
Building a WebAuthn Click Farm: Are CAPTCHAs Obsolete?


SOURCE: https://betterappsec.com/building-a-webauthn-click-farm-are-captchas-obsolete-bfab07bb798c
Summary

With our current set of trusted manufacturers, this would be slower than the solving rate of professional CAPTCHA-solving services, while allowing legitimate users to pass through with certainty.

After a bit of brainstorming and discussion on Slack, I decided it would be a fun weekend project to test this out with actual hardware and see just how difficult it would be.

Because WebAuthn is an open standard, it's of course trivial to build a software token and use it to sign requests.

Perhaps a better solution would have been to disable the "slot 1" TOTP behavior altogether (which is possible on a Yubikey), but I don't believe it's possible to reprogram this on the HyperFIDO keys.

At this point, I have all the ingredients necessary to build an internet-facing web service with the ability to answer WebAuthn signing requests that "automatically" bypass the user presence test on demand.

Factors like the reputation of the source IP/network, the capabilities of the browser (ex: is JavaScript enabled), and user behavior on the site (such as how quickly a CAPTCHA was solved, or whether the user actually clicked the element rather than triggering the function automatically) can be weighed before a decision is made to allow or deny the request.

Perhaps one of the reasons Cloudflare has confidence in this solution is that brute-force hardware automation like the kind developed here is likely much easier to detect than you'd think (and if not, here's a free suggestion). While an attestation certificate is shared amongst at least 100k devices, an additional attribute is provided as part of the attestation called a "signature counter". This is a unique counter that is incremented each time an operation is performed: "Authenticators SHOULD implement a signature counter feature."

Even a basic privacy-preserving detection that blocks (or sends to an alternate challenge) any request whose signature counter is greater than a reasonable human threshold (ex: 20k) could be effective.

It will be interesting to see if over time Cloudflare finds it necessary to implement additional detections for this type of physical automation, as well as how quickly and how broadly they disable entire batches of keys when inevitably an attestation private key is successfully extracted in the future.

It is easy to build software that intercepts WebAuthn requests and sends them to a remote FIDO hardware key to be solved. With a bit of soldering, hardware FIDO keys can be modified so the user presence test (physically touching the key) is bypassed on demand. By combining these components, it is possible to automate Cloudflare's Attestation of Personhood challenge.
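As an added example (not code from the post, Cloudflare or any FIDO vendor), here is how a relying party could read the signature counter out of a WebAuthn assertion's authenticatorData and apply the threshold policy suggested above; it goes one step further and also applies the WebAuthn spec's own clone check (the counter must increase between assertions from the same credential). The 20k threshold, the hypothetical RP ID example.com and the constructed sample blobs are assumptions.

```python
import hashlib
import struct

# authenticatorData layout (WebAuthn, section "Authenticator Data"):
#   rpIdHash  : 32 bytes  SHA-256 of the RP ID
#   flags     : 1 byte    bit 0 = UP (user present), bit 2 = UV, bit 6 = AT, bit 7 = ED
#   signCount : 4 bytes   big-endian unsigned, incremented on each operation
FLAG_UP = 0x01
HUMAN_MAX_SIGN_COUNT = 20_000  # assumed threshold, per the post's "ex: 20k"; tune per deployment


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Extract rpIdHash, flags and signCount from the fixed 37-byte prefix."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than 37 bytes")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {"rp_id_hash": rp_id_hash, "flags": flags,
            "user_present": bool(flags & FLAG_UP), "sign_count": sign_count}


def evaluate_assertion(auth_data: bytes, last_seen_count: int,
                       max_human_count: int = HUMAN_MAX_SIGN_COUNT) -> str:
    """Return 'allow', 'challenge' (route to an alternate challenge) or 'deny'."""
    parsed = parse_authenticator_data(auth_data)
    if not parsed["user_present"]:
        return "deny"  # a presence-gated ceremony must carry the UP flag
    count = parsed["sign_count"]
    # Spec guidance: if either counter is non-zero, the new value must exceed the
    # stored one; otherwise the credential may have been cloned.
    if (count != 0 or last_seen_count != 0) and count <= last_seen_count:
        return "deny"
    # The post's suggestion: a counter far beyond what a human would produce is
    # a strong hint of automation, so divert rather than silently allow.
    if count > max_human_count:
        return "challenge"
    return "allow"


def make_auth_data(sign_count: int, user_present: bool = True) -> bytes:
    """Build a constructed authenticatorData blob for testing (not from a real key)."""
    flags = FLAG_UP if user_present else 0
    return (hashlib.sha256(b"example.com").digest()  # hypothetical RP ID
            + bytes([flags]) + struct.pack(">I", sign_count))


if __name__ == "__main__":
    print(evaluate_assertion(make_auth_data(15), last_seen_count=14))        # allow
    print(evaluate_assertion(make_auth_data(25_000), last_seen_count=24_999))  # challenge
    print(evaluate_assertion(make_auth_data(10), last_seen_count=10))        # deny
```

A real deployment would store `last_seen_count` per credential ID and update it only after an `allow`.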

As said here by Luke Young