Why Cloudflare’s CAPTCHA replacement with FIDO2/WebAuthn is a really bad idea

  1. User gets FIDO CAPTCHA page.

What is attestation?

Attestation is a mechanism built into the FIDO protocol that allows relying parties (websites) to obtain information about the authenticator's model and manufacturer.

What is CAPTCHA?

So why is FIDO attestation a bad idea as a replacement for CAPTCHA?

1. Automation of FIDO security keys is really easy.

The idea of CAPTCHA is that you cannot easily automate the task. Well, meet a $5 Arduino and, oh God, WIRES!

Yes, I know this is a $60 UNO, but trust me, you can do that with $5 Nano clones: https://twitter.com/agl__/status/1392876159591882755

2. Popups are optional for attackers.

If you think it will be hard because the user needs to approve a popup: a bit of JS to modify the browser request to be “none”, and a small browser modification to disable EraseAttestationStatement (https://source.chromium.org/chromium/chromium/src/+/main:device/fido/attestation_object.cc;bpv=1;bpt=1?q=NoneAttestation&ss=chromium%2Fchromium%2Fsrc), and you get a popup bypass.

3. Security keys are quite fast

Security keys, at a low level, take about 700ms to 1700ms to do all exchanges, from my experience. That’s approximately 30 potential requests a minute. And you can make it super effective with an HID click farm!

4. Attestation is not a good mechanism for CAPTCHA

Attestation is not a perfect mechanism, and I would deeply discourage people from using it. The reasons are as follows:

  1. Attestation does not prove anything but the device model — There is no magic in attestation. It does not prove user liveness, because Cloudflare simply does an attestation check. That’s it. FIDO is really good against phishing and bots, because we know that the user owns the device, and that using FIDO moves the attack from being a remote brute force to a direct, personal attack on a real human. Cloudflare CAPTCHA does not achieve that, because it does not authenticate the user. It simply verifies the device model. That’s it.
  2. Privacy — FIDO mandates that attestation batch certificate usage is at least ONE batch certificate per 100,000 devices. So if you know that Alice has a security key with this certificate, and you see this certificate on another site, there is a 1/100,000 chance that this is Alice. This does not sound like a lot, but when you combine it with all the other tracking info that sites may keep on you, it becomes another piece of info that can be used against you, and as we all know, everything is run by Cloudflare today.
    Now this does not mean that attestation is completely useless. It is a very important mechanism in high-compliance environments. Banks and governments do need it, and recently the Czech government announced that FIDO-certified FIDO2 authenticators can be used for their national ID with eIDAS, and L2-certified devices can be used as high-assurance proof. This is what you need attestation for: the 1% of situations when you need attestation.
  3. User experience — Popups are a pain, and a lot of people just disable them because there are simply too many popups. Attestation is bad for UX; you should avoid it.
  4. Attestation is very hard to manage — You need to collect metadata for the devices (somewhat solved by MDS). You need to know which fields you need. You need to trust the metadata. It’s a very hard problem that requires a good understanding of what you are doing.
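
To make reason 1 concrete, here is an added example (not from the original post and not Cloudflare's code) that parses the WebAuthn authenticator-data layout a relying party receives with an attestation. The RP ID `example.com`, the AAGUID, the credential IDs and the helper names `parse_auth_data` and `build_sample` are constructed for illustration.

```python
import hashlib
import struct
import uuid

# Bits of the authenticator data "flags" byte (WebAuthn spec).
FLAG_UP, FLAG_UV, FLAG_AT, FLAG_ED = 0x01, 0x04, 0x40, 0x80


def parse_auth_data(data: bytes) -> dict:
    """Parse WebAuthn authenticator data up to the credential public key."""
    if len(data) < 37:
        raise ValueError("authenticator data shorter than the 37-byte header")
    flags, sign_count = struct.unpack(">BI", data[32:37])
    out = {
        "rp_id_hash": data[:32].hex(),
        # UP/UV are bits the device sets itself: they say its presence test
        # was satisfied, not who or what satisfied it.
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "sign_count": sign_count,
        "aaguid": None,
        "credential_id": None,
    }
    if flags & FLAG_AT:  # attested credential data follows the header
        if len(data) < 55:
            raise ValueError("AT flag set but AAGUID/length fields missing")
        out["aaguid"] = str(uuid.UUID(bytes=data[37:53]))  # model identifier
        (cred_len,) = struct.unpack(">H", data[53:55])
        if len(data) < 55 + cred_len:
            raise ValueError("credential ID runs past the end of the data")
        out["credential_id"] = data[55:55 + cred_len].hex()
        # The COSE public key (CBOR) follows; it is not decoded here.
    return out


def build_sample(rp_id: str, aaguid: bytes, cred_id: bytes) -> bytes:
    """Constructed sample: header + attested credential data, no public key."""
    header = hashlib.sha256(rp_id.encode()).digest()
    header += struct.pack(">BI", FLAG_UP | FLAG_AT, 0)
    return header + aaguid + struct.pack(">H", len(cred_id)) + cred_id


# Constructed values: two different keys of the same (made-up) model.
MODEL_AAGUID = bytes.fromhex("00112233445566778899aabbccddeeff")
key_a = parse_auth_data(build_sample("example.com", MODEL_AAGUID, b"\x01" * 16))
key_b = parse_auth_data(build_sample("example.com", MODEL_AAGUID, b"\x02" * 16))

if __name__ == "__main__":
    # Same model identifier for both keys; no field identifies a person.
    print(key_a["aaguid"], key_a["user_present"], key_a["aaguid"] == key_b["aaguid"])
```

Every field the parser returns describes the device or the credential; the AAGUID is identical for both sample keys because it names the model, not the holder.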

In conclusion:

I personally think that in the very short term Cloudflare’s solution will help with some bots. But understanding the FIDO market, and knowing that security keys are first and foremost an enterprise and backup authentication solution, and that the future of FIDO lies in wide deployment of platform authenticators, leads me to believe that the current solution will be widely abused with wider deployment, as it explicitly targets those who need and can afford security keys: enterprise.

FAQ

- Couldn’t Cloudflare just ban malicious security keys?
