Cryptographic Attestation of Personhood
CAP lets you prove that you are a legitimate website visitor by touching a hardware key, instead of solving a CAPTCHA puzzle.
This article provides answers to common questions about usability and privacy concerns.
The answers to most privacy concerns are summarized in this table:
|Collect biometrics (fingerprints or face pictures)
|Collect information about your hardware authenticator
|Yes, limited to the number of keys in your batch
|Yes, when available
No, Cloudflare cannot collect biometrics. Our CAP process uses the WebAuthn API, which prevents the collection of . When your device asks for a biometric authentication — such as via a fingerprint sensor — it all happens locally.
As such, we never see your biometric data: that remains on your device. Once your device confirms a match, it sends only a basic attestation message. In effect, your device sends a message proving “yes, someone correctly entered a fingerprint on this trustworthy device” and never sends the fingerprint itself.
Yes, Cloudflare does collect a limited amount of data about your key. We store the manufacturer of your key and batch identifier ( keys per batch) for verification purposes. From our perspective, your key looks like all other keys in the batch.
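As an added illustration (not Cloudflare's code) of what the attestation message described above actually carries, the following Python parses raw WebAuthn authenticatorData into its fields: the RP ID hash, the user-present and user-verified flags, the signature counter and the AAGUID that identifies the authenticator model, with no biometric field anywhere in the structure. The sample bytes, AAGUID and credential ID are constructed for the example.

```python
"""Parse WebAuthn authenticatorData as a relying party receives it (added example)."""
import hashlib
import struct
import uuid

FLAG_UP = 0x01  # user present: someone touched the key
FLAG_UV = 0x04  # user verified: PIN or biometric checked on the device itself
FLAG_AT = 0x40  # attested credential data follows the counter


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split authenticatorData (WebAuthn sec. 6.1) into its fixed fields."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    flags = auth_data[32]
    result = {
        "rp_id_hash": auth_data[:32].hex(),
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),  # only a yes/no bit, never the biometric
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
    }
    if flags & FLAG_AT:
        # attestedCredentialData = aaguid(16) || credIdLen(2) || credId || COSE public key
        aaguid = auth_data[37:53]
        cred_len = struct.unpack(">H", auth_data[53:55])[0]
        cred_id = auth_data[55:55 + cred_len]
        if len(cred_id) != cred_len:
            raise ValueError("truncated credential ID")
        result["aaguid"] = str(uuid.UUID(bytes=aaguid))  # model/batch-level identifier
        result["credential_id"] = cred_id.hex()
        result["cose_public_key"] = auth_data[55 + cred_len:].hex()  # left opaque here
    return result


# Constructed sample: rpIdHash of "example.com", UP|UV|AT set, counter 7,
# a made-up AAGUID, a 4-byte credential ID and an empty CBOR map as the key.
SAMPLE_AAGUID = uuid.UUID("12345678-1234-5678-1234-567812345678")
SAMPLE_AUTH_DATA = (
    hashlib.sha256(b"example.com").digest()
    + bytes([FLAG_UP | FLAG_UV | FLAG_AT])
    + struct.pack(">I", 7)
    + SAMPLE_AAGUID.bytes
    + struct.pack(">H", 4) + b"\x01\x02\x03\x04"
    + b"\xa0"
)

if __name__ == "__main__":
    for field, value in parse_authenticator_data(SAMPLE_AUTH_DATA).items():
        print(f"{field}: {value}")
```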
What devices are and are not allowed?
CAP supports a wide variety of hardware authenticators:
- Roaming (cross-platform) authenticators:
- Platform authenticators:
  - Examples: Apple Touch ID and Face ID on iOS mobile devices and macOS laptops; Android mobile devices with fingerprint readers; Windows Hello
Most combinations of web browsers and WebAuthn-capable authenticators will work, but there are some known compatibility issues with WebAuthn attestation that may prevent CAP from working successfully:
- Basic CAP:
  - macOS desktop: For Touch ID, the browser must be Safari
  - Android: The browser must be Chrome
- CAP with Zero-Knowledge Proof:
  - Apple platform authenticators (e.g., iPhone with Touch ID/Face ID) are incompatible with the . If this fails, you will immediately be redirected to the basic CAP route without having to take any further action. Since Apple uses a privacy-preserving to show that an authenticator is valid while blocking tracking, this method maintains a high standard of privacy.
We are updating this list as the ecosystem evolves and as we continue to test different combinations.
Can hackers bypass the Cryptographic Attestation of Personhood?
CAP is one of many techniques to identify and block bots. To date, we have seen some attempts to test CAP’s security system, such as . The blog post discussing the test specifically calls out that this method does not break the Cloudflare threat model.
This does not mean that CAP is broken, but rather shows that it raises the cost of an attack over the current CAPTCHA model.
What happens if I lose my key?
If you do not have the necessary hardware (such as a YubiKey), you can still solve a regular CAPTCHA challenge (e.g., selecting pictures).
What are the common error codes and what do they mean?
- Cause: Your authenticator is using an unsupported attestation format (combination of browser and key). Also occurs when you use Firefox and select the option to “anonymise your key”.
- Solution: If this error occurs during , you will automatically be redirected to the basic CAP flow. If basic CAP fails, try a different combination of supported hardware device and browser or opt for a CAPTCHA.