How to automatically bypass CAPTCHAs for apps and websites on your iPhone, iPad or Mac

If you hate matching images or typing letters for human CAPTCHA verification, you’ll love Apple’s latest software updates for iOS, iPadOS, and macOS.

On mobile devices, CAPTCHAs can become a real nightmare. Websites use them for security: to detect bots, to blunt denial-of-service attacks, and otherwise to protect their servers, but they end up annoying legitimate users.

  • They slow the user down by adding another step to logging in or completing a task. Cloudflare estimates that it takes an average user 32 seconds to complete a CAPTCHA test.
  • You can end up with poor-quality images that make it hard to pick out boats, traffic lights, bikes, or anything else.
  • Letters can be distorted so badly that it is impossible to choose the right one.
  • The data needed to render them consumes extra bandwidth.
  • They work poorly for users with accessibility needs.
  • They can be used to track your IP address and other personal data.

With the new iOS 16, iPadOS 16, and macOS 13 Ventura updates, Apple has implemented a security feature that lets you bypass CAPTCHA verification. It does this using iCloud and Private Access Tokens (PATs) to attest that the HTTP requests are coming from your device rather than from a bot. As a bonus, it does not reveal your identity or share personal data such as your IP address.

CAPTCHA in iOS 15 (left) and privacy tokens in iOS 16 (right). Image via Apple

To support PATs, a website or app’s servers must know the hostname and public key of a trusted token issuer, which can be a content delivery network (CDN) such as Cloudflare or Fastly, a web hosting provider, or a CAPTCHA provider. Fastly notes that site owners need to enable PATs themselves, while for Cloudflare customers this happens automatically.

The server then sends this information to the user in the form of a “PrivateToken” challenge. This new HTTP authentication scheme uses RSA blind signatures to cryptographically confirm to the server that your device has passed the issuer’s attestation check.

These signatures are “unlinkable”, which means that servers receiving tokens can only verify their validity, but cannot discover client identities or recognize clients over time.
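The unlinkability property described above can be seen in the blind-signature arithmetic itself. The following is an added illustration, not Apple’s or Cloudflare’s code: it uses a deliberately tiny raw-RSA key on a SHA-256 hash in place of the RSA-PSS blind signatures and message encoding the real Privacy Pass protocol uses, so the key material, `hash_to_int`, and the `Origin` class are all constructed for this example.

```python
import hashlib
import secrets
from math import gcd

# Toy RSA key with small fixed primes, constructed for illustration; real issuers use 2048-bit keys.
P, Q = 1000000007, 998244353
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # issuer's private exponent

def hash_to_int(challenge: bytes) -> int:
    # Map the origin's token challenge to an integer mod N (stand-in for the real encoding).
    return int.from_bytes(hashlib.sha256(challenge).digest(), "big") % N

def blind(challenge: bytes) -> tuple[int, int]:
    # Client: multiply the message by r^e so the issuer never sees the message itself.
    m = hash_to_int(challenge)
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return (m * pow(r, E, N)) % N, r

def issue(blinded: int, issuer_log: list[int]) -> int:
    # Issuer: after attesting the device, sign the blinded value; it only ever sees `blinded`.
    issuer_log.append(blinded)
    return pow(blinded, D, N)

def unblind(blinded_sig: int, r: int) -> int:
    # Client: (m * r^e)^d = m^d * r, so dividing by r leaves a plain RSA signature on m.
    return (blinded_sig * pow(r, -1, N)) % N

class Origin:
    # Website: checks tokens with the issuer's public key and refuses to accept one twice.
    def __init__(self) -> None:
        self.spent: set[int] = set()

    def redeem(self, challenge: bytes, token: int) -> bool:
        if pow(token, E, N) != hash_to_int(challenge) or token in self.spent:
            return False
        self.spent.add(token)
        return True

def get_token(challenge: bytes, issuer_log: list[int]) -> int:
    # Client side of one PrivateToken round trip: blind, have it signed, unblind.
    blinded, r = blind(challenge)
    return unblind(issue(blinded, issuer_log), r)

def issuer_can_link(issuer_log: list[int], challenge: bytes, token: int) -> bool:
    # Unlinkability: nothing in the issuer's log equals the redeemed token or its message.
    return token in issuer_log or hash_to_int(challenge) in issuer_log
```

The origin accepts a valid token once and rejects replays and tampered tokens, while the issuer’s log contains only blinded values it cannot match to the token the origin later sees.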

Private Access Tokens are not just for Apple devices: they are part of a broader authentication standard called Privacy Pass, which is being developed at the Internet Engineering Task Force (IETF) with participants including Apple and Google. Currently, Cloudflare and Fastly are the only CDNs Apple has worked with, but it is working with other companies to bring the technology to broad adoption on the web.

Apple’s iOS 16, iPadOS 16, and macOS 13 software is currently in beta, but you can join the beta if you’d like to test this new feature – along with a number of other new features. You may experience bugs, decreased battery life, and other glitches when running the beta, but you can always downgrade if necessary.

This feature is enabled by default, but you can double-check that it is on. On iOS and iPadOS 16, go to Settings -> [your name] -> Password & Security -> Automatic Verification. On macOS 13, go to System Settings -> Apple ID -> Password & Security -> Automatic Verification.
