Apple plans to replace CAPTCHAs with a new approach


Don’t like clicking pictures of crosswalks and bikes? You might get lucky. In iOS 16, iPadOS 16, and macOS Ventura, Apple is releasing a handy new feature that will reduce the number of CAPTCHAs you’ll need to complete to prove you’re human and not a bot. The new technology promises to be useful and should make the web more usable and accessible for everyone.

CAPTCHAs are one of the most annoying parts of the modern internet. Want to buy a concert ticket? Click on all the bridges. Logging in to your email account? Time to spot the bike. It’s slow, boring, and easy to get wrong. Do you click on every square that contains a tiny bit of crosswalk, or just the ones that are mostly crosswalk? And it’s even worse for people who rely on tools like screen readers to access the internet.

So what is a CAPTCHA for?

They serve a purpose. They pose problems that are harder for computers to solve than for humans (the name stands for Completely Automated Public Turing test to tell Computers and Humans Apart). Because these tasks are a challenge for computers and easier for us, they are a reasonable way to check whether someone is human. And yes, they’re annoying, but they make it harder for bots to buy concert tickets before you do, for hackers to automatically try logging into your accounts after a password breach, and for dozens of other abuses that website operators need a way to stop.

Meanwhile, Google’s reCAPTCHA program (its implementation of the more generic CAPTCHA) seems to have improved a lot in recent years. It does more behind the scenes to verify that you are human, using signals like your IP address and your activity on the website you are using, rather than forcing you to identify traffic lights. Much more often than before, you just click the “I’m not a robot” box and you’re through.

But overall, it’s still far from a perfect system and is riddled with privacy issues.

What is Apple’s solution?

Earlier this month at its annual developer conference, WWDC, Apple unveiled a feature called Private Access Tokens (PATs), developed in conjunction with engineers from Google, Fastly, and Cloudflare, that would allow users to completely bypass CAPTCHAs on supported sites and apps. (These tokens are different from access keys, which are meant to replace passwords.) It works by moving the human-verification process from the server to your device, which ideally makes things smoother, more secure, and more private.

When you use your iPhone, you perform actions like signing in with Face ID or Touch ID, actions that are nearly impossible for a computer to fake. Combine that with rate limiting (meaning you can only make a certain number of attempts before being forced to slow down or pass an additional check), and Apple can tell much more easily who is a human using their device normally and who is a bot (or a user in an iPhone click farm) than a website you only interact with for a few moments can. The certificates stored in your device’s Secure Enclave would keep a record of all your regular human antics.

PATs allow websites and applications to verify users automatically in the background. When you try to sign in, they would send an attestation request to iCloud, which would check the certificates stored on your device. Assuming you’re using your iPhone or Mac normally, iCloud would attest that you’re human and provide a cryptographically signed token so you can proceed without further challenge.

While this is undeniably more convenient, it also offers some nice privacy benefits. Websites would not need to log your IP address or otherwise track your activity in order to verify that you are human; this would all happen privately on your device. You could even do things that are sometimes treated as suspicious, like using a VPN, without automatically being asked to solve a CAPTCHA.
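The exchange described in the three paragraphs above, as an added example that is not part of the original article and not code from Apple, Google, Cloudflare or Fastly: a small Go simulation with a device, an issuer standing in for iCloud, and a website. The device's local check (Face ID / Touch ID) is reduced to a boolean, and the device IDs, origin name and rate limit are constructed values. The deployed protocol is built on Privacy Pass and additionally blinds the token so the issuer cannot tell which site it was minted for; this simulation leaves that out and shows only what the article describes: the issuer enforces a per-device rate limit, the site verifies nothing but a signature against the issuer's public key and never learns which device asked, and each token is bound to one challenge and accepted exactly once.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Token is all the website ever sees: a digest of its own challenge and the
// issuer's signature over it. It carries no device identifier and no IP.
type Token struct {
	ChallengeDigest [32]byte
	Signature       []byte
}

var (
	ErrNotAttested = errors.New("device failed its local check")
	ErrRateLimited = errors.New("device exceeded the token rate limit")
	ErrBadSig      = errors.New("signature does not verify under the issuer key")
	ErrUnknown     = errors.New("token is not bound to a challenge this origin issued")
	ErrReplay      = errors.New("token already redeemed")
)

// Issuer stands in for iCloud: it knows which device asks and rate-limits it,
// but the token it signs never names the device.
type Issuer struct {
	priv   ed25519.PrivateKey
	Pub    ed25519.PublicKey
	issued map[string]int // tokens handed out per constructed device ID
	limit  int
}

func NewIssuer(limit int) (*Issuer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Issuer{priv: priv, Pub: pub, issued: map[string]int{}, limit: limit}, nil
}

// Issue signs a token for challenge if the device passed its local check
// (Face ID / Touch ID in the article, a boolean here) and is under its limit.
func (is *Issuer) Issue(deviceID string, locallyVerified bool, challenge []byte) (Token, error) {
	if !locallyVerified {
		return Token{}, ErrNotAttested
	}
	if is.issued[deviceID] >= is.limit {
		return Token{}, ErrRateLimited
	}
	is.issued[deviceID]++
	d := sha256.Sum256(challenge)
	return Token{ChallengeDigest: d, Signature: ed25519.Sign(is.priv, d[:])}, nil
}

// Origin is the website: it trusts only the issuer's public key and remembers
// which challenges it handed out and which tokens it already accepted.
type Origin struct {
	name      string
	issuerPub ed25519.PublicKey
	pending   map[[32]byte]bool
	redeemed  map[[32]byte]bool
}

func NewOrigin(name string, issuerPub ed25519.PublicKey) *Origin {
	return &Origin{name: name, issuerPub: issuerPub,
		pending: map[[32]byte]bool{}, redeemed: map[[32]byte]bool{}}
}

// Challenge binds a fresh nonce to this origin's name, so a token minted for
// one site cannot be spent on another.
func (o *Origin) Challenge() ([]byte, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ch := append([]byte(o.name+":"), nonce...)
	o.pending[sha256.Sum256(ch)] = true
	return ch, nil
}

// Redeem accepts a token once: replay check, signature, then challenge binding.
func (o *Origin) Redeem(t Token) error {
	if o.redeemed[t.ChallengeDigest] {
		return ErrReplay
	}
	if !ed25519.Verify(o.issuerPub, t.ChallengeDigest[:], t.Signature) {
		return ErrBadSig
	}
	if !o.pending[t.ChallengeDigest] {
		return ErrUnknown
	}
	delete(o.pending, t.ChallengeDigest)
	o.redeemed[t.ChallengeDigest] = true
	return nil
}

func main() {
	issuer, _ := NewIssuer(3)
	site := NewOrigin("tickets.example", issuer.Pub) // constructed origin name
	ch, _ := site.Challenge()
	tok, _ := issuer.Issue("device-A", true, ch)
	fmt.Println("redeem:", site.Redeem(tok), "| again:", site.Redeem(tok))
}
```

The point of the split is visible in the types: the issuer's per-device table is the only place a device identity exists, and the site's two tables hold only challenge digests, which is why it can answer "is this a human?" without an IP log or behavioural tracking. A token presented to the wrong site, presented twice, or with a tampered signature is refused, and a device that asks for too many tokens is refused at the issuer before any site is involved.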

Automatic verification will launch in iOS 16 and macOS Ventura. It’s currently on by default in the betas, and it can be found in the Settings app under Apple ID > Privacy & Security, scrolling down to Automatic Verification. With Google, Cloudflare, and Fastly all collaborating on this, support will hopefully be mainstream when it officially launches later this year.
