There’s a uniquely bitter rage that comes from being asked to click every box that contains a parking meter only to then be told that you missed one because of a tiny sliver of gray that barely floated into the periphery of an otherwise empty, adjacent square. It’s a familiar fury, and one that captchas have been provoking across the web for years, but these maddening tools are important for blocking bots from conducting fraud and other abuse. Google’s reCaptcha, the dominant tool around the world for implementing these checks, came out with a version in 2018 that uses machine learning to silently check humanness behind the scenes and phase out the garbled, blurry strings of letters and grids full of traffic lights. This week, the internet infrastructure company Cloudflare is releasing a competitor.
Like reCaptcha, Cloudflare’s new alternative, dubbed Turnstile, is free, and you don’t have to be a Cloudflare customer to put it on your site. Turnstile is based on a tool called Cloudflare Managed Challenge that the company released for its own services in April. When you do a captcha, you are completing a “challenge” of your humanness. Managed Challenge, on the other hand, runs quick and silent checks of your browser’s technical behavior and other telemetry in an attempt to determine that you are human without asking you to do anything. Only when the tool lacks adequate confidence will it show you a “harder challenge” or a puzzle to solve. And Managed Challenge, which is an enterprise product for Cloudflare customers, is constantly testing different types of puzzles to find the options that are less frustrating for users.
Anyone can now implement Turnstile for free through an application programming interface. You can set it up to only run invisible challenges that don’t appear to the user at all or elect to have the system show a button for users to click as an additional humanness check. Unlike Managed Challenge, Turnstile never shows harder challenges or captchas.
“If a person were walking down the street next to a robot, even without asking the person or robot any questions, you’d be able to observe differences between them just by watching them walk past,” says Cloudflare’s chief technology officer, John Graham-Cumming. “Turnstile can do that for the signals your computer sends to the website you’re accessing, which include what web browser you are using or what device this is coming from. In the case of a machine trying to impersonate a human user, they often don’t get all these details right—there’s usually something ‘off’ about the request.”
Invisible challenges include tests like complex equations that devices are asked to solve. Turnstile has data about how long it takes different devices—say, a MacBook Air or a Samsung Galaxy—to solve the challenge. If a device claims to be a Samsung Galaxy S22, but solves the challenge much more quickly than that device should be able to, it may indicate that the request is really coming from an automated system run out of a data center.
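The timing check described above can be sketched as a small plausibility test. This is an added example, not Cloudflare's code: the baseline timings, the threshold `k`, and the function names are all constructed assumptions.

```python
from statistics import median

# Constructed baseline (assumption): solve times in milliseconds for one fixed
# compute challenge, keyed by the device the client claims to be.
BASELINE_MS = {
    "Samsung Galaxy S22": [410, 395, 430, 402, 418, 440, 388, 425],
    "MacBook Air":        [120, 131, 115, 126, 140, 118, 123, 129],
}


def robust_stats(samples):
    """Return (median, MAD) so a few outliers do not skew the baseline."""
    m = median(samples)
    mad = median(abs(s - m) for s in samples)
    return m, mad


def assess(claimed_device, solve_ms, k=6.0, min_samples=5):
    """Classify one solve as 'plausible', 'too_fast' or 'no_baseline'.

    Only the fast side is flagged: a slow solve can come from a busy or
    throttled device, but a device cannot outrun its own hardware.
    """
    samples = BASELINE_MS.get(claimed_device, [])
    if len(samples) < min_samples:
        # No trustworthy baseline: let the caller fall back to other signals.
        return "no_baseline"
    m, mad = robust_stats(samples)
    # Use at least 5% of the median as spread so a tight baseline (tiny MAD)
    # does not turn normal jitter into a false positive.
    floor = m - k * max(mad, 0.05 * m)
    return "too_fast" if solve_ms < floor else "plausible"


if __name__ == "__main__":
    # The same 120 ms solve is normal for the laptop, implausible for the phone.
    for device in ("MacBook Air", "Samsung Galaxy S22", "Unlisted Phone"):
        print(device, "->", assess(device, 120))
```

A `too_fast` result is one signal among several, in line with the article's "may indicate" wording, and would normally feed a score rather than block a request outright.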