Cloudflare supports hardware biometric authenticators as CAPTCHA replacement
CAPTCHAs are considered annoying by many if not most internet users, and as Cloudflare points out, they can be a barrier to use for people who do not read certain languages or are using a mobile device. Biometric authenticators can now be used by Cloudflare users to prove they are not bots in an expansion of the content delivery network’s Cryptographic Attestation of Personhood (CAP) trial.
The use of native device biometrics like FaceID and TouchID on iPhones and Android Biometric Authentication allows users to complete the same check in a five-second process with face or fingerprint biometrics, Cloudflare says in a blog post. The biometric data is not uploaded to Cloudflare, but kept on device in a FIDO-style transaction. Likewise, hardware USB and NFC tokens certified by the FIDO Alliance and without security issues known to the FIDO Alliance Metadata service (MDS 3.0) are now supported.
Hardware authenticators work slightly differently for Apple and Android devices, but rely on a Trusted Execution Environment (TEE) or Trusted Platform Module (TPM) to store and use biometrics without compromising user privacy, Cloudflare writes.
Hardware authentication in this model typically shares only information about the make and model of the device affirming the authentication. Cloudflare says it has gone a step further by using a form of zero knowledge proofs, making strides towards learning nothing about the user or their device, except for their possession of a valid security key.
“Our testing group tried our Cryptographic Attestation of Personhood solution using Face ID and told us what they thought,” writes Cloudflare Product Manager for Research, Wesley Evans. “We learned that solving times with Face ID and Touch ID were significantly faster than selecting pictures, with almost no errors. People vastly preferred this alternative, and provided suggestions for improvements in the user experience that we incorporated into our deployment.”
Further, Cloudflare notes that although biometrics were not enabled as a method of attestation in the first phase of the CAP rollout, it was the next most commonly-attempted method after YubiKeys.