In this article, we will take a look at Cloudflare Turnstile, a CAPTCHA service provided by Cloudflare, and explore potentially superior alternatives to it. We will discuss the features and limitations of Cloudflare’s CAPTCHA service from various perspectives, particularly with regard to universal browser support, accessibility, and privacy compliance.
Overview of Cloudflare CAPTCHA
Cloudflare Turnstile is a relatively new CAPTCHA solution on the market and hasn’t seen widespread adoption outside of existing Cloudflare customers. Cloudflare offers a wide variety of services and solutions for website owners, but most are only available to customers of Cloudflare DNS.
Cloudflare’s main product is Cloudflare DNS, which is a reverse proxy with inbuilt DDoS and bot protection. Cloudflare CAPTCHA has been part of this all-in-one solution by Cloudflare for a while but has recently been made available to everyone. While Cloudflare DNS is a powerful solution for many site owners, it requires all website traffic to be proxied through Cloudflare, which acts as a man-in-the-middle. All traffic is routed through one of Cloudflare’s data centers, decrypted there, and then forwarded to your web server.
Cloudflare advertises its CAPTCHA service Turnstile as “Cloudflare’s smart CAPTCHA alternative” and claims that Turnstile “stops abuse”. It aims to eliminate the manual user tasks used by traditional CAPTCHAs, which seems to be more marketing than anything else. Many of the popular CAPTCHA options such as hCaptcha and Google reCAPTCHA have already adopted similar so-called passive CAPTCHAs or invisible CAPTCHAs, which come with non-intrusive browser challenges and only present visual challenges to web visitors they deem suspicious. They all aim to be frustration-free CAPTCHAs and enable so-called CAPTCHA-free web experiences.
The Need for an Alternative – Is Turnstile Cloudflare’s Smart CAPTCHA Alternative?
Cloudflare offers a massive conglomerate of features for businesses looking for an all-in-one solution for their website. Cloudflare’s CAPTCHA service Turnstile is only a specific part of that, and right now there is no financial incentive for Cloudflare to focus on its development. While it’s a free service, it’s in Cloudflare’s interest to make you switch to using their full Cloudflare CDN feature suite. It is a common strategy by companies to make their customers dependent and effectively lock them into their feature suite with no easy way to switch to a different service.
Not everyone uses the latest devices, operating systems, and browsers. There are many people using older browsers, computers, or devices such as smartphones running older versions of Android or iOS.
In order for Cloudflare CAPTCHA to work properly, website visitors are required to use a current version of a major browser. Cloudflare CAPTCHA does not support older devices, older versions of major browsers, alternative browser vendors, or Internet Explorer. In short, Cloudflare CAPTCHA does not provide universal browser support. Site visitors using older browser versions or older devices, such as many Android smartphones, will effectively be locked out. This is a major problem that leads to the exclusion of Internet users who can’t afford or don’t want to use the latest devices.
While Cloudflare CAPTCHA does not use visual puzzles that have to be solved manually, it still requires the user to check a box to solve the CAPTCHA, depending on whether it deems the user suspicious. Because this can be a problem for web visitors who rely on screen readers or other accessibility tools, Cloudflare advertises that visually impaired web visitors can obtain a pre-clearance token from an external service. This token confirms visitors have passed the CAPTCHA without any interaction, but this still creates a barrier for valid users, and it’s unclear where these tokens can be obtained.
Cloudflare is a US company that operates data centers around the world. As a Cloudflare customer you typically have little control over which data center is serving your traffic. The same goes for Cloudflare CAPTCHA. While Cloudflare typically chooses the datacenter closest to the user, this is not guaranteed, and stored data is typically replicated across all locations. This makes it difficult to confidently define where data is stored by Cloudflare CAPTCHA, which can be a problem for site owners looking to comply with privacy standards such as GDPR, CCPA, and HIPAA.
Additionally, Cloudflare CAPTCHA doesn’t offer a separate privacy policy or terms of service. When using Cloudflare CAPTCHA, you have to read and understand the terms and privacy policy for the whole Cloudflare feature suite. This privacy policy covers many topics, including large amounts of personal data collected, and never explicitly mentions the use of Cloudflare CAPTCHA. Therefore, it is confusing and hard to tell what data is collected, how it’s processed, and where it’s stored. The privacy policy link on the CAPTCHA itself, which web visitors will see on your site, also leads to that privacy policy, which may unsettle your visitors. This can lead to data privacy concerns on the part of your web visitors and a loss of reputation.
Again, this shows that Cloudflare CAPTCHA is not a core product or focus for Cloudflare. It’s more likely a mechanism for them to get more websites onto Cloudflare DNS, further centralizing the web. In 2022, 19% of all websites were using Cloudflare, which creates a single point of failure for a huge part of the internet. If Cloudflare goes down, all of those Cloudflare customer websites will go down too. In the case of a separate CAPTCHA service, the website itself will continue to run even if this CAPTCHA service goes down. Outages happen from time to time, like on October 30, 2023, when a Cloudflare outage caused many popular sites that millions of people depend on, like npm.com, discord.com, shopify.com, or gitlab.com, to go down.
The Search for Cloudflare CAPTCHA Alternatives
What Are We Looking for in Cloudflare Turnstile Alternatives?
When looking for a superior CAPTCHA alternative to Cloudflare Turnstile to protect your forms from unwanted form submissions, there are a few factors that are important to consider. These include user experience, accessibility, privacy, availability, and overall security.
From a user experience and accessibility standpoint, we are looking for Cloudflare CAPTCHA alternatives that interfere with the user experience as little as possible, such as CAPTCHA-free web experiences. We don’t want visitors to have to solve visual puzzles by hand, and at best, not have to interact with the CAPTCHA at all. While Cloudflare Turnstile does not use visual challenges, it still requires the user to manually interact with the CAPTCHA in fallback cases. This leads to potential accessibility issues. CAPTCHAs that work completely in the background, do not slow down the user, and need no interaction would be optimal. This would provide the best user experience and make CAPTCHAs accessible to all visitors, including the elderly and those with health conditions and disabilities.
An important requirement for a CAPTCHA is universal browser support, which will ensure that it works on all browsers and devices. There are still people who use older browsers like Internet Explorer or older computers and smartphones like many Android devices or iPhones. It’s important to ensure that these users will be able to pass the CAPTCHA and not be locked out of your online services.
The privacy and data protection mechanisms are also important. We don’t want a third party collecting end-user information without transparency into how that data collection is handled and where it is stored. While Cloudflare Turnstile advertises itself as a privacy-preserving alternative to traditional CAPTCHA providers like Google reCAPTCHA or hCaptcha, it is not clear what this means in practice. Searching through a long privacy policy to find the sections relevant to the use of the CAPTCHA is a bad experience for website administrators and unacceptable for valid users.
The main job of a CAPTCHA is, obviously, to protect websites from unwanted requests, malicious traffic, bots, and spam. When choosing a CAPTCHA service, security is an important factor. We want CAPTCHAs to protect web forms like login pages, contact forms, registration forms, and checkout processes and prevent automated bot attacks.
Overall, we want CAPTCHA capabilities to be a central part of the CAPTCHA provider’s business. We don’t want it to be a second-class citizen in a big pile of features that they aren’t interested in. There should be a real incentive for the company behind the CAPTCHAs to constantly maintain and improve it.
Introducing Friendly Captcha: A Cloudflare CAPTCHA Alternative
What is Friendly Captcha?
Friendly Captcha is an EU-based CAPTCHA service with a focus on universal browser support, accessibility and privacy. It relies on a sophisticated proof-of-work-based algorithm to generate invisible, cryptographic puzzles that the user’s device solves in the background to prove that it is not a malicious attacker, bot, or spambot. These cryptographic puzzles are used in combination with advanced risk signals and difficulty scaling to provide bot protection and spam protection for web interactions and forms such as logins, checkout processes, or contact forms.
Instead of visitors having to manually solve CAPTCHA challenges like clicking on cars or traffic lights, Friendly Captcha works completely in the background and is invisible. The impact on the UX is minimal, and human visitors should rarely have to wait more than a few seconds. Usually, the invisible CAPTCHA is solved before the visitor has even filled out the form.
This way, Friendly Captcha is accessible to all web visitors and doesn’t degrade the user experience, while still protecting you from unwanted spam entries and bots. For example, without protection, bots can take over accounts through credential stuffing attacks by testing stolen usernames and passwords.
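How a proof-of-work puzzle with difficulty scaling can work in principle, as an added example that is not part of the original article and is not Friendly Captcha's code. It is a generic hashcash-style scheme built on SHA-256 and an HMAC-signed puzzle; the key handling, the validity window and the risk-to-difficulty mapping are assumptions chosen for illustration.

```javascript
// Added illustration: generic hashcash-style puzzle, NOT Friendly Captcha's actual scheme.
const { createHash, createHmac, randomBytes, timingSafeEqual } = require('node:crypto');

const SERVER_KEY = randomBytes(32);      // HMAC key, known only to the server
const PUZZLE_TTL_MS = 5 * 60 * 1000;     // assumed validity window
const usedNonces = new Set();            // replay cache; entries can be dropped once expired

// Hypothetical risk-to-difficulty mapping: each extra bit doubles the expected work.
function difficultyFor(riskScore) {      // riskScore in [0, 1], from the server's risk signals
  const MIN_BITS = 8, MAX_BITS = 20;
  const clamped = Math.min(1, Math.max(0, riskScore));
  return MIN_BITS + Math.round(clamped * (MAX_BITS - MIN_BITS));
}

function sign(payload) {
  return createHmac('sha256', SERVER_KEY).update(payload).digest('hex');
}

// Server: issue "nonce.bits.expires.mac". The MAC stops the client from lowering the
// difficulty or extending the expiry, and lets the server verify without storing puzzles.
function issuePuzzle(riskScore, now = Date.now()) {
  const nonce = randomBytes(16).toString('hex');
  const payload = `${nonce}.${difficultyFor(riskScore)}.${now + PUZZLE_TTL_MS}`;
  return `${payload}.${sign(payload)}`;
}

function leadingZeroBits(buf) {
  let bits = 0;
  for (const byte of buf) {
    if (byte === 0) { bits += 8; continue; }
    return bits + Math.clz32(byte) - 24; // clz32 counts over 32 bits; a byte uses the low 8
  }
  return bits;
}

function puzzleHash(puzzle, counter) {
  return createHash('sha256').update(`${puzzle}:${counter}`).digest();
}

// Client: brute-force a counter whose hash has enough leading zero bits.
// In a browser this loop would run in a background worker while the form is filled in.
function solve(puzzle) {
  const bits = Number(puzzle.split('.')[1]);
  for (let counter = 0; ; counter++) {
    if (leadingZeroBits(puzzleHash(puzzle, counter)) >= bits) return counter;
  }
}

// Server: one hash to check, however long the client had to search.
function verify(puzzle, counter, now = Date.now()) {
  const text = String(puzzle);
  const parts = text.split('.');
  if (parts.length !== 4) return 'malformed';
  const [nonce, bits, expires, mac] = parts;
  const expected = Buffer.from(sign(`${nonce}.${bits}.${expires}`), 'hex');
  const given = Buffer.from(mac, 'hex');
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return 'bad_signature';
  if (now > Number(expires)) return 'expired';
  if (!Number.isSafeInteger(counter) || counter < 0) return 'malformed';
  if (leadingZeroBits(puzzleHash(text, counter)) < Number(bits)) return 'wrong_solution';
  if (usedNonces.has(nonce)) return 'replayed';
  usedNonces.add(nonce);
  return 'ok';
}
```

The asymmetry is the point: the server spends one hash per verification while a client that wants to submit many forms pays the search cost every time, and raising the bit count for suspicious traffic raises that cost without changing anything for the server.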
How Friendly Captcha Compares to Cloudflare Turnstile
Let’s check if Cloudflare Turnstile is really Cloudflare’s “smart CAPTCHA alternative”. From a security standpoint, Friendly Captcha and Cloudflare Turnstile are similar. Cloudflare’s CAPTCHA uses risk signals to check for potential bots. Friendly Captcha uses cryptographic puzzles that the end user’s device must solve in the background and additional risk signals to scale these non-intrusive browser challenges.
Friendly Captcha and Cloudflare CAPTCHA can both protect your web forms from unwanted requests and malicious traffic. Both providers adapt the actual challenge outcome to the individual browser by using different technical approaches.
In terms of user experience and accessibility, there are differences between Friendly Captcha and Cloudflare CAPTCHA. While neither will require the user to manually solve a visual puzzle, Cloudflare Turnstile may still ask the user to manually interact with the CAPTCHA. Cloudflare says most visitors will have a passive experience, but it’s not clearly defined how often manual interaction with Cloudflare Turnstile is required.
Not everyone uses the latest devices, operating systems, and browsers. Many people use older browsers, computers, or devices such as smartphones running older versions of Android or iOS. Cloudflare CAPTCHA does not support older devices, older versions of major browsers, alternative browser vendors, or Internet Explorer. Site visitors using older browser versions or older devices, such as many Android smartphones, will be effectively blocked from using your services.
Friendly Captcha offers universal browser support and aims to support every browser and device released after Internet Explorer 11. This ensures that your website visitors don’t get locked out.
Cloudflare Turnstile scans visitors and automatically selects from a rotating set of CAPTCHA challenges based on telemetry and user behavior. When site owners use pre-clearance mode to integrate Cloudflare’s CAPTCHA with the Cloudflare WAF, a cf_clearance cookie is used, which makes a fetch request to a special endpoint of the domain.
Friendly Captcha, on the other hand, can work without any user interaction or cookies. This makes it fully accessible to all visitors, including the elderly and people with impairments. Friendly Captcha is GDPR compliant out of the box. It doesn’t set any HTTP cookies and doesn’t store any local data in the browser’s persistent storage. Therefore, it doesn’t need user consent.
The main differentiator between Friendly Captcha and Cloudflare CAPTCHA is privacy. While Cloudflare advertises Cloudflare Turnstile as a privacy-preserving alternative to traditional CAPTCHA providers, it is unclear what this means in practical terms. There is no privacy policy specific to Cloudflare’s CAPTCHA, but site visitors must read and make sense of the rather long privacy policy used for all Cloudflare products. This makes it difficult to understand what specific data Cloudflare’s CAPTCHA collects, how it’s processed, and where it’s stored. Friendly Captcha, on the other hand, focuses on privacy and is completely transparent about its privacy practices.
For websites looking to comply with privacy standards like GDPR, CCPA, and HIPAA, the fact that Cloudflare Turnstile uses data centers around the world and stored data is typically replicated across multiple locations and countries can be a problem. While requests are typically handled by data centers close to the user’s location, there is no guarantee which data centers will handle which requests and where personal information may be transferred and backed up. This can result in end-user data being transferred to hosting providers based in countries that are considered high risk under GDPR, such as the United States.
Friendly Captcha is completely focused on providing the best CAPTCHA solution. Cloudflare, on the other hand, has many different products and Cloudflare Turnstile is not a primary focus for them.
Advantages of Friendly Captcha over Cloudflare CAPTCHA
GDPR Compliance: The Benefit of an EU Provider
Compared to Cloudflare CAPTCHA, Friendly Captcha is fully GDPR compliant and doesn’t require additional user consent to be used. It’s transparent about what data it collects and where it’s stored, and it offers a detailed data processing agreement specific to its CAPTCHA service and a dedicated EU endpoint for European users. It doesn’t use HTTP cookies and doesn’t store any local data in the browser’s persistent storage.
Friendly Captcha is an EU CAPTCHA provider, built and hosted in the EU, and does not rely on any third parties outside of the EU to process end-user data. For international companies targeting EU users, as well as European companies, this means that end-user data never leaves the European Union, while your website and forms are protected from bots and spam. Compared to US-based Cloudflare, Friendly Captcha ensures that data from EU web visitors will never be processed outside the EU. No international data transfer is a huge advantage for companies looking to comply with data protection standards, such as GDPR.
Superior Usability: Making CAPTCHA Friendlier
In terms of usability and good user experience, Friendly Captcha is superior. It has little to no impact on the user experience and will never lock anyone out. While Cloudflare Turnstile doesn’t provide universal browser support and requires the user to manually interact with Cloudflare’s CAPTCHA in some cases, Friendly Captcha works in the background. Friendly Captcha automatically scales the difficulty of the cryptographic puzzles that the end user’s device must solve in the background. Most web visitors will not notice any slowdown or difference in the user experience, as the puzzle has often been solved before the user is even ready to submit the form or web interaction protected by Friendly Captcha.
This makes Friendly Captcha the more user-friendly alternative to Cloudflare CAPTCHA.
Full Accessibility: A Truly Inclusive Cloudflare CAPTCHA Alternative
While some challenges served by Cloudflare Turnstile still require manual interaction with its CAPTCHA service, Friendly Captcha works entirely in the background and is therefore accessible to everyone. It will never ask the user to check a checkbox, or worse, read distorted text. The challenges used by Friendly Captcha are solved by the user’s web browser in the background. It simply works for everyone.
As a Cloudflare CAPTCHA customer, you accept that people with disabilities or the elderly will be excluded from important website forms such as creating an account, logging in, or registering. As legitimate visitors, they are denied access to certain services because they may not be able to perform the manual tasks that are required in certain situations. The result is a poor user experience.
Privacy: GDPR Compliance of Cloudflare CAPTCHA
The Challenges with Cloudflare CAPTCHA and GDPR
GDPR compliance is important for websites targeting users within the EU, in order to protect their users’ right to privacy. Without GDPR compliance, companies operating in the European Union risk significant fines.
While Cloudflare CAPTCHA promises to be GDPR compliant, Cloudflare does not provide a privacy policy and data processing agreement dedicated to Turnstile that disclose what specific information this product collects and the extent to which the data collected is also used for other Cloudflare products. Its policies also do not limit locations and subprocessors to the EU, leading to GDPR risks of data transfers to third countries.
Additionally, in order to use Cloudflare CAPTCHA, website owners must embed a script that is dynamically loaded from Cloudflare’s servers. This means that the browser of every user visiting the website will request the Cloudflare servers, download the script, and execute it on their local computer.
This is a risk because this request is already sending personal information about the user to Cloudflare’s distributed servers in different countries, and it also creates an unnecessary attack surface. Attackers can potentially modify this script and inject arbitrary code into the browser while users are visiting the site to steal their information.
For EU end users, the fact that Cloudflare is a US company using data centers located outside the EU makes it more difficult for websites to be GDPR compliant. The globally distributed network of Cloudflare leads to uncertainty about what personal data is actually located in which locations and with which subcontractors in which countries.
Similar issues are faced by website owners using Google’s reCAPTCHA service. Making reCAPTCHA work involves transferring personal data to Google servers outside the European Economic Union, in the United States.
There have already been several rulings in this regard, such as the NS Card France case or the Cityscoot case. The French privacy commission ruled that their use of Google reCAPTCHA did not meet GDPR transparency requirements and that they failed to obtain prior user consent for the US-based CAPTCHA service. Both companies were fined over €100,000.
While Cloudflare CAPTCHA, unlike Google reCAPTCHA, only uses cookies based on the configured mode, such as pre-clearance mode, it is served from a subdomain of cloudflare.com, which can be a risk. Cloudflare could potentially track visitors across all websites that communicate with Cloudflare.
How Friendly Captcha Ensures GDPR Compliance
Privacy is one of the core strengths of Friendly Captcha, and it is GDPR compliant right out of the box. It doesn’t set any HTTP cookies and doesn’t store any local data in the browser’s persistent storage. Therefore, it doesn’t require user consent.
Friendly Captcha is a German company, and it only relies on data centers located in the EU. The same goes for all services that it depends on to process end-user data. This means that for EU websites embedding Friendly Captcha, no sensitive information is ever transferred to countries that European regulations consider risky, such as the US.
Friendly Captcha discloses what information is collected, how it is processed, and what third parties are involved. There are no secrets or hidden surprises when integrating it into your website. To comply with GDPR, all you need to do is add Friendly Captcha to your privacy policy.
Usability: A Key Factor in Choosing a Cloudflare CAPTCHA Alternative
Usability Challenges with Cloudflare CAPTCHA
While Cloudflare CAPTCHA claims to work completely in the background, it still requires manual user interaction with the CAPTCHA in some cases. Based on telemetry and client behavior during a session, it selects from a rotating set of browser challenges. Based on the challenge that is presented, users must take the additional step of manually performing a task required by the CAPTCHA.
Not every person is using the latest devices, operating systems and browsers. There are lots of people using older browsers, computers or devices like smartphones with older versions of Android or iOS.
For Cloudflare CAPTCHA to operate correctly, website visitors are required to use an up-to-date version of a major browser. Cloudflare’s sole solution if a website visitor encounters issues using a major browser is to upgrade their browser. Cloudflare CAPTCHA doesn’t support older devices, older versions of major browsers, other browser vendors, or Internet Explorer. Therefore, Cloudflare CAPTCHA doesn’t offer universal browser support. Website visitors using older browser versions or older devices, such as many Android smartphones, are effectively locked out. This is a major issue that excludes Internet users who cannot afford to or don’t want to use the latest devices.
Overall, this results in a sub-optimal user experience. To avoid interrupting the user, the CAPTCHA should work for all users and without any user interaction.
The User-friendly Approach of Friendly Captcha
The Cloudflare CAPTCHA alternative Friendly Captcha is configured to require no user interaction at all. Verification starts automatically when the user fills out a protected form, and in most cases is complete by the time the user is ready to submit. The cryptographic puzzles used by Friendly Captcha work completely in the background and most visitors will not even notice that a CAPTCHA is present. Friendly Captcha can dynamically increase the difficulty of its hidden cryptographic puzzles to fight more advanced bots.
This way, Friendly Captcha does not negatively affect the user experience. In most cases, the user will not even notice it and will be able to submit the protected form right away after filling it out.
Friendly Captcha offers universal browser support, including older browsers, operating systems and devices. There are still people using older browsers like Internet Explorer or older devices like many Android devices or iPhones. Friendly Captcha aims to support every browser and device released after Internet Explorer 11, resulting in optimal support for a wide range of browsers and devices. This ensures that users don’t get locked out of your services.
Accessibility: Making CAPTCHA Available for All
Accessibility Issues with Cloudflare CAPTCHA
Cloudflare CAPTCHA does not use image tagging or text-based challenges for the user to manually solve, but it still requires the user to manually interact with the CAPTCHA in some cases. This makes it more accessible than traditional CAPTCHA options, but it’s still not perfect. People with visual or motor impairments may have difficulty with manual tasks, and it also detracts slightly from the user experience.
While Cloudflare CAPTCHA promises that web visitors with visual or motor impairments can obtain a pre-clearance token from an external service to bypass the CAPTCHA, it is not clear how this works and which external services are meant.
How Friendly Captcha Ensures Full Accessibility
Friendly Captcha works on making the web open and accessible to everyone. It has all the requirements for full accessibility built-in and is a WCAG compliant CAPTCHA alternative.
Unlike Cloudflare CAPTCHA, it never uses challenges that require manual solving by the user or any interaction at all. With Friendly Captcha, the puzzles are solved in the background and are not visible to users. As a result, valid users have a seamless experience while unwanted spam and bots are defeated. By using Friendly Captcha you contribute to an open and accessible web.
How to Transition from Cloudflare CAPTCHA to Friendly Captcha
Step-By-Step Guide For Transitioning
Friendly Captcha can be a drop-in replacement for Cloudflare Turnstile and traditional CAPTCHA options. With its simple API, it will only take a few minutes to make the transition for most websites and applications.
Create an Account at Friendly Captcha
To use Friendly Captcha on your website you first need to create an account at https://friendlycaptcha.com/signup. While signing up you can choose between different plans, each of them offering a free 30-day trial period.
Create an Application and API key
After creating your free account, you can log into your Friendly Captcha dashboard at https://friendlycaptcha.com and create an application and an API key.
An application is used to configure how the CAPTCHA will work on your website. After you generate the application, copy the sitekey and keep it in a safe place; we will need it later.
The API key is used in your backend to talk to the Friendly Captcha API and verify the CAPTCHA options. After creating the API key, copy it and keep it in a safe place; we will need it later as well.
Swap Out the Client Code
To make use of Friendly Captcha on your site, you first need to replace the JavaScript library provided by Cloudflare Turnstile with the Friendly Captcha one.
You can now swap out the widget code from Cloudflare Turnstile with the new one from Friendly Captcha. Make sure to replace <your sitekey> with the sitekey that you got after creating the application. If you have used Cloudflare’s CAPTCHA service Turnstile on multiple pages, make sure to update all of them.
Change the Backend Verification
To verify the CAPTCHA service, you need some code in your backend that calls the Friendly Captcha API. It is very similar to the way Cloudflare Turnstile works, but it has to be updated as well. What exactly changes depends heavily on the programming language and framework you use on the backend; please take a look at our documentation to see what you have to change.
For a more detailed guide on how to integrate Friendly Captcha, check out our documentation. If you are using a CMS like WordPress, check out our list of supported integrations, including guides for the installation.
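A sketch of the backend change for a Node.js server, added here as an example; it is not code from the Friendly Captcha documentation or from Cloudflare. The endpoint URLs, form field names and request parameters are assumptions based on the providers' public documentation (Friendly Captcha v1 API) and should be checked against the documentation for your account; the failOpen option is a hypothetical policy switch.

```javascript
// Added illustration of the verification swap; not the providers' own code.
// URLs, form fields and parameter names are assumptions from public docs (Friendly Captcha v1).
const PROVIDERS = {
  turnstile: {                                   // what the backend called before
    url: 'https://challenges.cloudflare.com/turnstile/v0/siteverify',
    formField: 'cf-turnstile-response',
    params: (token, c) => ({ secret: c.secret, response: token }),
    errors: (json) => json['error-codes'] || [],
  },
  friendlycaptcha: {                             // what it calls after the switch
    url: 'https://api.friendlycaptcha.com/api/v1/siteverify',
    formField: 'frc-captcha-solution',
    params: (token, c) => ({ solution: token, secret: c.apiKey, sitekey: c.sitekey }),
    errors: (json) => json.errors || [],
  },
};

// Build the server-to-server request from the submitted form; null if no token was sent.
function buildVerifyRequest(providerName, form, creds) {
  const p = PROVIDERS[providerName];
  if (!p) throw new Error(`unknown provider: ${providerName}`);
  const token = form[p.formField];
  if (typeof token !== 'string' || token.length === 0) return null;
  const params = Object.entries(p.params(token, creds)).filter(([, v]) => v !== undefined);
  return { url: p.url, body: new URLSearchParams(params).toString() };
}

// Turn the verifier's answer into an explicit decision. A non-200 status or unparseable
// body means the check did not happen (outage, bad API key): never treat that as success
// silently; apply the chosen policy and raise an alert.
function interpretVerifyResponse(providerName, status, json, { failOpen = false } = {}) {
  const p = PROVIDERS[providerName];
  if (status !== 200 || json === null || typeof json !== 'object') {
    return { accept: failOpen, reason: `verifier_unavailable_${status}`, alert: true };
  }
  if (json.success === true) return { accept: true, reason: 'verified', alert: false };
  return { accept: false, reason: p.errors(json).join(',') || 'rejected', alert: false };
}

// Glue for a request handler (needs Node 18+ for the global fetch).
async function verifyCaptcha(providerName, form, creds, opts = {}) {
  const req = buildVerifyRequest(providerName, form, creds);
  if (!req) return { accept: false, reason: 'missing_token', alert: false };
  try {
    const res = await fetch(req.url, {
      method: 'POST',
      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
      body: req.body,
      signal: AbortSignal.timeout(opts.timeoutMs || 5000),
    });
    const json = await res.json().catch(() => null);
    return interpretVerifyResponse(providerName, res.status, json, opts);
  } catch (err) {
    return interpretVerifyResponse(providerName, 0, null, opts); // network error or timeout
  }
}
```

A form that still posts the old Turnstile field after the switch yields missing_token, which makes pages that were missed during the migration easy to spot in the logs.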
The Benefits of Making the Switch from Cloudflare Turnstile – Safeguard Your Contact Forms, Registration Forms and Login Pages
By following these steps and taking a few minutes to swap out Cloudflare Turnstile with Friendly Captcha, you can harness the benefits of choosing the friendliest CAPTCHA out there. Your users will see an improvement in usability and accessibility by not having to interact with the CAPTCHA anymore, and you will have an easier time complying with privacy standards like GDPR, CCPA, and HIPAA.
Conclusion
Summarizing the Advantages of Friendly Captcha Over Cloudflare CAPTCHA
Friendly Captcha is the friendlier Cloudflare CAPTCHA alternative. It achieves this by focusing on usability, accessibility, and privacy while not compromising on security.
Seamless user experience because users don’t have to solve manual puzzles by hand.
Universal browser support and no lock-out of Internet users with older browsers or devices.
Fully WCAG compliant and accessible to everyone by completely eliminating manual tasks for users.
Easy compliance with privacy laws like GDPR and CCPA.
For EU users, GDPR compliance is maintained as personal user data never leaves the EU.
No HTTP cookies, no persistent browser storage, and no fingerprinting.
Works out of the box without the need for user consent.
Final Thoughts on Why Friendly Captcha is a Superior Cloudflare CAPTCHA Alternative
Friendly Captcha is superior to Cloudflare CAPTCHA in terms of usability, accessibility, and privacy. The cryptographic puzzles used by Friendly Captcha are truly invisible, solved in the background by the end user’s device, and have no impact on the UX. Friendly Captcha offers universal browser support, ensuring that Internet users aren’t locked out of your services. In terms of data protection and GDPR compliance, Friendly Captcha is transparent about what data is collected and where it’s stored, and has no incentive to collect more data than necessary.
If you want to try Friendly Captcha as an alternative to Cloudflare CAPTCHA, you can check out the live demo or sign up for a test month to integrate Friendly Captcha into your websites.
FAQ
Cloudflare CAPTCHA claims to be GDPR compliant, but there are significant concerns about its compliance. Specifically, Cloudflare does not provide a dedicated privacy policy or data processing agreement for its CAPTCHA service Turnstile, leaving uncertainty about what data is collected and how it is used.
For websites targeting EU users, the fact that Cloudflare is a US-based company with multiple data centers outside the EU complicates GDPR compliance. Cloudflare CAPTCHA’s reliance on external scripts loaded from Cloudflare’s servers introduces risks related to data transfers to non-EU countries and potential security vulnerabilities. Similar issues have led to significant fines for companies using comparable services to Cloudflare CAPTCHA, such as Google reCAPTCHA, that involve data transfers to the US without adequate transparency and user consent.
In summary, the lack of specific privacy disclosures for Cloudflare CAPTCHA and the global distribution of Cloudflare’s servers pose GDPR compliance risks.