iPhone and Mac owners will soon be able to say goodbye to online CAPTCHA challenges that aim to test whether you’re human.
Instead, they get ‘Private Access Tokens’.
It looks like Apple will be the first to roll out the new technology, which is included in the first betas of iOS 16 and iPadOS 16 and is enabled by default, according to MacRumors. Apple detailed the technology at WWDC 2022 earlier this month together with Cloudflare.
Private Access Tokens (PATs) are coming to iOS 16 and macOS Ventura with the promise of reducing the need for CAPTCHAs. iOS 16 is currently in beta and will be released later this year.
Google and many other companies use CAPTCHAs, or the “Completely Automated Public Turing Test to Tell Computers and Humans Apart,” as a challenge-response authentication to prevent bots from logging into new accounts or accessing services.
It’s a useful service for stopping fake access requests, but it can still be frustrating and inconvenient to have to spot an object in grainy images when you sign up for a service.
As Apple emphasized at WWDC, CAPTCHAs can also pose a privacy risk. To reduce the complexity of CAPTCHA challenges, web servers often use tracking or browser/device fingerprinting. CAPTCHAs are also a barrier to accessibility and are unnecessary when a person has already unlocked a device with a password or Face ID.
Cloudflare, which has already moved away from CAPTCHA, says that “500 human years [are] wasted every day – just for us to prove our humanity.”
Fortunately, Private Access Tokens (PATs) are not exclusive to Apple hardware. Apple and Google are shaping the authentication standard through the IETF Privacy Pass Working Group, which suggests it will come to Android at some point. But PATs also require the cooperation of hardware makers, and Google has not announced its plans for PAT in Android. The working group also includes members of Cloudflare and Fastly.
“By partnering with third parties such as device manufacturers, who already have the data to validate a device, we can abstract parts of the validation process and confirm data without collecting, touching or storing that data ourselves. Instead of questioning a device directly, we ask the seller of the device to do it for us,” Cloudflare explains of PATs.
On Apple’s side, PATs can help with privacy measures for its Safari browser, Mail Privacy Protection, and iCloud Private Relay.
The PAT protocol allows developers to request tokens from user devices using a cryptographically signed authentication method called ‘PrivateToken’. A web server can only use a token to verify its validity; according to Apple, the token cannot be used to discover the user’s identity or to recognize a client device used to browse different websites. The service allows sites to verify a device and an Apple ID account without the user having to find every stop sign on a grid of grainy photos, for example.
“First, when the iOS or macOS client accesses a server over HTTP, the server sends back a challenge using the PrivateToken authentication scheme. This specifies a token issuer that is trusted by the server,” explains Apple.
“When the client needs to retrieve a token, it contacts an iCloud attester and sends a token request. This token request is ‘blinded’ so it cannot be associated with the server challenge. The attester performs device attestation using certificates that are stored in the device’s Secure Enclave and verifies that the account is in good standing.”
The iCloud attester also limits requests to prevent bots, and once a client device is validated, it sends a request for a new token to the issuer.
“When the token issuer receives the request, it doesn’t know anything about the client. But since it trusts the iCloud attester, it signs the token,” Apple explains.
“The client then receives the signed token and transforms it in a process called ‘unblinding’ so that the origin server can verify it. And finally, the client presents the signed token to the server. The server can verify that this token is signed by the issuer, but it cannot use the token to identify or recognize the client.”
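The blind, sign, unblind and verify steps Apple describes above, as an added Python example that is not Apple's or Cloudflare's code. It assumes a textbook RSA blind signature with a constructed toy key and a simplified token input (the page does not say which signature scheme is used), and all function names are hypothetical.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy issuer key (assumption): Mersenne primes, textbook RSA, no padding.
P, Q = 2**89 - 1, 2**107 - 1
N, E = P * Q, 65537                      # public key, known to client and origin
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent, held by the issuer only

def token_input(challenge: bytes, nonce: bytes) -> int:
    """Client/origin: bind a fresh nonce to the origin's challenge (simplified)."""
    return int.from_bytes(hashlib.sha256(nonce + challenge).digest(), "big") % N

def blind(m: int) -> tuple:
    """Client: multiply m by r^E so the value leaving the device looks random."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:               # r must be invertible mod N
            return (m * pow(r, E, N)) % N, r

def issuer_sign(blinded: int) -> int:
    """Issuer: sign what the attester forwards; it never sees m or the origin."""
    return pow(blinded, D, N)

def unblind(blind_sig: int, r: int) -> int:
    """Client: divide out r, leaving an ordinary signature m^D on the token input."""
    return (blind_sig * pow(r, -1, N)) % N

def origin_verify(challenge: bytes, nonce: bytes, sig: int) -> bool:
    """Origin: check the issuer's signature using only the public key."""
    return pow(sig, E, N) == token_input(challenge, nonce)

def run_exchange(challenge: bytes) -> dict:
    """One full exchange; records what each party gets to see."""
    nonce = secrets.token_bytes(32)
    m = token_input(challenge, nonce)
    blinded, r = blind(m)                # sent to the attester, then the issuer
    sig = unblind(issuer_sign(blinded), r)
    return {
        "issuer_saw": blinded,
        "origin_saw": (m, sig),
        "valid": origin_verify(challenge, nonce, sig),
        "tampered_valid": origin_verify(challenge, nonce, (sig + 1) % N),
    }
```

The value the issuer signs shares nothing visible with the token input and signature the origin later receives, which is why the two cannot be matched up afterwards.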