Cloudflare has announced the open beta of Turnstile, an invisible alternative to CAPTCHAs that anyone can use on their website by calling a simple API. It hopes that Turnstile will allow you to get onto websites quicker and in a less frustrating way than solving a CAPTCHA puzzle or entering a bunch of letters and numbers.
Instead of the user having to interact with a simple puzzle, the Turnstile system uses non-intrusive challenges based on telemetry and client behaviour during a session. Cloudflare said that as Turnstile challenges become less effective, they will be rotated out for new ones, keeping malicious actors at bay. Explaining how it works in a bit more detail, Cloudflare said:
“With Turnstile, we adapt the actual challenge outcome to the individual visitor/browser. First we run a series of small non-interactive JavaScript challenges gathering more signals about the visitor/browser environment. Those challenges include proof-of-work, proof-of-space, probing for web APIs, and various other challenges for detecting browser-quirks and human behavior. As a result, we can fine-tune the difficulty of the challenge to the specific request.
Turnstile also includes machine learning models that detect common features of end visitors who were able to pass a challenge before. The computational hardness of those initial challenges may vary by visitor, but is targeted to run fast.”
Setting up Turnstile on your website is very easy, just create a Cloudflare account and go to the Turnstile tab on the navigation bar. Here you can get a sitekey and secret key. You’ll then need to copy some JavaScript code from the dashboard and use it to replace your existing CAPTCHA JavaScript. Cloudflare then says you need to update the server-side integration by replacing the old siteverify URL with Cloudflare"s.