Cloudflare Docs
Cloudflare Fundamentals
Edit this page on GitHub
Set theme to dark (⇧+D)

Cryptographic Attestation of Personhood

Cloudflare developed an alternative to CAPTCHA authentication, the Cryptographic Attestation of Personhood (CAP).

CAP lets you prove that you are a legitimate website visitor by touching a hardware key, instead of solving a CAPTCHA puzzle.

This article provides answers to common questions about usability and privacy concerns.

You can also test CAP by going to the demo site.

​​ Privacy questions

The answer to most privacy concerns are summarized in this table:

PropertyCloudflare couldCloudflare does
Collect biometrics (fingerprints or face pictures)NoN/A
Collect information about your hardware authenticatorYes, limited to the number of keys in your batchYes, when available

No, Cloudflare cannot collect biometrics. Our CAP process uses the WebAuthn API, which prevents the collection of biometrics by default. When your device asks for a biometric authentication — such as via a fingerprint sensor — it all happens locally. 

As such, we never see your biometric data: that remains on your device. Once your device confirms a match, it sends only a basic attestation message. In effect, your device sends a message proving “yes, someone correctly entered a fingerprint on this trustworthy device” and never sends the fingerprint itself.

Yes, Cloudflare does collect a limited amount of data about your key. We store the manufacturer of your key and batch identifier ( minimum of 100,000 keys per batch) for verification purposes. From our perspective, your key looks like all other keys in the batch.

Some self-signed keys and keys from certain manufacturers have been found to not meet this requirement and should be avoided if you are minimizing your online privacy risk.


For more details on how we set up Cryptographic Attestation of Personhood, refer to the introductory blog post.


​​ What devices are and are not allowed?

​​ Allowed devices

CAP supports a wide variety of hardware authenticators:

  • Roaming (cross-platform) authenticators:
  • Platform authenticators:
    • Examples: Apple Touch ID and Face ID on iOS mobile devices and macOS laptops; Android mobile devices with fingerprint readers; Windows Hello

​​ Known limitations

Most combinations of of web browsers and WebAuthn-capable authenticators will work, but there are some known compatibility issues with WebAuthn attestation that may prevent CAP from working successfully:

We are updating this list as the ecosystem evolves and as we continue to test different combinations.

​​ Can hackers bypass the Cryptographic Attestation of Personhood?

CAP is one of many techniques to identify and block bots. To date, we have seen some attempts to test CAP’s security system, such as one thoughtfully-executed, well-documented test. The blog post discussing the test specifically calls out that this method does not break the Cloudflare threat model.

This does not mean that CAP is broken, but rather shows that it raises the cost of an attack over the current CAPTCHA model.

​​ What happens if I lose my key?

If you do not have the necessary hardware (such as a Yubikey), you can still solve a regular CAPTCHA challenge (e.g., selecting pictures).

​​ What are the common error codes and what do they mean?

  • Unsupported_att_fmt:
    • Cause: Your authenticator is using an unsupported attestation format (combination of browser and key). Also occurs when you use Firefox and select the option to “anonymise your key”.
    • Solution: If this error occurs during zero-knowledge version of CAP, you will automatically be redirected to the basic CAP flow. If basic CAP fails, try a different combination of supported hardware device and browser or opt for a CAPTCHA.
  • Unsupported_issuer:
    • Cause: Your key is currently not supported.
    • Solution: Use a supported key.