
Show HN: Replace CAPTCHAs with WebAuthn passkeys for bot prevention

68 points, by uday_singlr, 12/08/2024, 40 comments

I built Nocaptcha after getting frustrated with traditional CAPTCHAs both as a user and developer. WebAuthn passkeys offered a promising alternative that's both more secure and user-friendly.

What makes Nocaptcha different:

- Uses WebAuthn standard instead of puzzle-solving
- No need for users to remember passwords or solve puzzles
- Open source

Current limitation: Working with W3C WebAuthn Community Group on true passkey disposal for this use case.

Looking for feedback particularly on:

1. Integration experience
2. User experience compared to traditional CAPTCHAs


Comments

jsnell, 12/08/2024

This is neither a new idea nor a good one. Cloudflare did a PR launch of pretty much the same thing a few years back, and that you haven't actually seen it in the wild probably tells you all you need to know about how useful it is.

Webauthn is not an integrity attestation; it doesn't tell you anything about how trustworthy the client is. Nor is it a uniqueness attestation; an attacker can mint an arbitrary number of different identities at basically no cost. It's a primitive for building account security systems, not one for building abuse prevention ones.

Some relevant HN threads:

https://news.ycombinator.com/item?id=27141593

https://news.ycombinator.com/item?id=27153254

https://news.ycombinator.com/item?id=27500326

itake, 12/08/2024

I'm confused how this works. I tried the demo and Bitwarden asked me if I wanted to save the passkey. From a UX perspective, this felt weird. Why do I need to create an account, and save that account? Why does passkey storage prevent bots? Just that bots haven't added that automation yet?

Aachen, 12/08/2024

What part of webauthn can a computer not do?

I understand if you say bots are currently not programmed to, but is that why this will temporarily work or is there something more fundamental?

iou, 12/09/2024

As other commenters have said, a better solution needs to be something that is prohibitively difficult for bots to mint.

I’m sure there are a few contenders in the space but one I’m aware of is [worldcoin](https://world.org/)

Pxtl, 12/09/2024

Honestly I just want government backed digital ID for this stuff.

I know the concerns.

I no longer care. The benefits outweigh the costs, imho. I want to be able to tell a site "yes I'm Martin, here's proof, either ban me or let me in but stop making me jump through hoops to prove ID."

And so that social sites I use will no longer have to deal with undesired non-unique accounts for bot swarms and sockpuppets and the like.

The political usefulness of swarms of bots and sockpuppets is why I have conspiracy theories about the conspiracy theories about digital ID.

politelemon, 12/08/2024

It does nothing on Linux.

Oras, 12/08/2024

It worked fine on Mac, curious how does it work on Windows?

lofaszvanitt, 12/09/2024

No need for passkeys, just a back and forth between your physical secure key and the browser.

throwawayian, 12/09/2024

I don’t think you understand the problem space. Although, this is a great alternative for SMBs who aren’t being targeted by attackers who are writing tools specifically for their business.

But, also... A hardcoded “what’s 7\1=” would also achieve the same outcome.

Barrier to beat is “can the attacker put together a webauthn emulator”. Low, but will work for many organisations for a long time.