Cloudflare launches campaign to ‘end the madness’ of CAPTCHAs Cloudflare has called on the world to “end this madness” by consigning Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHAS) to the dustbin of history. The internet-grooming firm’s beef with CAPTCHAS - specifically those that require users to identify images - is that they take 32 seconds to …
"...we proposed that rather than them paying us we pay them. This ensured they had the resources to scale their service to meet our needs. While that has imposed some additional costs, those costs were a fraction of what reCAPTCHA would have."
From: https://blog.cloudflare.com/moving-from-recaptcha-to-hcaptcha/
Sure. They cheapened out on the solution. So now instead of reCapthca just working with 1 click from me, which takes me around 1 second, now I have to deal with hCaptcha.
And this post is indeed very ironic. I have NEVER spent so much time solving captchas for reCaptcha as I have had searching for Pictures of Boats in their hCaptcha shit.
So for them to come out with this is indeed very ironic.
I rarely see CAPTCHAs any more. Sites appear to have responded to their users/visitors and dumped them. I'd estimate only dealing with less than five in the last year---so few that it always surprises that some site is *still* using one. I think Cloudflare is seeing the potential for making big Zorkmids in the hardware token market.
How quaint... A Google account. Well, you asked to be tracked just about everywhere you go so carry on and enjoy life feeding the Borg.
As soon as the few sites I use, get rid of Capchas then the sooner I can finally block google.com at my firewall.
The "tick a box, human" Captcha is reCaptcha v2. There is a Captcha v3 which is automated - no interaction - and gives a score, rather than a "yes/no". So it's likely you're still running captcha, you just don't realise it.
I've been testing both - sadly I find the fully automated one isn't great with what look like bots slipping through, although I'd prefer it. I have some resource-intensive operations on our website which I've moved back behind reCaptcha v2, where I absolutely, positively require a human to be present.
How quaint and very 80s.
Neither my laptop nor my phone would be able to use that. Although I have to admit that I have a hard time with CAPTCHAS anyway, but that is based on blocking java script.
And I really do wonder, what is the alternative for the visually impaired? There's sometimes a bunch on grainy pictures that I have a hard time to correctly identify. Now if you see less than I do, or just nothing at all....
The main problem with the few CAPTCHAS that I see is that they tend to be ambiguous street scenes from American suburbia. If you happen to live in American suburbs, like say the sort of people at US tech companies do, then they may make sense.
If you're not an American living in an American suburb, then you end up having to ask yourself "how would an American answer this question?" based on what you know about the US from American movies.
What they need is less ambiguous CAPTCHAS, but I suspect they are afraid that people will then use image recognition and AI to solve them.
Not that I think the Cloudflare proposal is a better solution. In fact I think it's worse.
I'm in doubt that Google CAPTCHA uses real photographs. I think they're composed. When asked to pick the squares with traffic lights for instance, there are maybe half a dozen dotted around the grid. Surely if a real road had traffic lights like that, chaos and carnage would ensue.
You've obviously not had the pain of "select the picture where the dice total X" so you have to peer closely at the dots on dice then add them up for the 4 or 6 image and inevitably it's the last image you find the correct answer on. It's not difficult per se, it's just time consuming and bloody annoying. Especially when the dumb thing asks you to do it 3 times or more because some algorithm has determined you're higher risk or whatever.
You just identified a major problem today with programmers. Since they like, since they understand it, and since it works for them, they assume that you will like it, that you will understand it, and that it will work for you. This attitude has given us Windows 10 with its horrible horrible UI. And then you have website designers where they assume everyone uses Chrome, like them, has a really fast computer, like them, and has really fast internet, like them. If none of those conditions are true, they blithely tell you to switch to Chrome and never think that some people cannot afford fast computers or cannot get fast internet.
Since Cloudfare is an American company, they assume everyone is like them and an American. It is no surprise that their CAPTCHAS solution assumes you are an American because all the programmers today assume everyone is like them. I call it myopia.
> And then you have website designers where they assume everyone uses Chrome, like them, has a really fast computer, like them, and has really fast internet, like them. If none of those conditions are true, they blithely tell you to switch to Chrome and never think that some people cannot afford fast computers or cannot get fast internet.
That's been a problem forever. One former employer hired people to create the company's first web site. It looked great in the conference room where they demoed it---just steps away from the data center where the web server sat. The trouble was that, at the time, there were huge (and I mean HUGE) numbers of internet user who were still using dial-up connections. The corporate web site was unusable over that type of connection. Sadly, the web site designers still got paid.
You missed a couple of problems with diaper brigade in programming. They assume you can read poor contrast between the text and background. There is reason black text (or very dark text) on a whitish background is used. Another is a fondness for very small font sizes that are difficult for those whose eyes are a wee bit old.
Buses look very different in different places, and the word "bus" is not well defined in many places (particularly non-English speaking). Is a taxi a bus? What about a minibus taxi? What about one of those long wheelbase tuktuks that fit 8 passengers with people getting on and off at all the traffic lights?
As a Brit, I even distinguish a "bus" from a "coach"!
And don't get me going on fire hydrants (which are never visible in the UK - they are always underground or in the walls of buildings) and crosswalks (which we don't have at all -- we have Zebra crossings which look very different).
Even bike is not clear. Does it include motorbikes? Does it include pushbikes? Is there a difference between a bike and a 'bike (there is on the BBC).
Buses look very different in different places, and the word "bus" is not well defined in many places (particularly non-English speaking). Is a taxi a bus? What about a minibus taxi? What about one of those long wheelbase tuktuks that fit 8 passengers with people getting on and off at all the traffic lights?
And what of Pui Pui Molcars ?
Google should incorporate these.
A bike, fair enough.
A bus? Do you live in a country/region where most buses are single deckers, where most are double deckers, where most are minibuses, where most look more like long-distance coaches, where there's even a bus service against which you can hope to have any concept of what a "bus" looks like in your local area let alone in whichever part of the world the captcha images originated?
A fire hydrant? Here in the UK, hydrants are mostly, if not entirely, below ground level and accessed via a hatch in the pavement (or sidewalk, if you're a left-pondian who thinks the pavement is the thing the cars, sorry, automobiles, drive along), so the only way the average UKian will recognise the typical fire hydrant shown in a captcha is if they've spent enough time watching US TV shows or films, and are now able to associate "fire hydrant" with those odd lumpy looking bits of metal sticking out of the pavement (or is it now a sidewalk - I'm so confused...)
So whilst the name of such objects may (*) well be known across the globe, it's definitely not safe to assume that the physical manifestation of such an object from one region will be recognisable as such an object to someone in another region.
(*) though as someone else has already noted, some captchas ask you to identify crosswalks, which not only requires the user to be aware of what a crosswalk looks like in the US, but also to know what a bloody crosswalk is in the first place, because that's a term most assuredly NOT used globally...
I'm pretty sure that in future war against the US of A, autonomous Chinese and Russian drones will wreak havoc by zapping 100% of key US infrastructure elements: crosswalks, cars, traffic signs and lights, funny-yellow-coloured-mass-transport (?) vehicles, corner cones that the A-mericans seem to like to photograph...
...
oh, and hills! ('cause: Bunker Hill)
"Click all the pictures showing a parallel divergent crosswalk." A what?
"Click all the pictures showing a mixed utilities access cabinet."
Even when the target is something that's actually culturally generic, I still find them hard. Something about the way I think or perceive.
And does "traffic light" include the poles they are mounted on? What about the wires strung between them? Are there actually any squares in this picture that don't include some part of the traffic light system? Hmm... I can't quite make out that little grey box on the far corner...
just check 2 and click continue about 10 times and it will give you an image that contains a single object (like a fire hydrant) that occupies 2 verticlly adjacent squares.
And speaking as someone who used to do captchas (the text version) for fun in the old days, the new image captchas are shit.
And I really do wonder, what is the alternative for the visually impaired? There's sometimes a bunch on grainy pictures that I have a hard time to correctly identify. Now if you see less than I do, or just nothing at all....
Hello. The visually impaired here. Or at least one of them. Google at least have an alternative - it's an audio CAPTCHA. I don't think I've ever got one right though, and I have perfect hearing. So the answer is to repeatedly poke at the photo ones, until I guess right. I'd say I average somewhere between two and three goes. It would certainly help if their pictures were a bit bigger. Or less shit. Or less confusing. Or less low resolution and grainy. Or badly cropped so you've got a tiny sliver of what might be a bicycyle/traffic light (sorry, stop light)/car on the edge of the picture, hidden amongst the bushes. But I'm fucked if I can see what it is.
It is also interesting/ironic that I'm training the computers for Google's self-driving cars - which are allowed to drive, when I'm not...
Can't see the hassle of maintaining (and carrying around) some sort of identity dongle is going to be any lower though. At least for me. If you're totally blind, or deaf/blind I don't know how you handle it.
I await the comments from Shadow Systems, when he comes across this thread. Containing robust Anglo-Saxon language, no doubt...
Essentially yes. I read it, tried to write a post, realized I was vomiting vitriol like Vesuvius, so closed the tab to kill the attempted post & did something else to calm down. Once I was calm & could think straight once more, I came back & reread the story. Rinse & repeat.
The visual ones are obviously not accessible for the blind. The audio ones *might* be *IF* the audio is clear & unambiguous. Since that's almost never the case, they are pretty much not accessible either. Of course I'll pick out the few words you want me to regurgitate, just remove the echo, reverb, hiss, clicking, popping, & what sounds like a drunk bagpiper doing a speed metal solo in the background.
*Sigh*
I'm an American & even I couldn't do the visual concepts in all their images back when I could still see. A bike? Would that be an upright two wheeler, a recumbant two wheeler, an upright three wheeler, a recumbant three wheeler, one of the old fashioned massive front wheel & microscopic rear wheel, a forward swept two wheel racing (aerodynamic to the point of being anatomicly improbable), with or without a fairing, with or without paniers, with a regular saddle "banana" saddle, recumbant saddle, touring saddle, or some other sort? A child's tricycle? An old person's trike with the lumbar support seat & the wire grocery basket on the front? There are so many different styles & configurations that vary from location to location that just saying "bike" is akin to asking someone to point to the "boat" & pointing them to a seascape full of every design ever contemplated by a drunken sailor in the middle of an acid trip.
*Shakes head sadly*
99.99% of the time if a site drops a CAPTCHA in my path I'll simply close the tab & go elsewhere. If they include an email link then I'll give it to them with both barrels, but otherwise it's often not worth the hassle nor headache to explain it to the socially blind (versus physical blindness) idiots why they've just lost my business.
That "check this box if you're Human" is utter bullshit. It's not an element I can navigate to, it's not an actual element I can interact with, and since I don't use a mouse there's no way to toggle the bloody thing. I *AM* Human you fucking pile of steaming Howler Monkey shit, but you don't seem to give SweetFuckAll that your audience might not be of perfect vision, perfect hearing, & perfect motor controls. I hope your aged mother visits your site & promptly kicks your sorry ass for telling her that she's not Human because she's unable to jump your fucking hurdles.
*Deep breath*
I'll go away now. I can feel the urge to kill coming back strong. NURSE! Refill my dried frog pills please, STAT!
*Wanders off muttering darkly & tapping my cane as if trying to beat the pedestrian-using-concrete to death*
I'm entirely blind. Here's how the captchas currently work. Google's has an audio option which starts with a section of white noise, a clip of speech, and some more noise. You are supposed to transcribe the speech. This usually works. It is best not to think about where the speech comes from. Some of it is clearly phone call quality. This is what they switched to after their previous method, which was severely distorted computer voices reading numbers on top of each other which you were also supposed to transcribe. I tested several friends, both sighted and blind, and I was the only one who ever completed that one successfully.
For other providers, there may not be an audio version at all. They frequently have not replaced their captcha solution. For me, this is a zero-tolerance situation. If a service uses one of these, I will cancel my account immediately if at all possible. Also, for those who are both deaf and blind, there is as far as I know no captcha which will work.
I could be talking nonsense but I thought I read that the typical CAPTCHA just puts up one box to say "I'm not a robot" and watches mouse movements until you click on it, humanly. Only if that's doubtful does it start to ask for more proof. But I am tapping on a touchscreen tablet. It still usually works, though. Maybe it watches for you typing like a human, too.
I don't know what a deaf and blind user uses for computing on, but I expect that that device identifies itself as what it is. A catch would be if a billion hackers run a simulation of the same type of device.
An alternative is user password as authentication, but that has its own issues.
I don't know if that's what it's attempting, but I don't think so. I think it has more to do with what Google knows about you by the time you click the box--if you're a known account, they just add the site and any information to your advertising profile and let you through. If you just did a captcha, then it's probably safe and they'll let you through this one too. If you don't have either of those, click on all the [insert subjective category here].
I don't think I'm doing anything mechanical in my input, but I don't browse with any Google accounts active and thus get asked for the captcha on every site that has one. It could be worse though. At one point, I was accused of spamming Google's captcha because I was on a crowded network. If that happens, you have no method of bypassing it and just have to wait an hour and hope for the best when you try again.
At one point, I was accused of spamming Google's captcha because I was on a crowded network. If that happens, you have no method of bypassing it and just have to wait an hour and hope for the best when you try again.
That happens to me periodically, but I'm on a VPN and just switch to another VPN server (if I can do so without interrupting anything else my computer is doing), or to a different browser that bypasses the VPN..
>>>That happens to me periodically, but I'm on a VPN
Apparently Google doesn't like my VPN anymore.
the last few months, whenever I try to use Google search I'm confronted with multiple image selection challenges. What irritates me is that there doesn't appear to be no rhyme or reason to the number of challenges I must complete before I'm allowed to proceed to my search results.
(On average must deal with 10 challenges... talk about madness)?
So... I've set my default search provider to DuckDuckGo.
Occasionally I still want to run a search thru Google and just deal with the related annoyance.
At least picture challenges work eventually whereas text based captchas never seem to end (for me, my VPN)
Trying to find a phone today that can't do NFC would be quite difficult. Not impossible but very difficult.
Remember this is to make captchas easier, not be the only option. As I already have a yubikey I look forward to using it instead of clicking on traffic lights.
And no bits can't fake it as per the original article. Cloudflare uses the fact that the original device manufacturer of the keys signs the keys in batches of 100,000 and Cloudflare has a whitelisf of vendors. A bit could emulate the security key in general but won't be signed by a reputable manufacturer of security keys and thus will be rejected.
Oh? What's to stop miscreants obtaining a few of them legitimately, breaking them down, and figuring out how they work so that their bots can emulate them (or at the very least, copy the abilities of the legit keys they do obtain)? What man can create, man can usually recreate.
Hardware Dongle = TRACKING - you identity is NOW KNOWN to the web site, uniquely so.
As IRRITATING as a CAPTCHA is, I'd rather use CAPTCHA than GET TRACKED on that level...
Only an ad-slinging over-present cloud network would come up with THAT as a "solution".
(at least cache clearing and VPN can anonymize you a little bit, even with CAPTCHA)
Either there is something missing from the description, or the idea is pointless. How does the presence of a YubiKey or the like tell you there is someone physically at the computer and it's not a bot? Anything a person can do with a YubiKey a bot can do.
And how is the "attestation is not uniquely linked to the user device" if they are using a device whose whole point of existence to uniquely identify itself? I'm not sure I'd want to have Cloudflare tracking me all over the Internet using a YubiKey they would make me buy.
I see CAPTCHAS very rarely, and only on sites which are especially concerned about not allowing bots to DDOS them. CAPTCHAS would be far less of a problem for me than buying a YubiKey and using it would be. Whatever problem they are trying to solve is one that I don't have.
It seems from the description that you are to plug in the security key only when prompted for it. Software can't really do that. On the other hand, ... I started that sentence yesterday, and I've forgotten what was on the other hand. Does anything come to mind?
Ah - probably that I may as well mention how tiresome it is when a USB port or plug wears out, and so what a good idea it is to use a detachable hub on your PC or laptop, so you are mainly wearing out the ports on the hub, which is cheaper to replace.
And yet... that undermines my first point, but to not help bots out, I won't say why. And if you see it... the same should apply. Thank you.
Anyway, I assume that Cloudy tells the web site that you're a human, but not which human. And possibly most of your internet access goes through Cloudflare already, so they are able to have a pretty good idea of who you are if they want to. But why would they want to?
I trust Cloudflare less than Google, and I don't trust Google. How is the new proposal going to stop malware from infected user devices?
If Cloudflare wanted to stop botnets, they could stop providing so many services to them. C&C, phishing pages, fake stores, bots for hire, PayPal merchant pages, etc.
> Oh, I was mistaken, it is not about the user.
It's never about the user; Such a quaint last-century notion!...
Competing for market share and trying to seduce customers is tiring and expensive. It's so much easier to strong-arm them to compliance and make it very difficult (ideally impossible) for them to take their custom elsewhere. As an added bonus you haven't to pretend you care anymore (well, apart from some standardized empty formulas).
When I see a captcha I simply close this web page, I did not visit it to waste my time solving puzzles and 99.9% of the content they protect is useless anyway. From my experience, most of the time the catcha turns on because they detect Javascript is blocked so they cannot show me ads and I am a useless freeloader for them too.
If I see an especially annoying captcha where I am a paying customer (some airlines are notorious for that, well, used to be when the airlines were still flying) I just call their customer support and ask them to solve their puzzles on my behalf. Most of the time they are able to shortcut the whole nonsense right to the payment and send me the direct payment link.
Online supermarkets seem to be doing it lately post-login. I suppose airlines and supermarkets both attract bots trying to book slots, scrape prices constantly, or something like that?
I'd like to suggest I get a pound every time a company I'm paying makes me do a captcha, to help motivate them to find less irritating solutions to their bot problem (maybe they should just put up with it?). But the truth is they can probably already see a greater loss of sales than that in their usage stats and yet they're still doing it.
The amount of bots ANY web form gets is frankly just insane these days.
Finding and blocking all possible bots would be an insane issue to tackle, and just too costly.
Imagine spending millions of dollars every month on bot blocking techniques (because bots change and adapt constantly) when you could simply implement reCaptcha (mostly for free) and call it a day.
That Cloudflare 'solution' is 'We once had some humanish behaviour and accepted it. Now the same source of keystrokes(verified by some e-key) is calling again.' So, fool the system once and you have unlimited free access. So (a)pointless (b)coach-and-horses fail.
This is the same as giving Cloudflare an 'I am not a bot password.' That is easier to think about. It means (a) somehow I proved I wasn't a bot once (b) I 'remembered' my not-a-bot password. Same coach-and-horses fail.
Back to the drawing board. My solution is a microphone that listens for "I AM NOT A FUCKING BOT GET ON WITH IT!"
I doubt using a hardware key is going to catch on to replace CAPTCHAs, they might be annoying but they don't require you to buy and carry around a separate piece of hardware, which I assume if you don't have available will fall back to using CAPTCHAs anyway.
I particularly find the Microsoft CAPTCHA on outlook.com annoying as it doesn't give me enough time to complete it before it times me out, so i have been going through the option for the audio CAPTCHA instead as at least that doesn't time me out. But i wonder how long it will be before bots can complete the audio CAPTCHAs and they are no longer effective.
There is always a solution for the Bad Guys if they want to get past difficult CAPTCHAs: Sweatshops in 3rd world countries where real living humans solve CAPTCHAs for a couple cents and register user accounts for the bots to use.
It doesn't matter if it's a picture or a sound, they are humans like any legit user, so all it changes is the Bad Guys have to spend a couple cents to get their bots in. You know when that happens because it takes weeks/months between the moment the new account is created and the moment it becomes active. I even think people registering aren't the ones using those accounts, they're just flogging them to those who need them for spamming or their bots.
"The user plugs the device into their computer or taps it to their phone for wireless signature (using NFC)... A cryptographic attestation is sent to Cloudflare, which allows the user in upon verification of the user presence test."
OK, I need to check I'm not misunderstanding something here. Their proposal for humans to identify themselves as human and not a computer, is to get a computer to do it for them automatically. I'm really not clear on how this is supposed to help.
do it automatically while revealing your current cell phone number and IP address along with other personally identifying information that was gleaned the last 92 times you used this method.
Would the 'app' that you would need to make this happen ALSO upload GPS tracking data from your location over the last several days so that "they" will know where you've been?
yeah no tracking going on here. Nothing to see, move along...
[it's bad enough when you use a credit card in a store AND online and when you visit the online page you see your in-store shopping history along with online history...]
"OK, I need to check I'm not misunderstanding something here. Their proposal for humans to identify themselves as human and not a computer, is to get a computer to do it for them automatically. I'm really not clear on how this is supposed to help."
It's supposed to help because it's an expensive computer that does it for them. If users all have to buy these, then it is more expensive to run automated attacks through them. Also, individual users won't buy multiples so they won't have multiple identities, meaning it's really easy to track their activity. This works until somebody gets their devices trusted and sells a block of keys to a botfarm, which should take a long time, maybe even a whole month. But if that ever happens, the company that did it gets delisted from the service, which cuts off the botfarm. Oh and also the people who legitimately bought and used that company's devices, too bad for them. Now we just have to find a new provider of keys so there's sufficient supply. I'm sure they won't do the same.
This is a transparent attempt for Cloudflare to make more money from the web sites: this proposal doesn't do anything for proving there is a real person there, but it does allow Cloudflare to offer the site a permanent tracking ID for every visitor, based on this dongle/tab, even for people who disable javascript and cookies.
What on earth makes them think that someone who disables javascript, uses an ad blocker and uses a fingerprint defender (which are the things that prompt the Captcha in the first place) will plug in a unique ID to let Cloudflare track them?
Came to say this. NO WAY will I hook up a dongle with a unique signature linked to me that any web site can inspect. That would make Google and Facebook's tracking look positively pedestrian.
And how is that going to work on a mobile device, are you supposed to hook a dongle up to that? Yeah, that sounds super convenient!
A FIDO token has first to be enrolled with the service you intend to authenticate with - this generates a key pair, with the public key being retained by the service (in order to identify the token with a particular user the next time around) along with a "key handle" provided by the device to identify the service. Subsequently, the keys are used as a form of user authentication.
This is done through a JavaScript API in the browser, which talks to the FIDO token. So the first thing any self-respecting bot-herder is going to do is replace the API with one that doesn't require a token and does the crypto in software - in fact it can probably fake most of it out.
Meanwhile, for the blameless user, ideally, the U2F token would store the private key securely - in which case the storage space would soon be exhausted by multiple enrolments. In practice, most of the keys generate the "key handle" so that it contains the private key (encrypted under a master key on the token), meaning that the private key is actually stored by the service and not on the token (though the key is supposedly inaccessible without the master key). However, if the master key to your token subsequently turns out to have some cryptographic flaw, then potentially all your private keys are recoverable by any service you have enrolled with. And, of course, it means the next time you use the service, it knows you're a return visitor, because that's what the tokens are supposed to do. So, out of an abundance of caution, you probably don't want to use FIDO tokens except where there is a valid reason to prove your identity.
So it's not just that you'd have to have a FIDO token to hand, you'd have to enrol that specific token in advance of using the "protected" service and present the same token the next time around, which would allow you to be tracked. [Edit: as Graham wrote above while I was being longwinded...]
Apart from that, I'm sure it's a great idea.
Because once something like that exists and works, Google will have to give up on making humans teach its image classifier and it will be the end of CAPTCHA!
Then those poor old advertisers will have to contend with all the fake impressions/clicks making online advertising worth less and hitting everyone involved in that shitty industry in their pocketbooks!
Dare to dream, right?
What's to stop them just making harder CAPTCHAs that your supposed extension can't break?
Someone needs to demonstrate, conclusively, that there is NO way to tell way a human from a well-trained bot, for the two simple reasons. One, the use of a computer limits the inputs. And two, a bot, being a computer itself, can simply master and then fake ALL of them.
4.5bn users times $20 is $90bn. Quite something created there, more than 10 times the UK music industry.
So I'm saving 15 minutes per year, on average. That assumes it takes 0 seconds to find the device which is certainly not the case for me.
Then add the time to select and buy the device. Then add the time to make this work on every single device which likely adds up to a few hours. Then the time to troubleshoot when it doesn't work. Then the efforts to take a tiny device with me anywhere because we don't already have enough in chargers, cables, adapters etc. Then add the time and cost to replace it when it gets lost.
Seriously?
How do I put this device on our home LAN so that it can be used to allow everyone in the family to browse from any computer -- and any TV -- that I wire up or connect to our WiFi?
People have been pushing the idea of dongles since PCs were invented. I had coworkers that had multiple dongles connected to their printer port (one for AutoCAD, another for... you get the idea). Either the same thick-headed folks are still pushing the idea or a new generation is re-discovering the idea... and forgetting or ignoring how it failed in the past.
Towards having everyone implanted with a biochip at birth.
Maybe the industry needs to come up with software to be used for browsing the internet that doesn't permit the use of bots. Unlike all servers and browsers today.
Of course that would block all tracking, sniffing, and probably most advertisements on the web. It will never happen.
I'm slightly disturbed by this article and comment section - do people seriously not know that hardware security tokens exist and how they work?
I've been using a yubikey for years for security reasons. It's fantastically convenient and virtually unbeatable security wise. Way better than sms or 6 digit nunbers for multi factor authentication.
Sure if you don't have a yubikey already you aren't going to rush out to buy one just to beat some captchas, but I would have assumed a lot of this audience would already have them. Or they should be seriously thinking about getting one at least.
I do have one already. They're great, as you've said, for authentication. Very key word, authentication. Where I wish to prove my identity to a service so they can identify that I'm me. That's their use case.
I don't want to authenticate to a bunch of random sites with a unique key which identifies me particularly. I can access them anonymously now. Most don't even have captchas, but since it's Cloudflare suggesting this and they provide hosting for a lot of sites, it's not unreasonable to expect they'll expand the use of it. Also, the key I have doesn't work with a phone, because I don't tend to log into sensitive pages on it, but I do browse from it so I'd have to buy another key for that. So the general complaints apply to my situation without my having to have any problem with the keys themselves.
I'm wondering if it'll eventually have to come down to just that (authentication and identity at every site) simply due to the Tragedy of the Commons. Anything free will be exploited due to human nature, meaning some kind of restriction or regulation will become necessary just to keep things sane.
...then we lose the device. Yay!
I foresee a nightmare of cancelling old private keys and applying for new ones to store in our replacement devices when this happens. Or, are they suggesting there will be an in-built facility to back-up and replicate the hardware token that uniquely identifies me?
(I see nothing about what happens when you lose your device on the fidoalliance web site)
So this is a system that swaps several minutes trying to work out what is in some fuzzy pictures, with many minutes trying to find your U2F key from wherever you put it after Google last asked you to sign in with it.
Ok... And which of my two keys (and two backups) should I be using?
I'm not completely certain, but I'm sure that leaving the key permanently installed in your computer's USB socket is not secure behaviour.
Still, it's at least better than having to dig out your phone, start the Authenticator app and copy across the six digit code. If you can remember the right one to use.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
