How does CloudFlare determine if you are human?

There is a website I log into regularly that uses CloudFlare to determine if you are a human or not. Up until about a month ago, on both the login page and the password page the little CloudFlare widget would spin a bit and then show a green checkmark on the Verify you are human checkbox. It was rare that I ever had to actually check the checkbox manually. But in the last month or so it’s been exactly the opposite - it always makes me check the checkbox on both pages. So I’m curious how this is supposed to work and why I didn’t used to have to check the checkbox but now I do.

One thing that may be a factor is that I recently got a new work laptop. But if that has something to do with it, I’d expect the website to maybe give me a “remember me on this device” option so I don’t have to check the checkboxes every time I log in.

(This website also makes me enter a 2FA code after I enter my userid and password, which seems like overkill, but that’s outside the scope of the OP.)

In theory, though I am not privy to CloudFlare’s algorithms, the website tracks mouse movements.

Humans are a little erratic about steering the mouse to the checkbox, and take a little time to do so. Part of the test is a timer. Too fast? You fail.

A bot is capable of doing the same in milliseconds, although it might have been programmed to be a bit slower and more convincingly erratic.

I am not involved much in front-end internet security (I am a back-end nerd) so I don’t tend to deal with these very much.

I don’t know about this specific website, but some security systems also look at your browser history to see whether the mix of sites you’ve been looking at is consistent with normal human usage of a web browser. (Of course you could be human but just use your browser in an unusual way - e.g. looking for pictures of raccoons wearing hats - in which case you might have to do the CAPTCHA.)

I just did that. Naturally, all the photos are A.I.

I want a real raccoon wearing a hat.

This has been an ongoing arms race for decades, so Cloudflare can’t share the exact implementation details (or bots would just start to use them).

However, this is what they publicly disclose:

Cloudflare challenges:

Challenges are security mechanisms used by Cloudflare to verify whether a visitor to your site is a real human and not a bot or automated script.

When a Challenge is issued, Cloudflare asks the browser to perform a series of checks that help confirm the visitor’s legitimacy. This process involves evaluating client-side signals (data gathered from the visitor’s browser environment) or asking a visitor to take minimal action such as checking a box or selecting a button.

Challenges are designed to protect your application without introducing unnecessary friction. Most visitors will pass Challenges automatically without interaction.

Cloudflare does not use CAPTCHA puzzles or visual tests like selecting objects or typing distorted characters. All challenge types are lightweight, privacy-preserving, and optimized for real-world traffic.

And on a related blog post (Turnstile uses Cloudflare Challenges):

With all of our emphasis on how easy it is to pass a Turnstile challenge, you would be right to ask how it can stop a bot. If a bot can find all images with crosswalks in grainy photos faster than we can, surely it can check a box as well. Bots definitely can check a box, and they can even mimic the erratic path of human mouse movement while doing so. For Turnstile, the actual act of checking a box isn’t important, it’s the background data we’re analyzing while the box is checked that matters. We find and stop bots by running a series of in-browser tests, checking browser characteristics, native browser APIs, and asking the browser to pass lightweight tests (ex: proof-of-work tests, proof-of-space tests) to prove that it’s an actual browser. The current deployment of Turnstile checks billions of visitors every day, and we are able to identify browser abnormalities that bots exhibit while attempting to pass those tests.

For over one year, we used our Managed Challenge to rotate between CAPTCHAs and our own Turnstile challenge to compare our effectiveness. We found that even without asking users for any interactivity at all, Turnstile was just as effective as a CAPTCHA. Once we were sure that the results were effective at coping with the response from bot makers, we replaced the CAPTCHA challenge with our own checkbox solution. We present this extra test when we see potentially suspicious signals, and it helps us provide an even greater layer of security.

It ain’t much, but it boils down to “secret heuristics we use to try to guess whether you’re a real boy”.

Practically, from my experience (as a web developer and normal user), you are more likely to encounter these if:

  • You use a lesser-known browser (really, anything other than Chrome)
  • In any sort of anti-tracking mode
  • If you’re behind any sort of VPN other than Cloudflare’s own (WARP)
  • If you’re from a part of the world, or share a network with, devices and users that have been known to be part of past bot behavior

There is a Cloudflare browser extension you can use to help attest to your humanness: Cloudflare Privacy Pass

This may help you get fewer challenges. But note the date on that: 2020, right before the dawn of AI.

These days, bot traffic is so much worse now (because of LLMs and fully automated fake browsers and real-device farms) that Cloudflare has to work overtime to try to detect and stop them. Us puny humans are just collateral damage in the great bot vs bot wars :frowning:

I guess I’m not trying to figure out CloudFlare’s methods as much as I’m trying to figure out why it used to consistently auto-check me as I was logging in and now it doesn’t.

As a sanity check, I tried it from my personal laptop instead of my work laptop, and it auto-checked me on the login page as I was typing my user name, in both Chrome and Edge. And since this is a site I use for work, I’m fairly certain I have never logged into it before on my personal laptop. So it must be something about the new work laptop.

It could’ve just fingerprinted your old laptop/browser and secretly stored it as a “likely human”. The work laptop is relatively unknown to it, for now. Or maybe it has some security/anti-tracking/VPN stuff on it that makes it look more suspicious?

There’s no way to know for sure. The challenges are basically a grumpy, occasionally drunken border agent who might just not like the way you looked at the page.

Give Privacy Pass a try if you’re really bothered. It may or may not help.

As @Reply says, you won’t get a definitive answer for the same reason the mods here won’t share exactly how they identify socks. But his guesses are all well-informed and good.

I’d add to it: once it has determined you are a human, Cloudflare will set a cookie in your browser so it can bypass the security check for some length of time. If your work laptop is refusing cookies from the domain in question, you’ll be stuck with verification every time.

And specifically why you have to check a box now: like Reply says, something about your laptop is more suspicious, so Cloudflare goes to “phase 2” of verification. It could be an ad blocker, some browser extension, VPN, browser settings, who knows.