Website owners can stop annoying visitors with Google’s CAPTCHA now that Cloudflare is opening free beta access to its challenge-free replacement, Turnstile.

Instead of inspecting the user’s browser for a Google cookie, or asking visitors to pick an image showing a particular object, Turnstile combines private access tokens (PATs) with a limited amount of browser fingerprinting to validate that the user is a human.
Cloudflare has spent a year working with Apple, Google and other tech companies to create PATs as an extension to an Internet Engineering Task Force draft standard, The Privacy Pass HTTP Authentication Scheme.
It has been trialling PATs with Apple since June.
“By collaborating with third parties like device manufacturers, who already have the data that would help us validate a device, we are able to abstract portions of the validation process, and confirm data without actually collecting, touching, or storing that data ourselves,” Cloudflare said in a blog post.
“Rather than interrogating a device directly, we ask the device vendor to do it for us.
“While Turnstile has to look at some session data (like headers, user agent, and browser characteristics) to validate users without challenging them, Private Access Tokens allow us to minimize data collection by asking Apple to validate the device for us.
“In addition, Turnstile never looks for cookies (like a login cookie), or uses cookies to collect or store information of any kind.”
To work beyond the world of Apple, Turnstile runs “a series of small non-interactive JavaScript challenges gathering more signals about the visitor/browser environment.”
Challenges like proof-of-work, proof-of-space, specific web APIs, and detecting “browser quirks and human behavior” help it fine-tune its behaviour.
Turnstile also uses machine learning to identify visitors who have passed a challenge before, the company said.
As well as reducing frustration for end users, Cloudflare said it believes displacing Google’s nearly ubiquitous CAPTCHA denies the search giant one data collection opportunity.