Security Keys Could Kill The CAPTCHA

John Lister's picture

Humans as a whole spend 500 years each day completing CAPTCHA challenges, according to a new estimate. The company behind the claim says USB security devices would be a more sensible way to confirm somebody is a human.

The data from Cloudflare is about CAPTCHAs: Completely Automated Public Turing test to tell Computers and Humans Apart. These are tests such as recognizing a string of letters on an unclear background or picking out images that contain a particular thing such as a boat or traffic light.

The idea is to limit automated visits to a web page or automated form submissions, for example to limit attempts to bring down a web page or, often, to prevent spam being submitted on a page with user-generated content (such as comments). The tests are supposed to be simple for a human but difficult for a computer, often combining image recognition and reasoning.

32 Seconds To Beat

Cloudflare says its studies show the average person takes 32 seconds to complete a CAPTCHA. It calculates that, based on the assumption that users see one every 10 days, the total time spent each day is around 500 years. (Source:

It says this brings a string of problems beyond wasted time, including frustration on small-screen devices, accessibility challenges, and cultural confusion as the appearance and name of things like taxicabs and fire hydrants varies widely around the world.

"I Am Human" Test Remains

Instead, it's proposing a two-stage test. The first is the familiar ticking of a box to confirm "I am human." That may sound like a ridiculous test, but in practice an online "robot" will usually move the cursor in a predictable manner, without the slight unpredictable wobble of a human operating a mouse or tapping a screen.

The second stage would be for the user to either plug in (via USB) or tap (via NFC) a security device similar to a USB memory stick. The device wouldn't have any unique identifier but instead would simply contain code to confirm it was genuine. (Source:

While such a set-up should work in practice, it's likely to be a chicken-and-egg problem. Users are unlikely to get such a device until it's widely accepted by websites. But websites are unlikely to require it (or even make it an alternative to CAPTCHAs) until a lot of users have the devices.
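The second-stage check above (a device that proves it is genuine without carrying a unique identifier) can be modelled as follows. This is an added example, not code from the article or from Cloudflare. It assumes that every device in a manufacturing batch shares one attestation key endorsed by the manufacturer, and all names and keys in it are constructed for illustration.

```javascript
// Simplified model of batch attestation (assumption: one key per batch of devices).
// All keys are generated here for the demo; this is not a WebAuthn implementation.
const crypto = require('node:crypto');
const newKey = () => crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });

// Manufacturer root key pair: websites trust only the public half.
const root = newKey();

// One attestation key is placed in every device of a batch, so a signature proves
// "a genuine device from this batch" and says nothing about which device it was.
function makeBatch(signingRoot) {
  const batch = newKey();
  const publicDer = batch.publicKey.export({ type: 'spki', format: 'der' });
  // Stand-in for a certificate: the root signs the batch public key.
  const endorsement = crypto.sign('sha256', publicDer, signingRoot.privateKey);
  return { privateKey: batch.privateKey, publicDer, endorsement };
}

// Device side: the user touches the key and it signs the site's fresh challenge.
function deviceRespond(batch, challenge) {
  const signature = crypto.sign('sha256', challenge, batch.privateKey);
  return { publicDer: batch.publicDer, endorsement: batch.endorsement, signature };
}

// Website side: check the manufacturer endorsement, then the challenge signature.
function verifyResponse(rootPublicKey, challenge, res) {
  if (!crypto.verify('sha256', res.publicDer, rootPublicKey, res.endorsement)) return false;
  const batchKey = crypto.createPublicKey({ key: res.publicDer, format: 'der', type: 'spki' });
  return crypto.verify('sha256', challenge, batchKey, res.signature);
}

function demo() {
  const batch = makeBatch(root);
  const challenge = crypto.randomBytes(32);
  const deviceA = deviceRespond(batch, challenge); // two physical keys, same batch
  const deviceB = deviceRespond(batch, challenge);
  const unknownMaker = makeBatch(newKey()); // endorsed by a root the site does not trust
  return {
    genuine: verifyResponse(root.publicKey, challenge, deviceA),
    sameIdentity: deviceA.publicDer.equals(deviceB.publicDer),
    staleResponse: verifyResponse(root.publicKey, crypto.randomBytes(32), deviceA),
    untrustedMaker: verifyResponse(root.publicKey, challenge, deviceRespond(unknownMaker, challenge)),
  };
}
console.log(demo());
```

The website learns only that a key from a trusted batch answered this particular challenge; a response to an older challenge or a key endorsed by an unknown manufacturer is rejected.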

What's Your Opinion?

How often do you encounter CAPTCHAs? Do you find them frustrating? Would you be willing to use a security device as an alternative?



doulosg's picture

At least with CAPTCHA I don't have to remember where the dongle is kept, which device it might be plugged into, which port is available, which version of USB it's compatible with, and how many times I'll need to reverse the insertion before I get it right.

Just typing that tells me I'd never want the device.

And those stats: Once every ten days. It feels roughly accurate, but probably only 1 in 5 to 1 in 10 are the complicated traffic signals, boats, crosswalks, etc. Most are just the Bad Robot checkbox.

Gurugabe's picture

For many corporate users this would be no problem. If a good 2FA policy is set, usually a USB dongle is required to be able to log in and when removed the computer gets locked. That would mean that those users would always have it plugged in while working. I have that at work so when I am not at work it stays in my pocket because I can't forget it the next day.
Now, for home users, that could be an issue trying to remember where their dongle is and getting it plugged in. Until it is widely adopted, they will rarely be used and could get lost in a drawer or just lost in between uses. I do have a personal set of Yubikeys, USB A and USB C, but they usually stay on my desk at work because I rarely need them at home. If one of my personal services like Google requests me to plug it in, it is usually on my phone while I am at work.

kitekrazy's picture

Dongles can be stolen or broken. They are also proprietary. Some of us have USB hubs dedicated to dongles. I'd hate to have an Apple system where you have to buy expensive attachments for what they deem as legacy. iLok has the option of not needing a dongle. This was once a form to protect from piracy but some developers felt it was wise in not letting a 3rd party come between them and a user.

Tech people seem to be out of touch with the average person on the street.

I do find it hard to believe the average person spends 32 seconds to complete a CAPTCHA unless it's when they used blurry characters.