Cloudflare TV

🎂 Privacy Preserving Alternative to ReCAPTCHA. AKA Turnstile

Presented by Dan Gould, Reid Tatoris
Originally aired on 

Watch Cloudflare’s Director, Product Marketing Daniel Gould and Director, Product Management Reid Tatoris explain the announcement of Turnstile.

Read the blog post:

Visit the Birthday Week Hub for every announcement and CFTV episode — check back all week for more!

Birthday Week

Transcript (Beta)

Hey, everybody. Hello. Welcome to another segment of quality during Birthday Week.

My name is Dan from the product marketing team at Cloudflare.

I'm joined by my esteemed colleague Reid on the product management team.


Good to see you. Hey, thanks a lot for having me, Dan.

Yeah, of course.

Of course.

Well, you know, surprise, surprise, we're in the midst of Birthday Week and yet more innovation.

And actually today I know you've been heavily involved in this.

We made a really cool announcement and for anybody following Cloudflare, maybe this didn't come as a total surprise, but this really fits cleanly into our mission to help build a better Internet by helping move the world past catches.

And so we're going to talk about this.

I believe it's called Turnstile, right where we revealed today.

Yeah, that's right.


You know, we'll talk about that. But maybe as we think about captions, it makes sense to start at the beginning, right?

And discuss what captions are and how we sort of. We got to this point necessitating something to replace them in Turnstile.

So that said, how do you think of like, what is a caption?

Let's start there.


So I think almost every almost everyone has seen and interacted with a CAPTCHA.

But CAPTCHA is a very clunky acronym. It stands for Completely Automated Public Turing Test to tell computers and humans apart.

It's a really, really long acronym, but CAPTCHA was invented in 2000, and the intent was that when a visitor is hitting a website, this was a test you could give the visitor to tell if a website is a person or if a website is automation.

And so backing up just a bit to talk about automation, there are bots on the web that do things like, for example, crawl the web in order to categorize sites.

So Google search bot is the most common one.

It's it's a bot, it's automated, but it's really good.

It helps the Internet run better.

But that same automation can also be used by bad guys to either potentially detox the site by sending lots and lots of fake traffic or to scrape data from a website.

So if you're an e-commerce site, a competitor might write a bot to hit your product page, pull the most current prices so they can always undercut you.

And so for websites, they really want to know whether a visitor to the site is a human or a bot, and they'd like an easy way to block bot activity if they if they don't want those bots on their site.

And so when the CAPTCHA was invented, it was actually really great.

And this is one of the things that's hard for us to understand because at the time in 2000 a CAPTCHA was a little bit of slightly squiggly text.

If you look at an old original CAPTCHA, really easy for every person to decipher.

But image recognition at the time was really difficult for computers, so CAPTCHA was a way that you could throw up this test that people would get through in 2 seconds and no bot could get through.

The problem is that was 20 years ago, and for 20 years we've been in an arms race and every day attackers got a little bit better at image recognition and got a little bit better at solving those CAPTCHAs.

And then so every day has had to get a little bit harder and more difficult to the point now where many captures you see are easier for certain bots to get past than they are for humans because they're just impossible for us to solve because they've become so difficult.

And the next thing I want to talk about is the most familiar capture, I think to most people is known as reCAPTCHA.

It's about 90% of the capture market.

It's free to use and almost everyone is using it if you're using a free CAPTCHA tool.

ReCAPTCHA was actually really great. It was created in 2007, and what it did was take that activity of deciphering text that humans do and use that to digitize books.

So you took this activity that was useless and you put it towards a good use.

So every time a human was deciphering a CAPTCHA, they were helping to digitize books.

And that only lasted, though, because of that arms race for about six, seven years.

And now CAPTCHAs have evolved. They're almost never deciphering text anymore.

They've gotten to image recognition.

That becomes really, really difficult.

I'm sure you've seen ones that say, like, tell the car, choose images of a car or choose images of a smiling dog, as an example, as one of the really bad ones I've seen.

And so we had this tool that started out with really good intentions. It evolved to a tool that actually did something good in the world helping to digitize books.

And now it's turned into a tool that's really just obnoxious for people.

I didn't know that sort of fun fact about digitizing books.

When would you say like, when did the sort of visual puzzle that captured that really do feel very invasive?

When do those become the standard, would you say, for challenging humans to make sure they're people?

It's definitely been at least ten years.

So reCAPTCHA, which was invented in 2007, was acquired by Google in 2009, and that's when the usage started to take off.

So I think it was really early 2010s that this became a tool that lots and lots of people started using.

And I think around that same time is when it started, the difficulty for humans started to expand.

And one thing that's interesting, I think if you show a CAPTCHA to anyone, even your grandma's definitely going to recognize them and everyone universally hates them, right?

And they'll say, this is a terrible user experience. It's so annoying when I encounter one.

And so a question I often get is, Well, wait, does anyone still use these today because they're so noxious?


And unfortunately, the answer is yes.

And so, literally billions of times a day CAPTCHAs are shown to humans.

You know, the depending on which estimate you look at, something like 90% of the top 100,000 sites, use some form of CAPTCHA today.

And then I think the other question then comes up as well.

If this is so universal and it's so bad, why is it still universal?

Why write to something else?

And I think the biggest reason is that there is really only one free option, which is CAPTCHA that we've talked about.

And so if you're a small website, you can't afford a full bot management suite, you've really only got one option.

And that is the problem that we're trying to solve, is we want to go to those small sites that are only have one option today and give them another option that that is a lot less intrusive to their users.

Right, right, right.

And if you if you said you know we looked at and I think we've spoken about this in the past on any given day, how much time are we wasting ballpark with CAPTCHAs, solving CAPTCHAs.

I think we've done that math right.

Yeah, I mean, we've done really rough estimates.

And so if you think about the average capture for a person takes about 32 seconds to solve.

And then if you look at the frequency at which captures are shown every day, it's something like 500 years of human time that are put into collectively solving captions.

And that's only a little bit of time for each person. But if you think of all the ways that that time could be put to some better use, it's a huge waste.

And we talk a lot at Cloudflare about our mission being to make the Internet a better place.

That really is our mission. We talk about it a lot and if we can take that 500 years number and even move it down to 480 years, I think that would be.

A big improvement.

Yeah, we'd be. Really happy about that.

Yeah, that's.

That's 20 years a day. That's a lot of time.

20 years ago. So, okay, so we're familiar with the fact just by the given we're all Internet users that it's a time waste.

It's irritating sometimes.

It's even challenging trying to really pick out which images have stoplights in them.

Right. Does this border two images? So we know it's irritating. You know, privacy occasionally comes up also that this is potentially not great for privacy.

What why is that the case? Yeah.

The other complaint that people often don't think about as well, the user experience is annoying for a lot of us.

If you're visually impaired, it's not annoying, it's impossible.

And so any type of visual challenge that CAPTCHA puts up is just impossible for many Internet users to do, which is a really terrible experience.

And then I talked before about the fact that reCAPTCHA is really almost 100% of the market and.

If you're using it today, you're giving the data on your visitors to an ad sales company.

Now, Google has a lot of things in place. They say this is really totally separate.

We're not actually using it to track across the Internet.

But one of the things Google does is looks at do you have the Google login cookie installed in your browser?

And so if you're logged in and Google can track you across multiple websites, you're generally going to get a better score.

And so, you know, at the end of the day, even if Google has the best intentions, they're an ad sales company.

And one of the really nice things about Cloudflare is we're a security company and our customers are the websites that choose us directly to help protect them.

Our customers are not advertisers.

We don't make any money on ad targeting.

And so I like that we've got a very simple, very direct relationship.

And so you don't have to worry about sharing your data with a third party.

We kind of got it.

Got interesting. So we'll talk about what we've done.

But I guess last question, all in all, it seems like these aren't great across the board.

What is he? So to date, there hasn't really been an alternative to reCAPTCHA, short of just not using any way to challenge visitors.

Is that the case?


If you look at the timeline of Cloudflare, so two years ago we used reCAPTCHA as an option when our customers wanted to challenge a visitor and not actually just straight up blocked them and we didn't like it.

And we have spent two years trying to, to get rid of CAPTCHA.

And at that time Cloudflare alone, we showed billions of CAPTCHAs a day.


So we're talking lots and lots and lots. And so we had a team at Cloudflare that is dedicated to how can we reduce our reliance on CAPTCHA.

And in that time we have created a bunch of different tools that we use.

But at a high level, what we did is we created this platform that tested lots of different types of CAPTCHA alternatives.

So rather than just say instead of CAPTCHA, we're going to put up this one particular challenge.

We tested dozens and dozens of challenges over multiple years.

And by doing that, we've been able to slowly reduce the amount of time that we at Cloudflare Show to capture.

And so if you compare to two years ago today, we've reduced the amount of CAPTCHAs we've used by 94%.

So almost never compared to how frequently we used to use it.

And so that was a slow evolution for us.

And what we've done today is we looked at about six months ago, we talked about that process of us reducing our usage on CAPTCHA.

And we talked about that platform that we created to rotate through lots of different types of invisible challenges, test them against CAPTCHA to make sure that they're effective.

And then once we did that, we said, well, why don't we turn this same technology over to all of those small sites that aren't using a Cloudflare service today, but are using a CAPTCHA because that's the only option.

And so we spent time taking that platform, turning it and building an API that's really easily consumable.

And so now anyone can use that same technology that we've used to get rid of CAPTCHA on their own side.

That's amazing.

So that's today's news. Cloudflare Turnstyle and Reed, as you said, this is free for everyone, including non Cloudflare customers.

They really sign up.

It's just a snippet of code, right?

They just swap in and off they go.



And if you talk about the process of Cloudflare reducing our usage on CAPTCHA, what happens there is that if you are using the Cloudflare network, you as a customer can choose.

I want to challenge a user instead of blocking Cloudflare manages an interstitial page and we handle the decision for you of Do you want to?

Should you show some type of challenge to a user or not?

The problem is that you have to be on the Cloudflare network in order to use that technology.

And so what Turnstyle does is we've created an API, you log in, sign up for an account, we give you an account key, you copy a snippet of JavaScript code, you deploy that on your site and then you can call our API to embed a turnstile widget on your site that is available to anyone anywhere.

You don't have to use Cloudflare CDN, you don't have to use any of our security tools and, and you can start using that today.

And as you said, it's completely free.

That's that's amazing.

That's amazing.

So what we built before the past couple of quarters, I believe that's managed challenge, correct where we've got invisible challenges working in the back end to understand the request and then challenge as needed.

Now in the I guess, an early summer, we also did some work with Apple the paths private access tokens like that is also another sort of step in the right direction doing away with caches.

We want to talk about that a little bit.

Given that I feel like there's some really cool innovation there.


So I mentioned we have this team that has for two years been working on multiple initiatives to eliminate capture.

One of those initiatives is called Private Access Tokens.

Private access tokens are an open source IETF standard that anyone can use today.

We work with a couple of industry players, Apple being the biggest one, and what private access tokens do is allow us to validate a device that a user is on without collecting data from that device.

So if you look in the pre private access token world, when we are trying to validate is a request coming from a real user or not, if that's a mobile device, Cloudflare previously would do a couple of things.

We would try and identify what is the processor on this device, what iOS is, what OS version is it using, what security patches it on, what browser is it on?

Is this a real IMEI or is this just a spoofed emulator where someone's trying to mimic?

And so all of to do this validation, we would collect data from the device itself.

If you're a user, that means you have to give your data to another party, which is not ideal.

And so what we did is working with Apple.

Now, if you're on an iOS 16 device, we will detect that you're on that device.

And instead of doing any of that device interrogation, we will look for a private access token.

When we look for that token, what Apple does is they go and do all of those validations steps themselves.

So Apple as a device owner, already has information about your iOS.

They already know your IMEI.

They can come and tell us, is this a valid device?

And instead of sending us data so we can determine if the device is valid, they will just send us an encrypted token.

And so we can say token exists.

We know that Apple has done this validation.

We know that this is a valid device.

And that means we were able to do validation without collecting any device, any data from the device.

Even better, since Apple is actually the device owner, they can do additional types of validation that we previously couldn't do.

So, for example, Apple will check that a user is logged in to the device.

They'll also check that the browser window is in focus.

So this isn't just an app running in the background.

And so we get to eliminate data collection and we get additional validation from the device manufacturer.

So what we would love is a world six months a year from now where every device manufacturer uses private access tokens, and then regardless of the device you're on, when a request comes to Cloudflare, we can check for a private access token and we can say, Great, we know the device is valid.

We don't have to do any of these device level checks that allows data to be segmented and stay with the device manufacturer.

Really cool stuff.

Another really cool stuff. What was that?

So I said really cool stuff.

And it seems like just by merely if you are, say, an iPhone user by using iOS 16, you'll immediately start to see fewer captured.


And this is, I believe, also for Mac OS Ventura. It's both iOS and Mac OS.

They're really, really powerful stuff.

That's really awesome.

And of course, today the cherry on top is Turnstyle, what we're doing now.

And we were talking earlier, we thought maybe a picture is worth a thousand words in these sort of scenarios.

So I know you've we've been building something.

It's now in the cloud for cloud player dashboard.

And once people get signed up, this is one to show you what exactly you will see and how easy it is to get going.


Let me share my screen and I will walk you through. How you set up.

Turns out great. So can you see my screen all.

Right, Dan?

I sure can. Yeah.

All right, so when your Cloudflare customer, everyone will see this.

Now you log in, and on the left, you will see the domain.

You'll see the top of the navigation.

There is a new tab here called Turnstile.

And if you click on turnstile, it will take you to a turnstile site.

And the first step here is you click on the add site button and we get some information.

What do you want to call it? What's the domain?

And then we give you a couple of options to choose how Turnstile appears on your site so you can choose to a version that we call managed, where we have the option of asking the user to check a box that will be the only interaction they ever do.

There's no puzzle.

There's no clicking on images or deciphering text.

You can also decide I want a completely non interactive.

I never want the user to have to do anything on the page.

And then you can also decide I want to completely invisible.

I don't want them to see a widget or anything.

So total flexibility on how you want to do this.

Then when you click create.

It's going to take you to Settings page and we're going to give you a site key and a secret key.

This code here, this JavaScript is all you have to deploy on your site in order to start using Turnstyle.

Even better, if you are using a CAPTCHA today, the this code is going to look almost exactly like what you're using now.

So all you can do is go to your site, search for whatever JavaScript you have deployed for the your other CAPTCHA that you're using right now.

Copy and paste it over.

Really simple.

And in fact, I saw a couple of tweets this morning of someone saying, Wow, this took me less than 5 minutes to replace.

So it's really exciting to see that.

Then once you've actually deployed, I am going to give an example of this is just the dummy test page.

The most common places that we see customers using CAPTCHAs are in conjunction with an action.

So for example, before you log in, you want to show a CAPTCHA right now as an added layer of security.

Instead, you could show Cloudflare you could try a turnstile.

Same thing with maybe a form submission or before you post.

And so if I refresh the page here, what happens is users are going to see a loading page that we're actually currently validating your session, and then you're going to get a success when we do.

And that's it.

No CAPTCHA. No, No puzzle to decipher, No, no buttons to click on.

And then once you've deployed this and users are actually on your website interacting, we then also give you analytics.

And so if you come in and click.

On the particular site that you're deployed.

We are going to tell you how often we showed, how often a widget loaded out of page and then how often the customers actually solved.

And you can track this over time.

And so you can use this to see, Wow, if there is a large spike in the failure rate of turnstile, that's an indicator that a bot might be attacking your site.

You can also then look at the different solve types.

So before it I said you can choose, do you ever want to use it or have to interact if you want it to be completely invisible.

We'll show you how the analytics change for those different.

Different types of widgets.

And then lastly, I don't have this configured right now, but we also have this concept of actions.

And so when you call the API to actually render Turnstyle, you can give us a label for an action.

And so that means you can use the same widget on multiple places on a site.

So and you can give an action name like logging for example, or submission.

And so you can look and see how many calls am I having for each different action type.

So there's a lot of flexibility in how you can deploy this.

Really powerful stuff.

Again, it's almost hard to believe this is totally free, but indeed, you get all of this by merely signing up and taking three or four or 5 minutes to swap that code in.

Really, really powerful stuff. And congrats.

I know a lot of hard work has gone into this to really make this available to whole world so we can all move forward together in doing away with CAPTCHAs.

Yeah, I think sometimes we could get questions of Why are you doing this for free?

Why do you give away these tools? Like what's in it for Cloudflare?

And I think for us there's a few things.

One is we talked about this before, but making the Internet better, it really is our mission and this is technology we already built.

We're using it every day.

We've been using it for a year and it really doesn't cost us much to be able to let others use it as well.

So I really think it is the right thing to do.

And secondly, it is good for us because hopefully we get new people creating a Cloudflare account.

And let's say you come in and you use turnstile to replace CAPTCHA and then you might come in and say, Well, hey, what about Cloudflare Web Analytics tool?

Or what about using Workers? Or what about using pages?

And so for us, if we can take a technology we already have let some other people take advantage of it, make the Internet a little bit better, and then also get some other people get our other Cloudflare Services in front of a bunch of new customers.

We think that that's a win all around. Amen.

Amen. Yeah, I love that.

And that does really fit into our mission to help build a better Internet.

And I think it makes sense to have this news as part of Birthday Week.

So I think that is, is probably the highlights of what we're doing today.

Anything to add, Reed? I guess how would you suggest people get started?


Just go create a Cloudflare account. You walk through a little bit, but create an account.

Go get a site key, copy our JavaScript and then deployed on your site.

It really does take minutes to set up and then give us feedback.

We are just releasing this in beta and we'd love to have any input.

Love to see what customers would like to see next.

And yeah, please, please take a look and go to play.


This is so exciting. I think we'll leave it there.

We look forward to people again, as we said, signing up, getting this deployed and giving us some feedback.

So we thank you so much for walking us through what we're doing to sort of help move the world past CAPTCHA.

Thanks a lot, Dan, great to chat.

Take care.

We're betting on the technology for the future, not the technology for the past.

So having a broad network, having global companies now running at full enterprise scale gives us great comfort.

It's dead clear that no one is innovating in this space as fast as Cloudflare is.

With the help of Cloudflare, we were able to add an extra layer of network security controlled by Alliance, including WAF, DDoS.

Cloudflare Users CDN also allow us to keep costs under control and caching and improve speed.

Cloudflare has been an amazing partner in the privacy front.

They've been willing to be extremely transparent about the data that they are collecting and why they're using it, and they've also been willing to throw those logs away.

I think one of our favorite features of Cloudflare has been the worker technology.

Our origins can go down and things will continue to operate perfectly.

I think having that kind of a safety net provided by Cloudflare goes a long ways.

We were able to leverage Cloudflare to save about $250,000 within about a day.

The cost savings across the board is is measurable, it's dramatic, and it's something that actually dwarfs the yearly cost of our service With Cloudflare.

It's really amazing to partner with a vendor who's not just providing a great enterprise service, but also helping to move forward the security on the Internet.

One of the things we didn't expect to happen is that the majority of traffic coming into our infrastructure would get faster response times, which is incredible.

Like Zendesk just got 50% faster for all of these customers around the world because we migrated to Cloudflare.

We chose Cloudflare over other existing technology vendors so we could provide a single standard for our global footprint, ensuring sharing world class capabilities and bot management and web application firewall to protect our large public facing digital presence.

We ended up building our own fleet of proxy servers such that we could easily lose one and then it wouldn't have a mass effect.

But it was very hard to manage because we kept adding more and more machines as we grew.

With Cloudflare, we were able to just scrap all of that because Cloudflare now sits in front and does all the work for us.

Cloudflare helped us to improve the customer satisfaction.

It removed the friction with our customer engagement.

It's very low maintenance and are very cost effective and are very easy to deploy and it improves the customer experiences big time.

And Cloudflare is amazing.

The culture is such a relief.

It is very easy to use its first Cloudflare to replace the first level of defense for us.

Cloudflare has given us peace of mind. They've got our backs.

Cloudflare has been fantastic.

- I would definitely recommend Cloudflare.

- Cloudflare is providing an incredible service to the world right now.

Cloudflare has helped save lives through Project Fair Shot.

We will forever be grateful for your participation in getting the vaccine to those who need it most in an elegant, efficient and ethical manner.

Thank you.

Thumbnail image for video "Birthday Week"

Birthday Week
2023 marks Cloudflare’s 13th birthday! Each day this week we will announce new products and host fascinating discussions with guests including product experts, customers, and industry peers. Be sure to head to the Birthday Week Hub for every blog...
Watch more episodes