Thanks to iOS 16, you’ll never have to waste time with CAPTCHAs again

iOS 16 will offer a feature to bypass annoying CAPTCHAs on the internet. Apple relies on private access tokens. These identify the user as a human being by transferring various pieces of information and allow access to a website without solving a CAPTCHA.

CAPTCHAs are a necessary evil on the internet for distinguishing people from bots. However, it is quite annoying for users to keep solving arithmetic problems or picking out traffic lights from several images before they are granted access to a website. With the so-called Private Access Token (PAT), iOS 16 will now offer an alternative way to identify yourself as a person, reports 9to5Mac.

How authentication works with PATs in iOS 16

Apple already demonstrated how identification via PAT works at WWDC 2022. Usually, a server needs proof that a request to access a web page came from a human. By solving a simple task, a CAPTCHA, you identify yourself as a human being. However, you can also have an “attester” identify you as a human being. On iOS 16, this is iCloud.

Figure: The iCloud attester can identify the user of a client as a human being. (Image: © Apple 2022)

When a client wants to call up a website on a server, the server sends back an identification request: it requires a token that proves that a human is behind the client. The client requests this token, more specifically the PAT, from the iCloud attester. The attester then collects various information that proves that the user is human. First, it fetches certificates that are stored in the device’s Secure Enclave (an isolated area of the processor).

The attester can also carry out what is known as rate limiting. In this way, it checks whether the usage behavior of the device is typical for a human being and can thus exclude devices that belong to a bot or click farm. If the client passes all of the attester’s checks, a signed token is sent back to the server and the user can access the website without a CAPTCHA.

The user’s data remain secret

As usual, Apple makes sure that user data is protected with this method as well. The server requesting the token does not get any information about the device or the user from the PATs. That information is not relevant to the server at all; it is only interested in whether the token was validated by an attester.
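The flow described above, modelled as an added example that is not code from Apple or from the article. It assumes a textbook RSA blind signature as the mechanism that keeps the token unlinkable to the device, a constructed toy key, and a simple per-device counter in place of real rate limiting; the names `Attester`, `client_get_token` and `server_verify` are hypothetical.

```python
import hashlib, math, secrets

# Constructed toy key (two Mersenne primes); far too small for real use.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # attester's private exponent

def h(msg: bytes) -> int:
    """Hash to an integer mod N (no padding: illustration only)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

class Attester:
    """Hypothetical attester: checks the device, rate-limits, signs blind."""
    def __init__(self, limit: int):
        self.limit, self.issued = limit, {}

    def issue(self, device_id: str, device_ok: bool, blinded: int) -> int:
        if not device_ok:  # stands in for the Secure Enclave certificate check
            raise PermissionError("device attestation failed")
        if self.issued.get(device_id, 0) >= self.limit:  # simplified rate limit
            raise PermissionError("rate limit exceeded")
        self.issued[device_id] = self.issued.get(device_id, 0) + 1
        return pow(blinded, D, N)  # signs without seeing the real token value

def client_get_token(attester, device_id, device_ok, challenge: bytes):
    nonce = secrets.token_bytes(16)
    while True:  # pick a blinding factor that is invertible mod N
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            break
    blinded = (h(challenge + nonce) * pow(r, E, N)) % N
    blind_sig = attester.issue(device_id, device_ok, blinded)
    sig = (blind_sig * pow(r, -1, N)) % N  # unblind: sig = h(msg)^D mod N
    return nonce, sig, blinded

def server_verify(challenge: bytes, nonce: bytes, sig: int) -> bool:
    """The server sees challenge, nonce and signature only: no device data."""
    return pow(sig, E, N) == h(challenge + nonce)

if __name__ == "__main__":
    attester = Attester(limit=2)
    challenge = b"constructed-challenge-from-example.test"
    nonce, sig, _ = client_get_token(attester, "device-A", True, challenge)
    print("server accepts token:", server_verify(challenge, nonce, sig))
```

The value the attester signs is blinded, so it cannot later match a redeemed token to the device it checked, and the server's verification takes no device identifier at all.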

Verification method already available in iOS 16 beta

If you want to stop solving CAPTCHAs right away, you can activate the new validation via PATs in the iOS 16 beta. The feature is located in the “Apple ID” menu item under “Password & Security”. The “Automatic verification” function must be activated there.

However, there is still a catch: The new verification method must also be supported by the web hosts. Cloudflare and Fastly already support the new method. Other providers are to follow in the future.

Reference: www.turn-on.de