Cloudflare Takes A Stab At A Captcha That Doesn’t Suck

There’s a uniquely bitter rage that comes from being asked to click every box that contains a parking meter only to then be told that you missed one because of a tiny sliver of gray that barely floated into the periphery of an otherwise empty, adjacent square. It’s a familiar fury, and one that captchas have been provoking across the web for years, but these maddening tools are important for blocking bots from conducting fraud and other abuse. Google’s reCaptcha, the dominant tool around the world for implementing these checks, came out with a version in 2018 that uses machine learning to silently check humanness behind the scenes and phase out the garbled, blurry strings of letters and grids full of traffic lights. This week, the internet infrastructure company Cloudflare is releasing a competitor.

Like reCaptcha, Cloudflare’s new alternative, dubbed Turnstile, is free, and you don’t have to be a Cloudflare customer to put it on your site. Turnstile is based on a tool called Cloudflare Managed Challenge that the company released for its own services in April. When you do a captcha, you are completing a “challenge” of your humanness. Managed Challenge, on the other hand, runs quick and silent checks of your browser’s technical behavior and other telemetry in an attempt to determine that you are human without asking you to do anything. Only if the tool doesn’t have adequate confidence will it show you a “harder challenge” or a puzzle to solve. And Managed Challenge is constantly testing different types of puzzles to find the options that are less frustrating for users.

Captchas are an important security defense across the web, but Cloudflare is billing Turnstile as particularly privacy-protective as well. The tool will look at some browser session data, like browser characteristics and data from website rendering mechanisms, but the service doesn’t check advertising cookies or login cookies. And the company plans to outsource as much data review as possible to minimize how much Cloudflare ever sees. For example, Turnstile will check for Apple’s “Private Access Tokens,” launched this year as a tool for attesting that a user is human and reducing the need for captchas.

Researchers have found in recent years that Google’s reCaptcha checks to see whether a user has a Google login cookie as one of the factors in determining whether they are human. Google denies that reCaptcha data is used for anything other than challenges, but some have pointed out that the data could be used in targeted advertising campaigns.

Cloudflare says that since launching Managed Challenge, it has reduced the number of captchas it serves by 91 percent. And the company adds that users previously spent an average of 32 seconds doing captchas on its own sites. Since implementing Managed Challenge, the average wait time is one second because of the new feature’s silent, behind-the-scenes challenges. In the Cloudflare dashboard, the captcha option is now called “Legacy Captcha.” The company says that “this more accurately describes what CAPTCHA is: an outdated tool that we don’t think people should use.”

Turnstile is part of a broader industry effort to rework captchas and make them less frustrating for users. But reCaptcha’s ubiquity and familiarity may hinder adoption of new alternatives. As the field shifts, though, it may be ripe for a new player—especially one that doesn’t make you want to chuck your laptop into the sea.