Leading CDN provider Cloudflare has released Turnstile, a free alternative to the “terrible user experience” currently offered by CAPTCHA services used by websites to verify authentic users online.
Announcing Turnstile in a blog post, the company claimed its CAPTCHA alternative would also increase user privacy on the web, as sites using it won’t have to provide user data to Cloudflare.
Cloudflare’s CAPTCHA replacement will use Private Access Tokens, which allow users on supported operating systems to have their humanity proved for them “without completing a CAPTCHA or giving up personal data”. The company had previously announced in June 2022 that iOS and macOS devices would be the first to benefit from the tech when visiting sites hosted on Cloudflare’s network.
Eliminating CAPTCHA
Cloudflare says it has already reduced the number of CAPTCHAs users seen online by 91% using a Managed Challenge platform that draws more data from a web browser before deciding whether or not to serve up a CAPTCHA puzzle.
Turnstile opens this platform up to any website owner who wishes to use it. Migrating from an existing CAPTCHA system - like Google’s reCAPTCHA, which currently enjoys a 98% market share - is as simple as creating a Cloudflare account and swapping out HTML code.
On the face of it, Turnstile is a fairer CAPTCHA system for several reasons.
For website owners, it offers an alternative to Google’s stranglehold on CAPTCHA services, although this won’t impact Google’s staggering popularity as a search engine, where it is free to use its reCAPTCHA tech to verify users.
For users, Cloudflare claims that Turnstile sidesteps a severe privacy violation that security researchers say Google commits with the latest version of reCAPTCHA - weighing the presence of a proprietary cookie in a browser while deciding if a user is malicious or not. It accuses Google of passing the collected data to their ad sales business, although Google has denied this.
Cookies weighting verification may cause headaches for users who are using firewalls to protect against cookie hijacking attacks, whereby malicious threat actors attempt to use cookies to gain access to web applications. Users who simply delete their cookies regularly to avoid being tracked across the internet also face difficulty using reCAPTCHA.
Allowing operating systems to help verify users before users are served up CAPTCHA puzzles should also just make the online browsing experience far less grating going forward.
Being a privacy-focused solution aimed at improving user experience, it’s hard to see Cloudflare’s Turnstile as anything but a good thing right now.
- Here's our list of the best identity theft protection right now
