Re-Using your Multi-Factor Authentication To Prove Humanity

Spam. The cat-and-mouse game of advertisers seeking to reach more people for less cost, and people seeking to spend more to not be reached. The current state of the art in proving "I am not a spam-sending robot" is the captcha. Do you love the captcha? Me neither. Do you sometimes fail it? Me too!

I was very intrigued to see that Cloudflare has decided to (mis-use? re-purpose?) the WebAuthn standard, and specifically the attestation a security key can provide, to prove your humanity. You can head on over to https://cloudflarechallenge.com/ and try it out with your YubiKey et al.

It's quite simple, if a bit inconvenient. On the web site you see a challenge button. You press it, the browser asks for permission to talk to your security key, you grant it, you press the button on the key in your USB hub, the key signs the site's challenge, and the web site appears. Is this better than the captcha? Um, maybe? You are not doing the 'labelling' homework for some corporation. You don't have to squint at the various boxes on the screen. Is that a hill, or a smudge? Is that a bus, or an RV? So, I guess it's more deterministic.

Now, I found this worked just fine with my YubiKey on my desktop. But when I tried to use the built-in trust store of my Google Pixel 4, I found that it was an 'unsupported issuer'.

Cloudflare calls this "Cryptographic Attestation of Personhood". The name is the point: the site is not checking who you are. It asks the key for its WebAuthn attestation, a statement signed under a certificate that chains up to the key's manufacturer, and accepts only manufacturers it trusts. A key whose attestation chains to an issuer not on that list is what gets turned away as an 'unsupported issuer'.

Is this a good idea? Well, half of me thinks yes. More people with multi-factor authentication devices, getting used to using them, would be good. But how can it take off? Which web site owner will turn away users without a speciality device?