With the release of iOS 16 this year, Apple is taking steps towards eliminating the need for those pesky CAPTCHAs around the web. A new feature called Private Access Tokens will use a combination of details about your device and your Apple ID to inform a website that you are a legitimate user rather than a robot. In turn, this allows you to completely bypass the CAPTCHA step.
No more CAPTCHAs in iOS 16
The feature, which was spotted on Reddit over the weekend and by AppleInsider, was detailed by Apple in a WWDC 2022 session titled “Replace CAPTCHAs with Private Access Tokens.” In its description for developers, Apple says:
Private Access Tokens are a powerful alternative that help you identify HTTP requests from legitimate devices and people without compromising their identity or personal information. We’ll show you how your app and server can take advantage of this tool to add confidence to your online transactions and preserve privacy.
As you should expect from Apple, this process is done with privacy in mind. Servers are able to request tokens using a new HTTP authentication method called “PrivateToken.” These tokens are then used as part of a cryptographic process to confirm to the server that the “client was able to pass an attestation check.”
Apple explains that these cryptographic signatures are unlinkable, which means “servers that receive tokens can only check that they are valid, but they cannot discover client identities or recognize clients over time.”
The process factors in certificates stored in the Secure Enclave of your iPhone, iPad, or Mac, then verifies that the Apple ID associated with those certificates is in good standing.
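To make the “PrivateToken” HTTP authentication step concrete, the following added example (not code from Apple or from the original article) builds and parses the challenge a server would send in a `WWW-Authenticate` header. The wire layout and the `challenge` and `token-key` parameter names follow the Privacy Pass HTTP authentication scheme (RFC 9577), which is an assumption beyond what the article states; the issuer name, origin, and key bytes are constructed placeholders.

```python
import base64
import re

TOKEN_TYPE_BLIND_RSA = 0x0002  # publicly verifiable token type from RFC 9577

def b64url(data):
    return base64.urlsafe_b64encode(data).decode()

def encode_challenge(token_type, issuer, origin, context=b""):
    """Serialize a TokenChallenge: type, issuer, redemption context, origin."""
    if len(context) not in (0, 32):
        raise ValueError("redemption context must be empty or 32 bytes")
    issuer_b, origin_b = issuer.encode(), origin.encode()
    return (token_type.to_bytes(2, "big")
            + len(issuer_b).to_bytes(2, "big") + issuer_b
            + bytes([len(context)]) + context
            + len(origin_b).to_bytes(2, "big") + origin_b)

def decode_challenge(raw):
    """Parse a TokenChallenge, rejecting truncated or trailing bytes."""
    pos = 0
    def take(n):
        nonlocal pos
        if pos + n > len(raw):
            raise ValueError("truncated TokenChallenge")
        pos += n
        return raw[pos - n:pos]
    token_type = int.from_bytes(take(2), "big")
    issuer = take(int.from_bytes(take(2), "big")).decode()
    context = take(take(1)[0])
    origin = take(int.from_bytes(take(2), "big")).decode()
    if pos != len(raw) or len(context) not in (0, 32):
        raise ValueError("malformed TokenChallenge")
    return {"token_type": token_type, "issuer": issuer,
            "context": context, "origin": origin}

def www_authenticate(challenge, token_key):
    return (f'PrivateToken challenge="{b64url(challenge)}", '
            f'token-key="{b64url(token_key)}"')

def parse_www_authenticate(value):
    """Receiving side: extract and decode the challenge parameter."""
    scheme, _, rest = value.partition(" ")
    if scheme != "PrivateToken":
        raise ValueError("not a PrivateToken challenge")
    params = dict(re.findall(r'([a-z-]+)="?([A-Za-z0-9_=-]+)"?', rest))
    blob = params["challenge"]
    return decode_challenge(base64.urlsafe_b64decode(blob + "=" * (-len(blob) % 4)))

# Constructed sample (placeholders, not a real issuer, origin, or key).
SAMPLE = www_authenticate(encode_challenge(
    TOKEN_TYPE_BLIND_RSA, "issuer.example", "origin.example"), b"placeholder-key")
```

Note that the challenge names only the issuer and the origin; nothing in it identifies the client, which is consistent with the unlinkability property Apple describes.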
Apple notes that companies including Fastly and Cloudflare are already developing support for this new Privacy Pass standard. In fact, both of those companies have already enabled their issuer services. Other companies will be able to sign up later this year through Apple’s website.
This new “Automatic Verification” feature is enabled by default in the first betas of iOS 16, iPadOS 16, and macOS Ventura. You can find it by navigating to your Apple ID settings, choosing “Privacy and Security,” then looking for the new “Automatic Verification” toggle at the very bottom.
Apple’s user-facing explanation says: Bypass CAPTCHAs in apps and on the web by allowing iCloud to automatically and privately verify your device and account.
Because services like Cloudflare and Fastly have already enabled support for this new Privacy Pass standard, you should already be able to bypass CAPTCHAs on websites and apps that rely on those CDNs.
Author: Chance Miller