Cloudflare CAPTCHAs Will Be Replaced With Turnstile 

Cloudflare is replacing its CAPTCHAs with Turnstile; the company made the announcement ahead of its Connect conference in October.

The CAPTCHAs used throughout the web to verify users will be replaced with Turnstile. It chooses from a rotating suite of “browser challenges” to check that visitors to a webpage aren’t, in fact, bots, whether or not you are a Cloudflare user.

CAPTCHAs, the challenge-and-response tests on forms that have been around for decades, can’t keep up with sophisticated AI. Cheap labour, different flaws in each kind of CAPTCHA, and automated solvers have created holes in the system. Several websites offer human- and AI-backed services that solve thousands of CAPTCHAs for $0.50 apiece. The issue with them is they can’t keep up with the most popular websites’ challenges.

Cloudflare once used CAPTCHA technology. Cloudflare CTO John Graham-Cumming does not believe in CAPTCHA and has said so publicly. There are many aspects of CAPTCHA which are undesirable: poor accessibility for visually impaired people, cultural bias – CAPTCHAs assume people from around the world are familiar with taxis from the United States – and strains on mobile data plans.

Graham-Cumming said in an email interview, “The biggest issue with CAPTCHA is that the user experience is terrible. As computers have gotten better at solving them, the user experience has only gotten worse.”

To make money, Cloudflare utilised a CAPTCHA service called “hCaptcha”. However, this generated mixed reviews. Users would have to provide their name and answer whether they prefer eggplants or carrots. They had to click every one of 27 images showing a train. Due to the criticisms and fees that CAPTCHA services like this trigger, Cloudflare created its own alternative.

MatchCaptcha is an AI that removes CAPTCHA for everyone, decreasing their usage by 91%. It’s proven to work for Reddit and now it gives the option to other sites.

Turnstile dynamically selects a challenge for the user based on their browser, to ensure that every visitor solves the correct puzzle.

With Turnstile, web admins need a Cloudflare account and an embed code. They then add it to their website’s code or add server-side calls, and they are ready to go live.

To use Turnstile, you only have to find and replace a few lines of code on your CAPTCHA service. It’s compatible with any other network provider and doesn’t have to be used with Cloudflare.

According to Cloudflare, Turnstile is just as secure as CAPTCHA, taking advantage of features like private access tokens to minimise the amount of data that’s collected. Newly implemented in iOS 16 and macOS Ventura, private access tokens work by having a device send anonymous authentication information — tokens — to a compatible website without exposing any sensitive information about itself.

Cloudflare and Fastly were among the first to announce support for private access tokens.

Cloudflare’s new reCAPTCHA replacement, Turnstile, is working to convince sites to use it. There are many open-source plugins for major platforms being developed. This will make site conversion from Google’s CAPTCHA easier.

Graham-Cumming seemed mostly indifferent, noting that Cloudflare doesn’t have an obvious business incentive to drive adoption.

He added, “We found an alternative to CAPTCHA which we have its quality in mind. We are always thinking about how to make the internet a better place and after finding this, we don’t want to limit the option of not using CAPTCHA only to our site. The internet should be improved across the board.”

Cloudflare has tested and is still interested in a USB-based security system. Cloudflare reported that they are on the fence, waiting to see how customers will react to their proxy login service.

The privacy-focused mindset refers to the way customers and networks care about data segmentation and security. Graham-Cumming said companies would be more likely to partner with hardware companies and pass biometric information in an encrypted token, rather than authenticating themselves.
