicators that reCAPTCHA v3 checks when assigning risk scores is whether users have active Google account cookies installed in their browsers. Google may then tie user behavior collected from reCAPTCHA back to users’ Google accounts, giving preferential treatment to those signed into their Google accounts by assigning them lower CAPTCHA risk scores.

Cloudflare Turnstile verification process in action

In light of these privacy concerns, Cloudflare switched from reCAPTCHA to hCaptcha in 2020. While hCaptcha may have better user privacy practices, it doesn’t eliminate the frustration and time-wasting caused by CAPTCHAs. Determined to address these issues, Cloudflare has been busy working on solutions and is now introducing an open beta for its alternative.

Dubbed “Turnstile,” this alternative human user verification system is designed to be completely automated, fast, and privacy-preserving. Rather than ask users to provide proof of their humanity, Turnstile instead asks the operating system on users’ machines to perform the verification for them. Upcoming versions of Apple’s macOS and iOS will support this technique, which employs what are called “Private Access Tokens.”

Operating systems will perform their own automated validations of users’ humanity using device information, then issue tokens confirming this validation. Since the operating system is intended to perform the validation process, Turnstile isn’t predicated on mass data collection. Turnstile is designed to receive Private Access Tokens from the operating system, check some basic browser information, and let users continue on without any additional checks or challenges. From the user’s perspective, a small verification widget will briefly say “Verifying…,” then switch to read “Success!”

Cloudflare’s blog post announcing Turnstile states that the tool is free to use, with the company affirming its dedication to a better Internet. Hopefully we’ll see websites adopt this new alternative to CAPTCHAs and a resulting reduction in frustration and wait times.