DataDome

What is Turnstile and how does it work?

Recently, Cloudflare released an open beta for a new CAPTCHA alternative tool, Turnstile. Turnstile is intended to deal with the known issues of traditional CAPTCHAs—that is, the terrible customer experience and privacy issues/conflicts of interest with Google (as the dominant CAPTCHA provider). 

Turnstile checks for bot behavior by choosing from a suite of browser challenges based on client behavior and telemetry. It can leverage Private Access Tokens (PATs), analyze some session data, run a small set of JavaScript (JS) challenges to gather more signals, and use the outputs of those JS challenges to adjust the difficulty of the challenges it issues next.

In essence, it’s a standalone “non-CAPTCHA” CAPTCHA that works in the background much like reCAPTCHA v3. (Unfortunately, relying solely on a CAPTCHA challenge for security creates several new challenges as bots continue growing increasingly sophisticated—enough to easily bypass behavior-based CAPTCHA tools alone.)

How is Turnstile better than a traditional CAPTCHA?

One of reCAPTCHA’s most well-known issues is data privacy. Excessive user information, especially personally identifiable information (PII), is gathered to decide whether a user is a human or a bot. Private Access Tokens, from Apple, began to pave the way for solutions that minimize data collection as part of the security process—and Turnstile claims to be similarly able to abstract parts of the validation process to confirm data without storing it. Additionally, Cloudflare has integrated PATs into the product to minimize data gathering for users on the most recent iOS/macOS versions.

What are Turnstile’s limitations?

Turnstile faces many of the same limitations as other invisible CAPTCHAs and alternatives like Private Access Tokens.

False Positive Monitoring

How does something like Turnstile handle false positives or negatives? Suppose it mistakenly blocks real human users, which can happen with any system based on fingerprinting and behavioral analysis. What options does that person have to access the site? And how would Turnstile avoid making the same decision to block that same human user the next time they try to access the site?

Any CAPTCHA technology or alternative requires extra monitoring to surface false positives, and a way to adjust detection accordingly where possible.

Bots Forging Fingerprints

Bots are becoming better at forging their fingerprints in attempts to fool fingerprint-based security. What happens when bots can forge fingerprints that appear completely human-like to Turnstile? Will suspected bots be shown a traditional CAPTCHA challenge? If so, we know bots can solve CAPTCHA challenges with CAPTCHA farms and machine learning.

Similar to monitoring human users who are blocked (false positives), any CAPTCHA or alternative needs to be able to handle false negatives—bots that can pass the challenges. Attempting to challenge fewer suspected bots, which Turnstile claims to do, shouldn’t come at the cost of letting more bots through undetected.

Single Point of Failure

Turnstile and other invisible CAPTCHAs are generally used as a single point of protection—and therefore, a single point of failure. The security of your entire system relies upon whether or not attackers can pass the challenge, be it a traditional CAPTCHA with user interaction, a proof of work, or a JS fingerprinting challenge.

If bots can pass the behavior-based analysis behind an invisible CAPTCHA, they’re likely to be able to pass any challenges set by Turnstile as well. As soon as attackers defeat the CAPTCHA alternative, your website, app, or API is open to all manner of attacks—credential stuffing, scraping, account takeover, etc.
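To make the single-point-of-failure argument above (and the false positive monitoring point from earlier) concrete, here is an added example that is not code from DataDome or Cloudflare: a gate that trusts only the challenge token next to one that treats the token as a single signal, adds an independent per-IP rate limit, and counts failed challenges per client so repeatedly blocked humans can be reviewed. The `stand_in_siteverify` function, the IPs and the token string are constructed stand-ins, not the vendor's real verification API.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample values: a documentation-range IP and a placeholder token.
BOT_IP, GOOD_TOKEN = "203.0.113.7", "valid-token"

@dataclass
class Request:
    ip: str
    token: Optional[str]
    ts: float  # seconds

def stand_in_siteverify(token: Optional[str]) -> bool:
    """Assumption: stands in for the server-side token check (in production a
    network call to the CAPTCHA vendor). A farmed or forged token that the
    vendor would accept is accepted here too, which is exactly the problem."""
    return token == GOOD_TOKEN

class ChallengeOnlyGate:
    """Single point of failure: whoever passes the challenge gets in."""
    def __init__(self, verify: Callable[[Optional[str]], bool]):
        self.verify = verify
    def allow(self, req: Request) -> bool:
        return self.verify(req.token)

class LayeredGate:
    """Challenge outcome is one signal; an independent sliding-window rate
    limit per IP still applies, and failed challenges are counted per client
    so a human who keeps getting blocked (false positive) shows up for review."""
    def __init__(self, verify, limit: int = 5, window: float = 60.0):
        self.verify, self.limit, self.window = verify, limit, window
        self.hits: dict = defaultdict(deque)
        self.failures: dict = defaultdict(int)
    def allow(self, req: Request) -> bool:
        q = self.hits[req.ip]
        while q and req.ts - q[0] > self.window:
            q.popleft()            # drop hits that fell out of the window
        q.append(req.ts)
        if len(q) > self.limit:    # volume alone blocks, valid token or not
            return False
        ok = self.verify(req.token)
        if not ok:
            self.failures[req.ip] += 1
        return ok
    def false_positive_candidates(self, threshold: int = 3) -> list:
        return sorted(ip for ip, n in self.failures.items() if n >= threshold)

def simulate() -> tuple:
    """20 requests in 20 s from one IP, all carrying an accepted token."""
    burst = [Request(BOT_IP, GOOD_TOKEN, float(t)) for t in range(20)]
    naive, layered = ChallengeOnlyGate(stand_in_siteverify), LayeredGate(stand_in_siteverify)
    return (sum(naive.allow(r) for r in burst), sum(layered.allow(r) for r in burst))
```

With a token-only gate all 20 requests get through; the layered gate admits only the first 5 in the window, and a client that fails the challenge three times is listed for false positive review.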

What solution works best?

CAPTCHA and CAPTCHA alternatives like Turnstile and PATs are a useful part of a comprehensive security solution, but not comprehensive in and of themselves. They should never be your only protection against malicious attackers and bots, and they shouldn’t exist in a vacuum.

Bot Protection With Integrated CAPTCHA

CAPTCHA (and alternatives to CAPTCHA) works best when paired with sophisticated, powerful bot protection. When integrated with comprehensive bot protection, CAPTCHA challenges are used only in rare cases to help verify humans. Of course, an effective challenge should not be easily bypassed by bots. 

DataDome’s industry-leading bot protection solution now includes an integrated CAPTCHA that is only triggered in extreme cases and roots out bots in only a few milliseconds. The minuscule false positive rate of 0.01% means that 1 in every 10,000 CAPTCHAs might be shown to a human, so most users will never see a challenge, while being protected against bots.

DataDome CAPTCHA Features

DataDome’s CAPTCHA was developed with a goal of solving many of the limitations of traditional CAPTCHAs. User privacy was a primary concern, so our CAPTCHA only gathers the absolutely necessary data, which is protected with the highest security standards and used solely to improve upon detection and prevent future false positives. Our CAPTCHA is compliant with local data privacy laws in North America, EMEA, APAC, South America, and Africa.

User experience is also critical. Traditional CAPTCHA challenges take a few seconds to load and 20+ seconds to solve. DataDome’s CAPTCHA loads in less than one second, and is solved in under three seconds. The CAPTCHA is also very well designed for the visually impaired with audio challenges in 13 languages (and counting).

When it comes to security, DataDome believes in accuracy without compromise. Our solution’s behavioral detection models process 5 trillion signals per day and identify new bot techniques in real time—rendering CAPTCHA farms and CAPTCHA solve bots useless.

After a highly successful early access program with our customers, DataDome’s CAPTCHA is already fully complete and available as part of our bot protection solution—no more beta testing required.

Conclusion

While it’s unarguably good that more security providers are prioritizing privacy, many issues still plague any single-point-of-failure solution intended to replace CAPTCHAs. Turnstile, while good for privacy, is in essence an invisible CAPTCHA, and using it as your only protection against bots will not be effective. Turnstile: 

  • Cannot adequately check for and report false positives.
  • Can be fooled by sophisticated bots that forge fingerprints.
  • Acts as a single point of failure in your online security.

The best way to protect yourself and your business from malicious bots, while minimizing the user frustration and privacy issues associated with CAPTCHAs and similar alternatives, is to invest in a powerful bot protection solution with an integrated CAPTCHA only for the rarest of cases.

DataDome’s bot management solution, powered by machine learning, processes hundreds of signals in each request to determine whether it comes from a bot or a human. Among the many signals considered, DataDome can leverage signals from the first fully secure, privacy-focused CAPTCHA. And because DataDome’s CAPTCHA is integrated with the detection engine, false positives are easy to see and apply to improve bot detection capabilities.

Don’t let a single point of failure (including a CAPTCHA or any CAPTCHA replacements) be the only form of bot protection for your website, mobile app, or API. Stop malicious bots in their tracks and let humans enjoy a frictionless experience with DataDome.
