Could Cloudflare consider an alternative to reCAPTCHA?


#1

See title please :slight_smile:

The issue basically was, today Cloudflare insisted on imposing a captcha on any of my login attempts. Usually reCAPTCHA does not prompt one when logged in with a Google account, this time however it insisted on a captcha being solved.

Usually this still disappears after a reload or two, but today Google got suspicious straight away and barred me from solving a captcha in general, effectively keeping me from logging into my Cloudflare account, which not only affected the community login but particularly the dashboard login. Fortunately I did not need to connect to the dashboard :slight_smile:


#2

I’ve never had this happen. Are you using 2FA?

Either way, reCAPTCHA is really irritating. I’ve lost track of how many storefronts, cars, bridges, hills, street signs, etc. I’ve identified.


#3

Recaptcha is a necessary evil to be honest. Even with a JS browser check, someone could just run puppeteer to programmatically act like a browser and click and send keyboard events to the email/password box (example), and self-made captchas are usually easy to OCR unless you have a dedicated team constantly changing and tweaking the captcha algorithm.

There is a difficulty selector in the recaptcha admin - it may well be that CF increased it because they saw spam/brute force logins coming in.


#4

Neither to me, up until yesterday :slight_smile:

I am not. If it was only for the dashboard I’d activate it, but being linked to the forum I don’t feel like fishing out the phone all the time when logging in.

True, but to be fair it usually doesn’t bother you if you have a session for a Google account. Yesterday was the exception, particularly with the subsequent locking out.

Just to be clear, I was not talking about the challenge captcha when accessing a website, but about the login captcha. I was effectively locked out of my account the whole day.

That might be the case.

I guess Cloudflare might have reached a point where they could pull off their own captcha, which they have full control over and where they do not have to rely on a third party.


#5

I use 2FA, and I rarely have to plug in my code to access the dashboard or the forum. I believe they use the same cookies.


#6

They do, and if I stayed logged in it wouldn’t be an issue either, but I am one of those tin foil hats who has the browsing data purged when the browser closes :slight_smile:


#7

That’s why I have my trusted browser (with cookies) and my tin-foil browsers for everything else.


#8

I’d confuse them all the time :laughing:


#9

@cscharff @cloonan @ryan Any chance of a change here? :slight_smile:


#10

Just sayin’ … reCAPTCHA is locking me out once again :frowning:

Posting via a tunnel right now, no idea when I am allowed back in again :man_shrugging:


#11

What kind of difference a change of IP can make :slight_smile:


#12

Exactly.


#13

Recaptcha can really be annoying as fuck sometimes. I’d say in 50% of cases it lets me through, 30% is 1 test, but the last 20% are REALLY testing my patience with Google. It is completely unnecessary to make me solve like 10+ challenges.


#14

Captchas in general are annoying but I understand their necessity, my main concern here is when Google insists on solving the captcha (even though I am logged in with a Google account) and, in particular, when Google blocks me completely. The latter effectively locks me out of my Cloudflare account.


#15

I can only confirm what others already said, adding that recaptcha seems completely broken for many people right now.

From the same static and non-shared IP, I have completely different trust scores in the morning than in the afternoon. I see different trust scores between Chrome and Firefox. Even worse, when I’m logged into my Google account, 4 out of 5 times I have a terrible trust score (making it nearly impossible to complete the captcha), while I am more trusted when I’m not logged into the Google Account (where I’m registered with all my personal data, including verified credit cards). And yes, I mean it that way, not the other way around (which would be logical for a captcha service).

You can check out this link to see the current trust score:
https://recaptcha-demo.appspot.com/recaptcha-v3-request-scores.php

Try with different browsers and with/without Google Account login.

I used to use the Incognito mode of my browser to avoid having to logout from my Google Account, for the sake of solving recaptchas. I now switched to Firefox with Multi Container to restrict Google/Facebook accounts from interfering in other websites, so I don’t need that any longer.

The reCAPTCHA Google forums and support are basically useless, no one relevant ever responds to any problems.

And no, the IP space I am using is not in any way dirty or blacklisted, it is a completely clean RIPE assigned IP subnet (I am a senior network engineer with that LIR). It’s not new either. And I can see people all over the place having the same problems, even outside of this network.

It is my strong opinion that recaptcha has become a totally unreliable service. That’s unusual for a Google service, but it is what it is.


#16

Lukas made a few very good points.

@cscharff @cloonan @ryan Any chance of having recaptcha superseded by something Cloudflarish? Being completely locked out is not so much fun :slight_smile:

:laughing: My primary Google account, used for most services including Android has a lower score than not being logged in :man_facepalming: - that does explain a bit now.


#17

Cough, cough


#18

Really, no feedback for almost two weeks? That’s disappointing.


#19

I suspect the reason they don’t just use a JS browser check is that JS browser checks are getting cheap to perform - currently, using puppeteer, you can bypass the “under attack” mode interstitial page since you’re running a complete Chrome JS engine. The only reason this isn’t an issue for most Cloudflare customers is that the cost of running Chrome to DDoS a web server is fairly expensive and takes more CPU/resources than it’s worth.

However, when you factor in logins and the potential to destroy infrastructure or brute force passwords, the ROI for a Chrome attack is much greater. Sure, you’re wasting a lot of resources running a full browser, but if you brute force your way into an account you could cause millions in damages or pivot to other systems with the password you just guessed.

This is why ReCaptcha is a thing. Scoring based on how “trustworthy” a google account is, how human-like the mouse movement is on the page, and how often it’s hitting the captcha is the only proven way to defend against these attacks. I agree that ReCaptcha isn’t perfect, but, at least for now, there are no real alternatives that match up to ReCaptcha’s level of overall success.

My only suggestion for a solution to the problem is a “magic link” system like Tumblr uses. When trying to log in you’ll receive an email containing this “magic link” that removes the need to log in with a password at all and bypasses any Captcha checks since you’re now relying on the email provider’s security.
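As an added illustration of the score-based model described in #19 (this is example code, not Cloudflare's or Google's): the site operator never sees mouse movement or account trust directly, only the `siteverify` response, so the decision that actually protects a login is how that response is evaluated server-side. The field names (`success`, `score`, `action`, `hostname`, `challenge_ts`, `error-codes`) are the documented siteverify response; the thresholds, the fixed clock and the sample responses are constructed for the example. The point it shows is that a token must be checked for the expected action and hostname and for freshness, and that anything unexpected fails closed rather than being waved through.

```python
"""Server-side evaluation of a reCAPTCHA v3 siteverify response.

Added example, not Cloudflare's or Google's code. Thresholds and sample
responses are constructed; the response field names are the documented ones.
"""
from datetime import datetime, timedelta, timezone

# How long after issue a token is still accepted (constructed policy value).
MAX_TOKEN_AGE = timedelta(minutes=2)


def _parse_ts(ts):
    # challenge_ts is ISO 8601 with a trailing 'Z' for UTC.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def evaluate_verification(resp, expected_action, expected_hostname,
                          allow_score=0.7, challenge_score=0.3, now=None):
    """Return 'allow', 'challenge' or 'deny' for one siteverify response.

    Fails closed: a failed verification, a token minted for a different
    action or hostname, or a stale token is never silently allowed.
    """
    now = now or datetime.now(timezone.utc)
    if not resp.get("success"):
        return "deny"                       # e.g. timeout-or-duplicate
    if resp.get("action") != expected_action:
        return "deny"                       # token from a different form
    if resp.get("hostname") != expected_hostname:
        return "deny"                       # token solved on another site
    try:
        issued = _parse_ts(resp["challenge_ts"])
    except (KeyError, ValueError):
        return "deny"
    if now - issued > MAX_TOKEN_AGE or issued > now + timedelta(seconds=30):
        return "deny"                       # replayed or clock-skewed token
    score = resp.get("score")
    if not isinstance(score, (int, float)):
        return "challenge"                  # no score: step up, don't allow
    if score >= allow_score:
        return "allow"
    if score >= challenge_score:
        return "challenge"                  # e.g. send to a second factor
    return "deny"


# Constructed sample responses and a fixed clock so the outcome is stable.
NOW = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLES = {
    "good": {"success": True, "score": 0.9, "action": "login",
             "challenge_ts": "2024-01-01T11:59:30Z", "hostname": "example.com"},
    "mid": {"success": True, "score": 0.5, "action": "login",
            "challenge_ts": "2024-01-01T11:59:30Z", "hostname": "example.com"},
    "low": {"success": True, "score": 0.1, "action": "login",
            "challenge_ts": "2024-01-01T11:59:30Z", "hostname": "example.com"},
    "wrong_action": {"success": True, "score": 0.9, "action": "signup",
                     "challenge_ts": "2024-01-01T11:59:30Z",
                     "hostname": "example.com"},
    "stale": {"success": True, "score": 0.9, "action": "login",
              "challenge_ts": "2024-01-01T11:50:00Z", "hostname": "example.com"},
    "failed": {"success": False, "error-codes": ["timeout-or-duplicate"]},
}


def decisions():
    """Evaluate every sample against the login form on example.com."""
    return {name: evaluate_verification(resp, "login", "example.com", now=NOW)
            for name, resp in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in decisions().items():
        print(f"{name:13s} -> {verdict}")
```

The `challenge` outcome is where a site can avoid the lock-out complained about in this thread: a middling score does not have to mean "solve ten image grids", it can mean a second factor or an emailed confirmation instead.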


#20

I agree with your points, but unfortunately it does not solve the issues I am having with that setup. The problem with reCAPTCHA is you are at the mercy of Google. Something like the issue mentioned above (a Google account having a lower score than anonymous access) should never happen and can effectively lock you out of your Cloudflare account (and actually did so).

Medium uses the same approach (even though they couple even that with reCAPTCHA) and that would be a viable solution in my opinion. If Cloudflare could adopt that (or offer it additionally) without the reCAPTCHA “insanity” it might be just the fix I was looking for :slight_smile:
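The "magic link" login suggested in #19 and endorsed in #20 is easy to describe and easy to get wrong, so here is an added example of the server side of it (my code, not Cloudflare's, Tumblr's or Medium's). It assumes an in-memory store and a plain `base_url` placeholder; a real deployment would use a database and send the link by email. The properties worth copying are that the server stores only a hash of the token (a leaked table cannot be turned into working links), that a token is bound to the address it was issued for, expires after a short TTL, and is consumed on the first redemption attempt whether or not that attempt succeeds.

```python
"""Magic-link login tokens: issue, email, redeem once.

Added example, not the code of any service named in the thread. The store is
in-memory and the URL base is a placeholder; the TTL is a constructed policy.
"""
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlencode

TOKEN_TTL = 15 * 60          # seconds a link stays valid (constructed policy)


class MagicLinkIssuer:
    def __init__(self):
        # sha256(token) -> (email, expires_at). The clear token is never kept.
        self._pending = {}

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email, now=None):
        """Create a single-use token for `email` and return it for emailing."""
        now = now or time.time()
        token = secrets.token_urlsafe(32)            # 256 bits of entropy
        self._pending[self._digest(token)] = (email.lower(), now + TOKEN_TTL)
        return token

    def login_url(self, base_url, email, token):
        """Build the URL that goes into the email (base_url is a placeholder)."""
        return f"{base_url}/login/magic?" + urlencode(
            {"email": email.lower(), "token": token})

    def redeem(self, token, email, now=None):
        """Return the verified email to start a session for, or None.

        The entry is removed before any check so that a link can only ever
        be tried once, even if the first try fails.
        """
        now = now or time.time()
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None                               # unknown or already used
        stored_email, expires_at = entry
        if now > expires_at:
            return None                               # expired
        if not hmac.compare_digest(stored_email, email.lower()):
            return None                               # link/email mismatch
        return stored_email

    def purge_expired(self, now=None):
        """Housekeeping: drop expired entries; returns how many were removed."""
        now = now or time.time()
        stale = [d for d, (_, exp) in self._pending.items() if now > exp]
        for d in stale:
            del self._pending[d]
        return len(stale)


def walkthrough():
    """Run the full flow with a fixed clock; returns the observed outcomes."""
    issuer = MagicLinkIssuer()
    t0 = 1_700_000_000.0
    tok = issuer.issue("Alice@Example.com", now=t0)
    url = issuer.login_url("https://login.example", "alice@example.com", tok)
    return {
        "url_has_token": tok in url,
        "first_use": issuer.redeem(tok, "alice@example.com", now=t0 + 60),
        "second_use": issuer.redeem(tok, "alice@example.com", now=t0 + 61),
        "expired": issuer.redeem(issuer.issue("bob@example.com", now=t0),
                                 "bob@example.com", now=t0 + TOKEN_TTL + 1),
        "wrong_email": issuer.redeem(issuer.issue("bob@example.com", now=t0),
                                     "eve@example.com", now=t0 + 1),
        "garbage": issuer.redeem("not-a-token", "bob@example.com", now=t0),
    }


if __name__ == "__main__":
    for k, v in walkthrough().items():
        print(f"{k:13s} -> {v!r}")
```

Two things this does not do, and which a production version still needs: rate-limiting how many links one address can request (otherwise the mailbox becomes the spam target), and treating the email account itself as the real second factor, which is exactly the trade-off #19 points out.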