Why Cloudflare’s CAPTCHA replacement with FIDO2/WebAuthn is a really bad idea

  1. User gets FIDO CAPTCHA page.

What is attestation?

What is CAPTCHA?

So why FIDO Attestation is a bad idea as replacement for CAPTCHA?

1. Automation of FIDO security keys is really easy.

Yes, I know this is a $60 UNO, but trust me, you can do that with $5 Nano clones https://twitter.com/agl__/status/1392876159591882755

2. Popups are optional for attackers.

3. Security Keys are quite fast

4. Attestation is not a good mechanism for CAPTCHA

  1. Attestation does not prove anything but the device model — There is no magic in attestation. It does not prove user liveness, because Cloudflare simply performs an attestation check. That’s it. FIDO is really good against phishing and bots because we know that the user owns the device, and using FIDO turns the attack from a remote brute force into a direct, personal attack on a real human. Cloudflare’s CAPTCHA does not achieve that, because it does not authenticate the user. It simply verifies the device model. That’s it.
  2. Privacy — FIDO mandates that an attestation batch certificate be shared by at least 100,000 devices. So if you know that Alice has a security key with this certificate, and you see this certificate on another site, there is a 1/100,000 chance that this is Alice. This does not sound like a lot, but when you combine it with all the other tracking info that sites may keep on you, it becomes another piece of info that can be used against you, and as we all know, everything is run by Cloudflare today.
    Now this does not mean that attestation is completely useless. It is a very important mechanism in high-compliance environments. Banks and governments do need it, and recently the Czech government announced that FIDO-certified FIDO2 authenticators can be used for their national ID under eIDAS, and L2-certified devices can be used as high-assurance proof. This is what you need attestation for: the 1% of situations where you need attestation.
  3. User experience — Popups are a pain, and a lot of people just disable them because there are simply too many popups. Attestation is bad for UX; you should avoid it.
  4. Attestation is very hard to manage — You need to collect metadata for the devices (somewhat solved by the MDS). You need to know which fields you need. You need to trust the metadata. It’s a very hard problem that requires a good understanding of what you are doing.
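
To make point 1 concrete, here is an added example (not code from the original post, nor Cloudflare's): a parser for the fixed-layout prefix of WebAuthn authenticator data that pulls out the AAGUID and maps it to a device model through a hypothetical metadata table standing in for the MDS. The AAGUID, RP ID and credential ID are constructed sample values; the point is that everything an attestation-style check can extract names a model and a per-site credential, never a person.

```python
import hashlib
import struct

FLAG_UP = 0x01  # user present (WebAuthn authenticator-data flag bit)
FLAG_UV = 0x04  # user verified
FLAG_AT = 0x40  # attested credential data (AAGUID + credential ID) included

# Hypothetical AAGUID and metadata table standing in for the FIDO MDS (assumption, not a real device)
HYPOTHETICAL_AAGUID = bytes.fromhex("00112233445566778899aabbccddeeff")
METADATA = {HYPOTHETICAL_AAGUID: "Hypothetical Key v1 (FIDO L1)"}

def build_auth_data(rp_id, aaguid, cred_id, flags, sign_count=0):
    """Assemble authenticator data in WebAuthn layout; used only to construct sample input.
    Layout: rpIdHash(32) | flags(1) | signCount(4) | aaguid(16) | credIdLen(2) | credId.
    The COSE public key that normally follows the credential ID is omitted."""
    rp_hash = hashlib.sha256(rp_id.encode()).digest()
    return (rp_hash + bytes([flags]) + struct.pack(">I", sign_count)
            + aaguid + struct.pack(">H", len(cred_id)) + cred_id)

def parse_auth_data(auth_data):
    """Parse the fixed-layout prefix of authenticator data, with length checks."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    info = {"rp_id_hash": auth_data[:32], "user_present": bool(flags & FLAG_UP),
            "user_verified": bool(flags & FLAG_UV), "sign_count": sign_count,
            "aaguid": None, "credential_id": None}
    if flags & FLAG_AT:
        if len(auth_data) < 55:
            raise ValueError("attested credential data truncated")
        (cred_len,) = struct.unpack(">H", auth_data[53:55])
        if len(auth_data) < 55 + cred_len:
            raise ValueError("credential ID truncated")
        info["aaguid"] = auth_data[37:53]
        info["credential_id"] = auth_data[55:55 + cred_len]
    return info

def describe_device(auth_data, rp_id, metadata=METADATA):
    """Return what an attestation-style check can establish: that the data was made
    for this RP and which authenticator model (AAGUID -> metadata). No field names a user."""
    info = parse_auth_data(auth_data)
    if info["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("rpIdHash does not match the expected RP ID")
    return {"model": metadata.get(info["aaguid"], "unknown model (not in metadata)"),
            "user_present": info["user_present"], "user_verified": info["user_verified"],
            "credential_id": info["credential_id"]}

# Constructed sample: one registration on example.com from the hypothetical key
SAMPLE = build_auth_data("example.com", HYPOTHETICAL_AAGUID, b"\x01\x02\x03\x04", FLAG_UP | FLAG_AT)
```

The UP/UV flags are asserted by the authenticator itself, so they are not evidence of a live human either; a real verifier would additionally check the attestation statement's certificate chain, which again resolves to a model-level (batch) certificate.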

In conclusion:

FAQ

FIDO, Identity, Standards

Ackermann Yuriy