
Comment by prima-facie

18 hours ago

What Google has done is incredibly clunky and only serves its own interests. We already have methods to prove that we're human.

1. lots of laptops have fingerprint readers & TPM2 built-in

2. lots of folks own Yubikeys or FIDO2 keys - if these became the norm then the price would come down significantly.

Both of these methods only require a tap to authenticate to a website. Both provide public-key authentication, and both provide some level of proof of work / require human interaction, without revealing the identity of the end-user.

Why not use or standardise these? Because there's no benefit to Google, of course.

Those don't prove that a human is present. A FIDO2 key can be automated by electronic relay. The only way to do this involves device attestation - locking devices down and utilizing hardcoded TPM/Secure Enclave-esque chips. The best we can hope for would be an open standard for those chips so that people can use them with their own X.509 certificates that lets them choose their own CA.

  • Real hardware doesn't mean a human is present either, unfortunately. It just means that you have to spend on real devices to bypass these defences.
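The point the replies above make about a FIDO2 "tap" can be seen in the bytes the relying party actually receives: "user present" is a single flag bit the authenticator sets in the signed authenticatorData, and the AAGUID that attestation adds only identifies the device model. The parser below is an added illustration, not code from the thread or from any FIDO2 library; the RP ID "example.com", the AAGUID and the credential ID are constructed sample values.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import Optional

# Flag bits of the WebAuthn authenticatorData flags byte (byte 32).
FLAG_UP = 0x01  # user present: the authenticator asserts a touch/tap happened
FLAG_UV = 0x04  # user verified: a PIN or biometric check was performed
FLAG_AT = 0x40  # attested credential data follows (registration only)
FLAG_ED = 0x80  # extension data follows

@dataclass
class AuthData:
    rp_id_hash: bytes
    user_present: bool
    user_verified: bool
    sign_count: int
    aaguid: Optional[bytes]        # identifies the authenticator *model*, not a person
    credential_id: Optional[bytes]

def parse_authenticator_data(data: bytes) -> AuthData:
    """Parse the 37-byte fixed prefix of authenticatorData and, when the AT flag
    is set, the AAGUID and credential ID of the attested credential. The UP/UV
    bits are read exactly as the authenticator asserted them; nothing in this
    structure lets the relying party check that a human actually touched the key."""
    if len(data) < 37:
        raise ValueError("authenticatorData shorter than the 37-byte fixed prefix")
    rp_id_hash = data[:32]
    flags = data[32]
    (sign_count,) = struct.unpack(">I", data[33:37])
    aaguid = cred_id = None
    if flags & FLAG_AT:
        if len(data) < 55:
            raise ValueError("AT flag set but attested credential data is truncated")
        aaguid = data[37:53]
        (cred_len,) = struct.unpack(">H", data[53:55])
        cred_id = data[55:55 + cred_len]
        if len(cred_id) != cred_len:
            raise ValueError("credential ID is truncated")
    return AuthData(rp_id_hash, bool(flags & FLAG_UP), bool(flags & FLAG_UV),
                    sign_count, aaguid, cred_id)

def rp_id_matches(auth: AuthData, rp_id: str) -> bool:
    """The rpIdHash binds the assertion to one site (phishing resistance)."""
    return auth.rp_id_hash == hashlib.sha256(rp_id.encode()).digest()

# Constructed sample: registration-style blob for "example.com" with UP and AT set,
# UV clear, signature counter 7, a placeholder AAGUID and a 4-byte credential ID.
SAMPLE_AUTH_DATA = (hashlib.sha256(b"example.com").digest()
                    + bytes([FLAG_UP | FLAG_AT]) + struct.pack(">I", 7)
                    + bytes.fromhex("00112233445566778899aabbccddeeff")
                    + struct.pack(">H", 4) + b"\x01\x02\x03\x04")
```

Trusting the UP bit means trusting the authenticator that set it, which is what the attestation statement (verified against the vendor's CA) is for; even then it vouches for the hardware model, not for who or what pressed the button.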