
What should be the principal conclusions of this version of the document? #23


Open
jasonjgw opened this issue Feb 10, 2022 · 3 comments

Comments

@jasonjgw
Contributor

It has been proposed in Task Force meetings that we should suggest shifting responsibility for establishing the personhood of the user attempting to access a resource, so far as possible, to the user agent and to content providers' networks.

This could be achieved by a combination of measures: delegation of trust via Trust Tokens (or a similar mechanism); the use of WebAuthn to establish personhood via a known to be reliable authentication device; use of risk analysis and behavioural analysis, etc.

It has also been suggested that something other than (or short of) establishing that the user has human cognition should be sufficient to satisfy the purposes for which a CAPTCHA would be used. It could be offered as an alternative - permitting the user to bypass any CAPTCHA challenge that would otherwise be issued by the service with which interaction is sought.

At this point, the conclusions have not been worked out in detail; the purpose of this issue is to document progress and to record discussion.

@lwolberg

lwolberg commented Feb 25, 2022

Janina and I investigated the use of WebAuthn to establish personhood via a known-to-be-reliable authentication device; here is some progress.

I read the Cloudflare proposal and did the test. It worked very smoothly on my iPhone using FaceID without any preliminary registration. This is a huge step forward from the first versions, which seemed to indicate that users would need a hardware key, e.g. Yubico.

You can try the test here
https://cloudflarechallenge.com/

============

Some useful sources for the above:

Webauthn Level 2 (which seems to incorporate Level 1)
https://www.w3.org/TR/webauthn-2/

Cloudflare's readable overview of the issues and their approach
https://blog.cloudflare.com/introducing-cryptographic-attestation-of-personhood/
By Thibault Meunier

Cloudflare's list of common hardware authentication devices: Apple Face ID and Touch ID, Microsoft Windows Hello, Google Android Biometric Authentication.
https://blog.cloudflare.com/cap-expands-support/
By Wesley Evans and Tara Whalen

A technical review of the standard
https://support.cloudflare.com/hc/en-us/articles/200170136-Understanding-Cloudflare-Captchas-Managed-Challenge-and-Challenge-Passage

@jasonjgw
Contributor Author

It isn't entirely clear from the documentation whether Cloudflare's WebAuthn-based technique has now been deployed widely to their clients, but one of the pages cited in Lionel's comment suggests it may have been.

Implementing this or a similar solution in place of, or even alongside, any form of CAPTCHA would seem to me to address the accessibility problem for users with disabilities. There is a sufficient variety of hardware devices supporting WebAuthn that no single biological characteristic need be relied upon for biometrics, as is required for accessibility. Non-biometric authentication devices are, I assume, also supported. Of course, the user can choose the authentication device, as long as the vendor is trusted by the Web site operator whose services are to be accessed.

Would such a solution meet the security requirements of Web-based service providers? If specific security devices are good enough for authentication, are they sufficient in cases of potentially anonymous access as well (the central use case for which CAPTCHA is especially well suited)?

@jasonjgw
Contributor Author

jasonjgw commented Mar 2, 2022

As discussed at the meeting, the results of my testing the cloudflarechallenge.com application are as follows.

  • Mac OS: no success with Chrome or Safari.
  • Windows 11: successful response to the challenge with Chrome and Windows Hello.

Lionel reported similar results for Mac OS, and, as above, positive results for iOS.
