Cloudflare wants to replace CAPTCHAs with Turnstile

Ahead of its Connect conference in October, Cloudflare this week announced an ambitious new project called Turnstile, which seeks to do away with the CAPTCHAs used throughout the web to verify people are who they say they are. Available to site owners at no charge, Cloudflare customers or no, Turnstile chooses from a rotating suite of “browser challenges” to check that visitors to a webpage aren’t, in fact, bots.

CAPTCHAs, the challenge-response tests most of us have encountered when filling out forms, have been around for decades, and they’ve been relatively successful at keeping bot traffic at bay. But the rise of cheap labor, bugs in various CAPTCHA flavors and automated solvers have begun to poke holes in the system. Several websites offer human- and AI-backed CAPTCHA-solving services for as low as $0.50 per thousand solved CAPTCHAs, and some researchers claim AI-based attacks can successfully solve CAPTCHAs used by the world’s most popular websites.

Cloudflare itself was once a CAPTCHA user. But according to CTO John Graham-Cumming, the company was never quite satisfied with it — if Cloudflare’s public rallying cries hadn’t made that clear. In a conversation with TechCrunch, Graham-Cumming listed what he sees as the many downsides of CAPTCHA technology, including poor accessibility (visual disabilities can make it impossible to solve a CAPTCHA), cultural bias (CAPTCHAs assume familiarity with objects like U.S. taxis) and the strains that CAPTCHAs place on mobile data plans.

Image: Cloudflare Turnstile. Image Credits: Cloudflare

“The biggest issue with CAPTCHA is that user experience is terrible. As computers have gotten better at solving them, the user experience has only gotten worse,” Graham-Cumming said in an email interview.

Cloudflare at one point moved to a service called hCaptcha — to mixed reviews. One frequent challenge asked users to enter their name, say whether they prefer eggplants or carrots and click every one of 27 images showing a train. The blowback — and the fees imposed by some CAPTCHA services — is part of what spurred Cloudflare to develop its own alternative, according to Graham-Cumming.

“We’ve been working on a solution for several years and blogged a few months back about how we have decreased our own CAPTCHA usage by 91%. Since we’ve proven it worked for us, we wanted to give everyone the option of getting rid of CAPTCHA,” he added.

Turnstile automatically chooses a browser challenge based on “telemetry and client behavior exhibited during a session,” Cloudflare says, rather than factors like login cookies. After running non-interactive JavaScript challenges to gather signals about the visitor and browser environment, and using AI models to detect features and visitors who’ve passed a challenge before, Turnstile fine-tunes the difficulty of the challenge to the specific request — without requiring users to solve a puzzle.

To deploy Turnstile, web admins create a Cloudflare account and obtain the necessary embed code, which they then paste into their website’s code. After adding a server-side call to Cloudflare’s Turnstile API, the service goes live. Any site can call the API.
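The deployment described above has two halves: the widget embedded in the page, and a server-side call that checks the token the widget produced. The second half is the one that matters for security, because the token arriving with a form submission proves nothing until the server has asked Cloudflare whether it is valid. The following is an added example, not Cloudflare's own code. The siteverify URL, the `secret`/`response`/`remoteip` form fields, the `cf-turnstile-response` field the widget submits and the `timeout-or-duplicate` error code come from Cloudflare's public Turnstile documentation; the hostname and action checks after the call, the `TEST_SECRET`/`example.com` values and the fake siteverify replies are constructed for this example.

```python
"""Server-side verification of a Cloudflare Turnstile token (added example)."""
import json
import urllib.parse
import urllib.request

SITEVERIFY_URL = "https://challenges.cloudflare.com/turnstile/v0/siteverify"

# Client half of the deployment: the markup the page needs. The widget
# submits its token in the form field `cf-turnstile-response`.
WIDGET_HTML = """
<script src="https://challenges.cloudflare.com/turnstile/v0/api.js" async defer></script>
<form method="POST" action="/signup">
  <div class="cf-turnstile" data-sitekey="YOUR_SITE_KEY" data-action="signup"></div>
  <button type="submit">Sign up</button>
</form>
"""


def post_form(url, fields):
    """Real transport: POST urlencoded fields to `url`, parse the JSON reply."""
    data = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(url, data=data, timeout=10) as resp:
        return json.loads(resp.read().decode())


def verify_turnstile(token, secret, expected_hostname, expected_action=None,
                     remote_ip=None, post=post_form):
    """Return (ok, reasons). Fails closed on any doubt.

    `post` is injectable so the decision logic can be exercised offline.
    """
    # Reject obviously bad input before spending a network round-trip
    # (2048 is an assumed upper bound on token length for this example).
    if not token or len(token) > 2048:
        return False, ["missing-input-response"]
    fields = {"secret": secret, "response": token}
    if remote_ip:
        fields["remoteip"] = remote_ip
    try:
        result = post(SITEVERIFY_URL, fields)
    except Exception as exc:  # timeout, connection error, malformed JSON
        return False, [f"siteverify-unreachable: {exc}"]
    # Cloudflare says whether the token is valid; `error-codes` explains why not.
    if not result.get("success"):
        return False, list(result.get("error-codes") or ["unknown-failure"])
    # A token issued for someone else's hostname is not valid for this site.
    if result.get("hostname") != expected_hostname:
        return False, ["hostname-mismatch"]
    # If the widget was rendered with data-action, pin the token to that action.
    if expected_action is not None and result.get("action") != expected_action:
        return False, ["action-mismatch"]
    return True, []


# --- Offline demonstration with constructed fakes of the siteverify reply ---

def make_fake_post(replies):
    """Return a `post` stand-in that answers from a dict keyed by token."""
    def fake_post(url, fields):
        assert url == SITEVERIFY_URL
        assert fields["secret"] == "TEST_SECRET"
        return replies[fields["response"]]
    return fake_post


# Constructed sample replies, one per situation the verifier has to handle.
CONSTRUCTED_REPLIES = {
    "good-token": {"success": True, "hostname": "example.com", "action": "signup",
                   "challenge_ts": "2022-09-29T12:00:00Z"},
    # A token presented a second time is rejected by Cloudflare itself.
    "replayed-token": {"success": False, "error-codes": ["timeout-or-duplicate"]},
    # Valid token, but solved on a page served under a different hostname.
    "other-site-token": {"success": True, "hostname": "other.example", "action": "signup"},
    # Valid token from the login widget being reused on the signup form.
    "wrong-action-token": {"success": True, "hostname": "example.com", "action": "login"},
}


def demo(token):
    """Run the verifier against the constructed replies for `token`."""
    return verify_turnstile(token, "TEST_SECRET", "example.com",
                            expected_action="signup",
                            post=make_fake_post(CONSTRUCTED_REPLIES))


if __name__ == "__main__":
    for t in ["good-token", "replayed-token", "other-site-token", "wrong-action-token", ""]:
        print(t or "<empty>", demo(t))
```

The hostname and action checks are the part a practitioner most often forgets: `success: true` only means Cloudflare issued the token for some site key, so the server still has to confirm it was solved on its own hostname and for the form it protects. Tokens are single-use, so a replayed submission comes back with `timeout-or-duplicate` and is rejected without any extra bookkeeping on the application side.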

“If you’re using an existing CAPTCHA service today, it’s just a find and replace on the code string,” Graham-Cumming said. “It’s compatible with any other network provider … You don’t have to use any other Cloudflare services, like our content delivery network, to use Turnstile.”

Image: A diagram showing how Cloudflare’s Turnstile system works. Image Credits: Cloudflare

Cloudflare claims that Turnstile is just as secure as CAPTCHA, taking advantage of features like private access tokens to minimize the amount of data that’s collected. Newly implemented in iOS 16 and macOS Ventura, private access tokens work by having a device send anonymized authentication information — tokens — to a compatible website without exposing any sensitive information about itself.

Cloudflare and rival service Fastly were among the first to announce support for private access tokens with Apple hardware.

The question is whether sites will be persuaded to deploy Turnstile over the incumbent CAPTCHA. By one measure, 97.7% of the top million websites by traffic use Google’s reCAPTCHA, currently the most popular CAPTCHA service on the market. Cloudflare says it’s working on plugins for major platforms like WordPress to make Turnstile easier to deploy, but it’ll likely take time to convince admins that it’s worth the effort — assuming they’re ever convinced.

Graham-Cumming seemed mostly indifferent, noting that Cloudflare doesn’t have an obvious business incentive to drive adoption.

“We built an alternative, proved it works well for us and opened it up to other sites about as soon as we possibly could,” he said. “Since we’ve proven it worked for us, we wanted to give everyone the option of getting rid of CAPTCHA. Helping make the internet better really is our mission. We think giving this away to any website is a way to do that.”

As far as next steps are concerned, Graham-Cumming says that private access tokens are the best indicator for where Cloudflare would like to move in the future. The company tested a USB-based security system in the past, but requiring hardware adds a high degree of friction, he conceded.

“Customers and networks both care more and more about privacy and data segmentation. The ability for us to abstract portions of the validation to other parties without having to collect data ourselves is likely to continue,” Graham-Cumming added. “For example, [people] mention biometric authentication. I think it’s more likely we partner with hardware makers to use private access tokens to do biometric validation for us and pass an encrypted token proving that validation to us rather than doing biometric authentication ourselves.”