With iOS 16 and macOS 13, Apple wants to kill captchas too

Alessandro Nodari

Apple is intent on revolutionizing the web as we know it. Not only has it long since started a fight against passwords and developed technologies such as iCloud Private Relay, Hide My Email and Tracking Transparency, but at WWDC 2022 it announced a new technology, called Private Access Tokens (PAT), with the aim of permanently eliminating the CAPTCHA.


Most of you will surely have met those image grids which, introduced by the wording “I’m not a robot”, are used to determine whether an HTTP request (an access to a web page) comes from a human user or from a bot (a kind of simplified Turing test). PATs will first of all spare the user the hassle of going through the slew of images to choose from, and secondly they will be much safer than CAPTCHAs (which can be compromised).

But how do PATs work? They send an HTTP request in the background through a new HTTP authentication method called PrivateToken, by which a server uses cryptography to verify that a client has passed an iCloud attestation check.

Token generation and delivery to the server work like this.

  • When the client needs a token, it contacts an attester, in this case Apple.
  • The attester performs the check using certificates stored in the device’s Secure Enclave. But not only that: it also verifies that the client is not part of an iPhone farm, for example through a rate limiter, which is very difficult for bots to imitate.
  • Once the signed (single-use) token has been obtained, it is sent to the server in a multi-step process.
  • The server knows nothing about the device or the person accessing it, but it trusts the attester and validates the token.
  • Finally, the user is directed to the target web page.

Obviously the process takes place automatically and the user doesn’t have to do anything. Cloudflare and Fastly are already integrating it into their systems, and web servers accessed via Safari and WebKit will automatically work with PATs, while other devices may not recognize the token process, so Apple warns developers to make sure the check doesn’t block the main web page and to present it as optional. The new system will arrive with iOS 16 and macOS Ventura or later.
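The flow described above, as an added Go model that is not Apple's code and not the real Private Access Token wire format: an attester signs a single-use token bound to one origin, and the origin validates it with nothing but the attester's public key, rejects replays, and falls back gracefully when a client presents no token at all. The Ed25519 signature, the "nonce.signature" token layout and the origin names are assumptions made for this demo; device attestation itself is assumed to have already passed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"strings"
)

// tokenMessage binds the nonce to the origin name, so a token issued for one site is useless at another.
func tokenMessage(origin string, nonce []byte) []byte { return append([]byte(origin+"|"), nonce...) }

// Issue runs on the attester (Apple in the article) once device attestation has passed;
// attestation itself is not modelled. The token format "nonce.signature" is constructed.
func Issue(issuer ed25519.PrivateKey, origin string) string {
	nonce := make([]byte, 32)
	rand.Read(nonce) // crypto/rand; an entropy failure would be fatal for a one-time token anyway
	enc := base64.RawURLEncoding.EncodeToString
	return enc(nonce) + "." + enc(ed25519.Sign(issuer, tokenMessage(origin, nonce)))
}

// Origin is the web server: it pins only the issuer's public key and a replay cache, nothing about the device or user.
type Origin struct {
	name   string
	issuer ed25519.PublicKey
	seen   map[string]bool // redeemed nonces: each token is disposable
}

func NewOrigin(name string, issuer ed25519.PublicKey) *Origin { return &Origin{name, issuer, map[string]bool{}} }

// Check returns "verified" for a valid unused token, "fallback" when no PrivateToken is offered
// (serve the page anyway, as the article advises), or an error for a forged, cross-origin or replayed token.
func (o *Origin) Check(authz string) (string, error) {
	const scheme = "PrivateToken token="
	if !strings.HasPrefix(authz, scheme) {
		return "fallback", nil
	}
	nonceB64, sigB64, ok := strings.Cut(strings.TrimPrefix(authz, scheme), ".")
	nonce, err1 := base64.RawURLEncoding.DecodeString(nonceB64)
	sig, err2 := base64.RawURLEncoding.DecodeString(sigB64)
	if !ok || err1 != nil || err2 != nil || !ed25519.Verify(o.issuer, tokenMessage(o.name, nonce), sig) {
		return "", errors.New("invalid issuer signature")
	}
	if o.seen[nonceB64] {
		return "", errors.New("token already redeemed")
	}
	o.seen[nonceB64] = true
	return "verified", nil
}
```

The replay cache is in-memory for the demo; a real deployment would share it across server instances and expire entries along with the issuer key rotation.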
