With the release of iOS 16 this year, Apple is taking steps to eliminate those pesky CAPTCHAs on the Internet. A new feature called Private Access Tokens uses a combination of details about your device and your Apple ID to tell a website that you’re a legitimate user, rather than a robot. This in turn allows you to bypass the CAPTCHA step completely.
No more CAPTCHAs in iOS 16
The feature, which was spotted on Reddit over the weekend and again by AppleInsider, was detailed by Apple in a WWDC 2022 session titled “Replace CAPTCHAs with Private Access Tokens.” In its explanation to developers, Apple explains:
Private Access Tokens are a powerful alternative that allows you to identify HTTP requests from legitimate devices and people without compromising their identity or personal information. We’ll show you how your app and server can take advantage of this tool to give confidence to your online transactions and maintain privacy.
As you would expect from Apple, this process is done with privacy in mind. Servers are able to request tokens using a new HTTP authentication method called ‘PrivateToken’. These tokens are then used as part of a cryptographic process to confirm to the server that the “client was able to pass an attestation check”.
Apple explains that these cryptographic tokens cannot be linked, meaning that “servers that receive tokens can only verify that they are valid, but they cannot discover client identities or recognize clients over time.”
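To make the ‘PrivateToken’ exchange concrete, this added example (not Apple's code and not part of the original article) builds the challenge a server sends and checks that a returned token answers it. The field layout is taken from the Privacy Pass specifications (RFC 9577 and RFC 9578) as an assumption; the issuer and origin names, key bytes and sample token are constructed.

```python
import base64, hashlib, hmac, os, struct

TOKEN_TYPE = 0x0002                  # Blind RSA, publicly verifiable (RFC 9578)
NONCE = DIGEST = KEY_ID = 32         # field lengths in bytes
AUTH = 256                           # RSA-2048 signature length

def build_challenge(issuer: str, origin: str, context: bytes = b"") -> bytes:
    """Serialize a TokenChallenge as laid out in RFC 9577."""
    if len(context) not in (0, 32):
        raise ValueError("redemption_context must be empty or 32 bytes")
    i, o = issuer.encode(), origin.encode()
    return (struct.pack("!HH", TOKEN_TYPE, len(i)) + i
            + bytes([len(context)]) + context
            + struct.pack("!H", len(o)) + o)

def www_authenticate(challenge: bytes, token_key: bytes) -> str:
    """Header value the server sends with its 401 response."""
    b64 = lambda b: base64.urlsafe_b64encode(b).decode()
    return f'PrivateToken challenge="{b64(challenge)}", token-key="{b64(token_key)}"'

def check_token(authorization: str, challenge: bytes, token_key: bytes) -> dict:
    """Parse 'PrivateToken token=...' and check it answers our challenge."""
    scheme, _, param = authorization.partition(" ")
    name, _, value = param.strip().partition("=")
    if scheme != "PrivateToken" or name != "token":
        raise ValueError("not a PrivateToken credential")
    raw = base64.urlsafe_b64decode(value.strip('"'))
    if len(raw) != 2 + NONCE + DIGEST + KEY_ID + AUTH:
        raise ValueError("unexpected token length")
    (token_type,) = struct.unpack("!H", raw[:2])
    nonce, digest, key_id, auth = raw[2:34], raw[34:66], raw[66:98], raw[98:]
    if token_type != TOKEN_TYPE:
        raise ValueError("unsupported token type")
    if not hmac.compare_digest(digest, hashlib.sha256(challenge).digest()):
        raise ValueError("token was not issued for this challenge")
    if not hmac.compare_digest(key_id, hashlib.sha256(token_key).digest()):
        raise ValueError("token names a different issuer key")
    # Still required before trusting the token: verify `auth` as the issuer's
    # signature over raw[:98]. Omitted here (needs an RSA library).
    return {"token_type": token_type, "nonce": nonce, "authenticator": auth}

def constructed_token(challenge: bytes, token_key: bytes) -> str:
    """Constructed sample credential; the authenticator is random filler."""
    raw = (struct.pack("!H", TOKEN_TYPE) + os.urandom(NONCE)
           + hashlib.sha256(challenge).digest()
           + hashlib.sha256(token_key).digest() + os.urandom(AUTH))
    return 'PrivateToken token="' + base64.urlsafe_b64encode(raw).decode() + '"'
```

Nothing in the parsed token identifies the client: it carries only a random nonce, a digest of the server's own challenge, the issuer key ID and a signature.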
The process factors in certificates stored in the Secure Enclave of your iPhone, iPad, or Mac, then verifies that the Apple ID associated with those certificates is in good standing.
Apple notes that companies including Fastly and Cloudflare are already developing support for this new Privacy Pass standard. In fact, both companies have already turned on their issuer services. Other companies will be able to sign up via Apple’s website later this year.
This new “Automatic Verification” feature is enabled by default in the early betas of iOS 16, iPadOS 16, and macOS Ventura. You can find it by going to your Apple ID settings, choosing “Privacy and Security,” then looking for the new “Automatic Verification” toggle at the very bottom.
Apple’s user-centric explanation says: Bypass CAPTCHAs in apps and on the web by letting iCloud automatically and privately authenticate your device and account.
Since services like Cloudflare and Fastly have already enabled support for this new Privacy Pass standard, you should already be able to bypass CAPTCHAs on websites and apps that rely on those CDNs.