Hilbert Hagedoorn:

According to Cloudflare, physical keys are also a more privacy-friendly way of authentication, although the company admits that the solution is not perfect. For example, Cloudflare still knows which security key and hardware a user has.

Well... This was the reason they have chosen the picture in the past... Another step back in privacy, and everyone will accept it just to have less click to do. A massive population of lamb.

rl66:

Well... This was the reason they have chosen the picture in the past... Another step back in privacy, and everyone will accept it just to have less click to do. A massive population of lamb.

Maybe it's not a privacy problem when it's Cloudflare who knows? In Cloudflare's opinion. If a competitor knows, then it's a major privacy problem.

Kaarme:

Maybe it's not a privacy problem when it's Cloudflare who knows? In Cloudflare's opinion. If a competitor knows, then it's a major privacy problem.

Nothing that is on a public facing server is safe though

scoter man1:

Nothing that is on a public facing server is safe though

I'm sure Cloudflare considers itself perfectly safe. You can trust your personal info to them! However, never trust it to any of Cloudflare's competitors!

This is such a stupid idea. First of all, I don't think most people see these every 10 days. You typically only see them when submitting inquiries or creating new accounts, which most people do but not regularly. So, aside from maybe secretaries, nobody is going to want a trinket like this. Second, hardware keys have proven over and over again to be effortlessly spoofed. All you have to do is create an emulated device that provides the key. Then, share that key with bots (the very thing captchas are supposed to prevent) and then you defeat the security. Or... just give the server containing the bot the key. Anything you could do to mitigate this it would still effectively make a physical key moot. At this rate, they might as well just have users create an account that uses 2FA. It's more secure, it doesn't require a dongle that you're just going to lose, and it could even be used to automatically fill in information, thereby speeding up the process even more. But even 2FA is a bad idea for this, because in the context that Captchas are used, it can still be abused.