Cloudflare’s CAPTCHA replacement lacks crosswalks, checkboxes, Google
Cloudflare has recently made an audacious claim: We could all be doing something better with our lives than deciding which images contain crosswalks or stop lights or clicking an “I’m not a robot” checkbox. Now the cloud services company is offering up a free CAPTCHA alternative, Turnstile, available to anyone, Cloudflare customer or not, and specifically calling out Google’s role in the existing “prove you’re a human” hegemony.
Turnstile utilizes Cloudflare’s Managed Challenge system, which takes cues from user behavior, browser data, and, on Apple devices, Private Access Tokens, to distinguish human visitors from bots and scripts. Cloudflare claims that its Managed Challenge system was able to reduce 91 percent of CAPTCHAs served to its customers’ visitors over a year.
Turnstile integrations run “a series of small non-interactive JavaScript challenges” to investigate the visitor, including proof of work and space, probing for web APIs, and “various other challenges for detecting browser-quirks and human behavior,” Cloudflare’s post states. The challenges vary by visitor, and machine learning can update the model with the common features of visitors who previously passed a test. The user only sees a “Verifying …” widget for a moment, then “Success!”