Leading web infrastructure and website security company Cloudflare has published an article claiming that humanity wastes about 500 years per day solving CAPTCHAs—those annoying, predominantly picture-based security checks that users have to click on to convince websites that they aren’t bots. The mind-numbing process has driven Cloudflare to propose an alternative to CAPTCHAs called “Cryptographic Attestation of Personhood,” which leverages USB security keys (e.g., YubiKeys) to confirm that the user is human. Users with the appropriate hardware can check out how Cloudflare’s new security check works by visiting

The short version is that your device has an embedded secure module containing a unique secret sealed by your manufacturer. The security module is capable of proving it owns such a secret without revealing it. Cloudflare asks you for proof and checks that your manufacturer is legitimate.
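The three steps in that summary (a sealed per-device secret, a proof of possession that does not reveal it, and a check that the manufacturer is one the verifier trusts) map onto a small challenge-response protocol. The following is an added illustration, not Cloudflare's code and not the FIDO/WebAuthn attestation format a real security key speaks: it uses Schnorr-style signatures over secp256k1 built from the standard library, the manufacturer names are constructed, and the "endorsement" stands in for the X.509 attestation certificate a real key carries.

```python
"""Toy model of hardware attestation: a device proves it holds a secret
sealed at manufacture, and the verifier checks that the key was endorsed
by a manufacturer it trusts. Added example; assumptions are marked."""
import hashlib
import secrets

# secp256k1 domain parameters (public, standardised constants).
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029FCDB2DCE28D959F2815B16F81798 + 0x0,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798, G[1])


def _add(a, b):
    """Point addition on y^2 = x^3 + 7; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)


def _mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt = _add(pt, pt)
        k >>= 1
    return acc


def curve_self_check():
    """Sanity check on the constants: G lies on the curve and has order N."""
    on_curve = (G[1] ** 2 - G[0] ** 3 - 7) % P == 0
    return on_curve and _mul(N, G) is None


def _enc(pt):
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")


def _challenge_scalar(*parts):
    h = hashlib.sha256()
    for part in parts:
        h.update(part)
    return int.from_bytes(h.digest(), "big") % N


def keygen():
    x = secrets.randbelow(N - 1) + 1
    return x, _mul(x, G)


def sign(x, msg):
    """Schnorr signature: proves knowledge of x for public key x*G
    without revealing x (the nonce k hides it in s)."""
    k = secrets.randbelow(N - 1) + 1
    R = _mul(k, G)
    c = _challenge_scalar(_enc(R), _enc(_mul(x, G)), msg)
    return R, (k + c * x) % N


def verify(pub, msg, sig):
    R, s = sig
    c = _challenge_scalar(_enc(R), _enc(pub), msg)
    return _mul(s, G) == _add(R, _mul(c, pub))  # s*G == R + c*pub


class Manufacturer:
    """Endorses device keys: 'this key lives in a secure module I made'."""
    def __init__(self, name):
        self.name, (self._sk, self.pk) = name, keygen()

    def provision(self):
        sk, pk = keygen()  # in reality generated inside the secure element
        return Device(sk, pk, self.name, sign(self._sk, b"endorse:" + _enc(pk)))


class Device:
    def __init__(self, sk, pk, maker, endorsement):
        self._sk = sk  # never leaves the module; only signatures do
        self.pk, self.maker, self.endorsement = pk, maker, endorsement

    def attest(self, challenge):
        return sign(self._sk, b"challenge:" + challenge)


class Verifier:
    def __init__(self, trusted):
        self.trusted = dict(trusted)  # manufacturer name -> manufacturer key

    def new_challenge(self):
        return secrets.token_bytes(32)  # fresh per request, defeats replay

    def check(self, device_pk, maker, endorsement, challenge, response):
        maker_pk = self.trusted.get(maker)
        if maker_pk is None:
            return False  # unknown or untrusted manufacturer
        if not verify(maker_pk, b"endorse:" + _enc(device_pk), endorsement):
            return False  # key was not endorsed by that manufacturer
        return verify(device_pk, b"challenge:" + challenge, response)


def demo():
    """Returns (genuine ok, replay rejected, untrusted maker rejected,
    transplanted endorsement rejected). Manufacturer names are constructed."""
    good, rogue = Manufacturer("ExampleKeyCo"), Manufacturer("UnknownCo")
    v = Verifier({good.name: good.pk})
    d, d2 = good.provision(), rogue.provision()
    ch = v.new_challenge()
    resp = d.attest(ch)
    return (v.check(d.pk, d.maker, d.endorsement, ch, resp),
            not v.check(d.pk, d.maker, d.endorsement, v.new_challenge(), resp),
            not v.check(d2.pk, d2.maker, d2.endorsement, ch, d2.attest(ch)),
            not v.check(d2.pk, good.name, d.endorsement, ch, d2.attest(ch)))


if __name__ == "__main__":
    print(curve_self_check(), demo())
```

Two things the toy makes visible. The verifier never sees the device secret, only signatures, so possession is proved without disclosure; but it does see a per-device public key, which is a stable identifier across sites. Whether the manufacturer check can be done without handing the verifier such an identifier is exactly the privacy question the comments below raise.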

  1. I am entirely and universally opposed to their proposed solution. It would essentially kill any little bit of internet privacy we have left.

    I would propose a legal ban on ever trying to tie a site request to a device or person in order to protect privacy.

    We don’t need captchas. There is no reason an automated bot shouldn’t be able to access a site, other than if it is trying to break into an account, and that is easily solved by solutions like fail2ban which easily defeats any brute force attack by increasing the amount of timeout to the next account login based on the number of incorrect attempts.

    This is just a bullshit attempt to try to get in on even more of the tracking advertising money pie, which IMHO should be completely illegal. Any and all collection and/or monetization of data on a person should be completely illegal. I don’t care if that kills all of silicon valley.

    Maybe effing Cloudflare can also propose a solution to their shitty ass AI that automatically blocks VPN exit point IPs based on multiple requests coming from them.

    Cloudflare is the goddamn bane of my existence.

    We need to put the genie back into the bottle to where serverlogs exist only for server troubleshooting, and cookies are only used on a single site to remember website settings, or we need to burn the entire thing down and start from scratch.

  2. I don’t mind proving I’m human – clicking a pic isn’t a huge ask. I do mind being used as slave labor to train up Google’s picture AI though, and it’s clear that’s what a lot of their captchas are. I can certainly think of better ways to accomplish it.

    The more I think about it… the more I think Zath is probably right. I can’t think of many page loads that should be bot prohibited. But I can think of a lot of transactions that should. Unfortunately, a lot of web activity has come to equate a transaction with a page load.

    As far as Cloudflare’s idea — yeah, it’s a blatant attempt at tracking. May as well use your SSN or credit card info, and it does nothing to stop a bot, who could just as easily have a dongle/token plugged into their computer as well…

