Cloudflare Wants to Replace CAPTCHAs with FIDO Keys

Originally published at: https://brian.carnell.com/articles/2021/cloudflare-wants-to-replace-captchas-with-fido-keys/

Cloudflare is testing a system to allow users to use FIDO keys to skip CAPTCHAs.

From a user perspective, a Cryptographic Attestation of Personhood works as follows:

1. The user accesses a website protected by Cryptographic Attestation of Personhood, such as cloudflarechallenge.com.
2. Cloudflare serves a challenge.
3. The user clicks I am human (beta) and gets prompted for a security device.
4. User decides to use a Hardware Security Key.
5. The user plugs the device into their computer or taps it to their phone for wireless signature (using NFC).
6. A cryptographic attestation is sent to Cloudflare, which allows the user in upon verification of the user presence test.

Completing this flow takes five seconds. More importantly, this challenge protects users’ privacy since the attestation is not uniquely linked to the user device. All device manufacturers trusted by Cloudflare are part of the FIDO Alliance. As such, each hardware key shares its identifier with other…
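
The user presence check in step 6, sketched as an added example (not code from the article or from Cloudflare). It assumes the security key's response carries WebAuthn authenticator data; the relying party ID `example.test`, the function names and the sample bytes are constructed for illustration, and verifying the attestation signature and certificate chain is outside its scope.

```python
import hashlib
import hmac
import struct

FLAG_UP = 0x01  # bit 0: user present (the key was touched or tapped)
FLAG_UV = 0x04  # bit 2: user verified (PIN or biometric)
FLAG_AT = 0x40  # bit 6: attested credential data follows the header


class PresenceError(ValueError):
    """Raised when authenticator data fails a server-side check."""


def check_user_presence(auth_data: bytes, expected_rp_id: str) -> dict:
    """Validate the fixed 37-byte header: rpIdHash(32) | flags(1) | signCount(4)."""
    if len(auth_data) < 37:
        raise PresenceError("authenticator data shorter than 37 bytes")
    rp_id_hash, flags, sign_count = struct.unpack(">32sBI", auth_data[:37])
    expected = hashlib.sha256(expected_rp_id.encode("utf-8")).digest()
    # Reject responses produced for a different site.
    if not hmac.compare_digest(rp_id_hash, expected):
        raise PresenceError("rpIdHash does not match the expected relying party")
    if not flags & FLAG_UP:
        raise PresenceError("user presence (UP) flag is not set")
    result = {"user_verified": bool(flags & FLAG_UV),
              "sign_count": sign_count, "aaguid": None}
    if flags & FLAG_AT:
        # Attested credential data: aaguid(16) | credIdLen(2) | credId | public key
        if len(auth_data) < 55:
            raise PresenceError("AT flag set but attested data is truncated")
        (cred_len,) = struct.unpack(">H", auth_data[53:55])
        if len(auth_data) < 55 + cred_len:
            raise PresenceError("credential ID runs past end of data")
        # The AAGUID names the authenticator model, not one individual key.
        result["aaguid"] = auth_data[37:53].hex()
    return result


def build_sample(rp_id: str, flags: int, sign_count: int = 1,
                 aaguid: bytes = b"", cred_id: bytes = b"") -> bytes:
    """Constructed test input; the COSE public key is omitted for brevity."""
    data = hashlib.sha256(rp_id.encode("utf-8")).digest()
    data += struct.pack(">BI", flags, sign_count)
    if flags & FLAG_AT:
        data += aaguid + struct.pack(">H", len(cred_id)) + cred_id
    return data


if __name__ == "__main__":
    sample = build_sample("example.test", FLAG_UP | FLAG_AT,
                          aaguid=bytes(range(16)), cred_id=b"\x01" * 16)
    print(check_user_presence(sample, "example.test"))
```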