Stop making your users prove they're human by switching to Turnstile, an invisible CAPTCHA by Cloudflare
At Craftzing, we recently removed CAPTCHAs (completely automated public Turing test to tell computers and humans apart) from all the forms on our website and replaced them with Turnstile. This service is a CAPTCHA alternative made by Cloudflare, using their Challenge platform. In this article we'll delve into why the use of CAPTCHAs can be problematic, especially in terms of accessibility, how Turnstile works, and why we switched to this alternative.
The shortcomings of traditional CAPTCHA techniques
Let’s take Google reCAPTCHA for example, probably the most common one out there, asking us to identify objects in images.
Bots are better at solving CAPTCHA’s than humans
Bots are spamming us. So we put CAPTCHA’s up to separate the humans from the bots. But the bots keep getting better, they’re already better than us in solving them. This study revealed that human accuracy in solving CAPTCHAs ranged from a mere 50 to 85 percent, while bots scored between 85 to 100 percent.
Then why are we still being asked to identify objects in pictures? Because we’re training AI for free.
"Google’s parent company Alphabet is developing self-driving cars through a subsidiary named Waymo. But before a machine can drive, it needs to be able to recognize a wide range of objects like stop signs, traffic lights, crosswalks, and buses under various conditions. You’ve probably noticed that, in the past few years, most reCAPTCHA tests now ask you to identify where these objects are in grainy traffic photos taken from the perspective of a car.”1
They’re American culture based
Another complaint is that they are built by Americans, meaning that they mostly prove you know American culture. The typical American yellow taxi being the perfect example — what about London's Black Cabs? Or America’s red fire hydrants. They don’t look like that in other parts of the world.
They’re inaccessible
The most prominent issue lies in their inherent inaccessibility for individuals with disabilities. A substantial portion of the population faces insurmountable challenges in deciphering these puzzles due to their impairments. This critical flaw restricts their access to essential online services and platforms. For example, a person with low vision cannot identify objects like taxis. And if you’re hard of hearing as well, like many elderly, the audioCAPTCHA is not an accessible alternative.
Nobody likes them
They prevent you from doing what you’re there to do. They’re simply annoying.
How can Turnstile separate bots from real users without you solving a puzzle?
“First, we run a series of small non-interactive JavaScript challenges gathering more signals about the visitor/browser environment. Those challenges include, proof-of-work, proof-of-space, probing for web APIs, and various other challenges for detecting browser-quirks and human behavior. As a result, we can fine-tune the difficulty of the challenge to the specific request and avoid ever showing a visual puzzle to a user.”2
The description above shows how the tool works internally. Turnstile uses an alternative version of the technology used to protect websites from DDOS-attacks.
The screenshots above show what Turnstile looks like, by default. It presents a small checkbox. But Turnstile can also be used on your website without the user having to check a box. This invisible version requires no human interaction at all and is therefore the recommended setting from a user experience point of view. No distraction, no extra hurdle.
Turnstile aims to provide a seamless and accessible experience for all users, eliminating the need for visually-impeding puzzles or any other kind of user interaction.
Why Turnstile outshines traditional CAPTCHAs
It’s accessible
Turnstile aims to provide a seamless and accessible experience for all users, eliminating the need for visually-impeding puzzles or any other kind of user interaction. Initiatives like these not only improve accessibility for users with disabilities, they take away the frustration of CAPTCHA-solving tasks for everyone.
Instead of requiring human interaction, this new solution uses different aspects of your web browser to identify you as a human (as well as other challenges).
It respects your privacy
Google reCAPTCHA collects lots of user data. Cloudflare, together with Apple, has put a lot of effort into privacy protection. This was made clear when they announced Private Access Tokens. Using Cloudflare will limit the data you transmit to third parties, often giant tech companies such as Alphabet (Google).
You can start for free
Turnstile is free to use up to one million requests per month, which is the same as Google reCAPTCHA. Cloudflare released the tool for free in their mission to build a better Internet.
Excited to try it yourself? This Cloudflare article will help get you started.
References
By Sander Tirez
I am a web developer with ten years of experience, who loves building websites and apps with a focus on web standards, accessibility and lean code.
By Gijs Veyfeyken
I'm a certified accessibility specialist helping organizations improve their services for all people, including those with disabilities. Making it work. For everybody.