How to automatically bypass annoying app and website CAPTCHAs on your iPhone for instant verification

If you hate matching images, typing letters and numbers, solving math problems, and pushing puzzle pieces apart for human verification with CAPTCHAs, you’ll love Apple’s latest privacy feature for apps and websites.

CAPTCHAs are especially painful on mobile devices. Sites deploy them to tell humans from bots, to blunt automated abuse such as denial-of-service floods, and generally to protect their servers, but the cost lands on legitimate users:

  • They slow the user down by adding another step to a login or task. Cloudflare estimates that the average user needs 32 seconds to complete a CAPTCHA.
  • Low-quality images make it hard to pick out the boats, traffic lights, bikes, or whatever else the prompt asks for.
  • Distorted words can be illegible, leaving no right letter to choose.
  • They work poorly for users with accessibility needs.
  • People with color blindness may not be able to distinguish certain text colors.
  • Rendering the challenge consumes extra bandwidth.
  • The CAPTCHA provider can log your IP address and other personal data.

In iOS 16, Apple has added a feature that lets a supporting site or app skip the CAPTCHA altogether. It is built on Private Access Tokens (PATs): before the request goes through, your device has Apple's servers, backed by your iCloud account and device attestation, vouch that the HTTP request comes from a legitimate Apple device, and the site accepts a cryptographic token in place of a puzzle. The token itself carries nothing that identifies you, not even an IP address, and the two checks are kept separate: the site never learns your Apple ID, and Apple never learns which site asked.

To support PATs, a website's or app's servers must be configured with the hostname and public key of a trusted token issuer, which can be a content delivery network (CDN) such as Cloudflare or Fastly, a web hosting provider, or a CAPTCHA provider. Fastly notes that site owners must enable PATs themselves, while Cloudflare turns them on for its customers automatically.

The server then challenges the client with a 401 response carrying a "WWW-Authenticate: PrivateToken" header, a new HTTP authentication scheme that names the issuer and its public key. The device has Apple attest it, obtains from the issuer a token signed with an RSA blind signature, and retries the request with the token in an "Authorization: PrivateToken" header; the server verifies the signature against the issuer's public key, which is its cryptographic confirmation that the device passed attestation.

These signatures are "unlinkable": servers receiving tokens can only verify their validity, but cannot discover client identities or recognize clients over time, and because the issuer signed a blinded value, it cannot match a redeemed token back to the signing request it served.
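The challenge, blind-signing and redemption exchange described above, as an added toy example written for this article (it is not Apple's, Cloudflare's or Fastly's code). It assumes hypothetical names `issuer.example` and `origin.example`, generates a 512-bit demo key with Python's non-cryptographic `random` module, and uses a simplified full-domain-hash encoding in place of the 2048-bit RSA-PSS with SHA-384 that real type 0x0002 tokens use; the byte layout of TokenChallenge and Token follows the Privacy Pass authentication-scheme draft, with the base64url wrapping of the HTTP headers omitted.

```python
import hashlib, math, os, random, struct
# Toy PrivateToken exchange (added example; 512-bit demo key and an FDH encoding
# stand in for the 2048-bit RSA-PSS/SHA-384 of real token type 0x0002).
TOKEN_TYPE = 0x0002

def _is_probable_prime(n, rounds=20):
    """Miller-Rabin, adequate for a throwaway demo key."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_issuer_key(bits=512):
    """Issuer keypair (n, e, d); the origin is configured with (n, e) only."""
    e, primes = 65537, []
    while len(primes) < 2:
        p = random.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
        if _is_probable_prime(p) and p not in primes and (p - 1) % e:
            primes.append(p)
    p, q = primes
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))

def _encode(msg, n):
    """Full-domain hash of msg into Z_n (stand-in for the RSA-PSS encoding)."""
    out, i = b"", 0
    while len(out) * 8 < n.bit_length() + 64:
        out += hashlib.sha256(struct.pack(">I", i) + msg).digest()
        i += 1
    return int.from_bytes(out, "big") % n

def token_key_id(n, e):
    return hashlib.sha256(f"{n}:{e}".encode()).digest()  # real PATs hash the DER SPKI

def build_challenge(issuer_name, origin_name):
    """TokenChallenge = type || issuer_name || redemption_context || origin_info,
    sent by the origin in a 401 'WWW-Authenticate: PrivateToken challenge=...'."""
    return (struct.pack(">H", TOKEN_TYPE)
            + struct.pack(">H", len(issuer_name)) + issuer_name
            + b"\x00"                                   # empty redemption context
            + struct.pack(">H", len(origin_name)) + origin_name)

def client_blind(challenge, key_id, n, e):
    """Client builds the token input and blinds it before asking the issuer."""
    nonce = os.urandom(32)
    token_input = (struct.pack(">H", TOKEN_TYPE) + nonce
                   + hashlib.sha256(challenge).digest() + key_id)
    r = random.randrange(2, n)
    while math.gcd(r, n) != 1:                          # r must be invertible mod n
        r = random.randrange(2, n)
    return token_input, r, _encode(token_input, n) * pow(r, e, n) % n

def issuer_sign(blinded, n, d):
    return pow(blinded, d, n)       # issuer never sees the nonce or challenge digest

def client_finalize(token_input, r, blind_sig, n):
    """Unblind: (m^d * r) * r^-1 = m^d.  Token = token_input || authenticator."""
    sig = blind_sig * pow(r, -1, n) % n
    return token_input + sig.to_bytes((n.bit_length() + 7) // 8, "big")

def origin_verify(token, challenge, n, e, redeemed):
    """Origin checks an 'Authorization: PrivateToken token=...' value."""
    if len(token) != 98 + (n.bit_length() + 7) // 8:
        return False
    token_input, sig = token[:98], int.from_bytes(token[98:], "big")
    nonce, cdigest, kid = token_input[2:34], token_input[34:66], token_input[66:98]
    if (token_input[:2] != struct.pack(">H", TOKEN_TYPE) or kid != token_key_id(n, e)
            or cdigest != hashlib.sha256(challenge).digest()  # bound to another challenge
            or nonce in redeemed                              # replay: one token, one use
            or pow(sig, e, n) != _encode(token_input, n)):    # issuer's signature
        return False
    redeemed.add(nonce)
    return True

def run_flow():
    """Runs the whole exchange and reports what each party could check."""
    n, e, d = gen_issuer_key()
    challenge = build_challenge(b"issuer.example", b"origin.example")  # constructed names
    token_input, r, blinded = client_blind(challenge, token_key_id(n, e), n, e)
    blind_sig = issuer_sign(blinded, n, d)
    token = client_finalize(token_input, r, blind_sig, n)
    redeemed = set()
    return {
        "verified": origin_verify(token, challenge, n, e, redeemed),
        "replay_accepted": origin_verify(token, challenge, n, e, redeemed),
        "other_origin_accepted": origin_verify(token, build_challenge(b"issuer.example", b"other.example"), n, e, set()),
        # The issuer's record (blinded, blind_sig) matches nothing in the redeemed token.
        "issuer_can_match_token": blind_sig == int.from_bytes(token[98:], "big"),
    }
```

Calling `run_flow()` shows the three checks an origin must make beyond the signature: the token's challenge digest must match the challenge this origin issued (a token minted for another site is rejected), the nonce must not have been redeemed before (replay protection is the origin's job, not the issuer's), and the key ID must match the configured issuer key. It also shows why the issuer cannot link: the value it signed and the signature it returned are both different from the authenticator the origin eventually sees.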

Private Access Tokens are not Apple-only: they are an instance of Privacy Pass, a broader authentication standard being developed at the Internet Engineering Task Force (IETF) with participation from Apple and Google. For now, Cloudflare and Fastly are the only CDNs Apple has worked with, but Apple is working with other companies to bring the scheme to broad adoption across the web.

The feature is enabled by default, but you can confirm it under Settings -> [your name] -> Password & Security -> Automatic Verification. The same setting appears in iPadOS 16 for iPad and macOS 13 Ventura for Mac, both still in beta. The path is identical on iOS and iPadOS; on macOS 13 it is Settings -> Apple ID -> Password & Security -> Automatic Verification.
