In An Attempt To Create An Alternative To CAPTCHA, Cloudflare Launches 'Turnstile'

Cloudflare Turnstile

The internet is growing, and the web is still expanding.

While more and more people are using the web, bots are the majority of the internet population. To differentiate humans and bot users, the most popular method would be using what's called the CAPTCHA.

Short for "Completely Automated Public Turing test to tell Computers and Humans Apart," CAPTCHA asks users to identify images or attempting them to decipher the word hidden in unreadable text.

Google also has another CAPTCHA method, which it calls reCAPTCHA.

There are several types of CAPTCHAs owned by different companies/providers. Google for example, has what it calls the reCAPTCHA, which uses scanned books, roads, images, and pair the technology with AI.

This time, another CAPTCHA is created.

And it's from Cloudflare.

Cloudflare Turnstile

Cloudflare calls its the 'Turnstile.'

In an attempt to be the alternative, if not replacing CAPTCHAs, Cloudflare designs Turnstile to remove the need for users to complete a test at all.

Instead, Turnstile performs one of several "non-intrusive browser challenges based on telemetry and client behavior exhibited during a session." The process happens in the background, and users will only see a verification animation play as the test occurs automatically.

What this means, Turnstile system uses non-intrusive challenges, and that is made possible through telemetry and client behavior during a session.

And if Cloudflare detects that the Turnstile challenges become less effective, the puzzles will be rotated out for new ones, keeping malicious actors at bay.

Explaining how it works in a bit more detail, Cloudflare said in a blog post:

Cloudflare Turnstile
"With Turnstile, we adapt the actual challenge outcome to the individual visitor/browser. First we run a series of small non-interactive JavaScript challenges gathering more signals about the visitor/browser environment. Those challenges include proof-of-work, proof-of-space, probing for web APIs, and various other challenges for detecting browser-quirks and human behavior. As a result, we can fine-tune the difficulty of the challenge to the specific request."

"Turnstile also includes machine learning models that detect common features of end visitors who were able to pass a challenge before. The computational hardness of those initial challenges may vary by visitor, but is targeted to run fast."

Cloudflare Turnstile

Due to this advantage, Cloudflare is certain that its Turnstile ha a high chance of becoming a proper alternative to CAPTCHAs, with a possibility of succeeding or even completely replacing it.

Turnstile that is introduced initially in beta, doesn't require developers to be Cloudflare users to take advantage of this Turnstile API.

Those who wish to use the API, only needs sign up for free, receive "simple steps to get started" in an email, and then remove all remaining CAPTCHAs from their websites.

To encourage even more people to use Turnstile, Cloudflare said that Google's reCAPTCHA dominates the market, but requires people to share their data with Google.

This is why Cloudflare dumped reCAPTCHA back in 2020, and replaced it with Turnstile.

To preserve privacy, Turnstile uses data it has access to through collaborations with device manufacturers to perform the validation. This way, it can "confirm data without actually collecting, touching, or storing that data ourselves."

Cloudflare is providing this feature for free, simply because it believes it can help "build a better Internet."

This isn’t the first time Cloudflare built a free tool. Previously, the most notable free product from Cloudflare is its CDN tool, which allows websites to store caches for faster access.

Published: 
29/09/2022