iOS 16 Will Allow Users To Skip Some CAPTCHAs

Apple is introducing a new system for iPhones and macOS hardware that will allow users to bypass the CAPTCHA challenge that many webpages rely on to ensure that the visitor is human and not a bot. That respite from the CAPTCHA annoyance is called Private Access Tokens, which Apple is going to enable in partnership with Cloudflare and Fastly.

Private Access Tokens are essentially cryptographic tokens that work for browsers as well as for APIs called by browsers and apps. Developed in collaboration with the likes of Apple and Google, the tokens will make it possible to bypass the CAPTCHA challenge on iOS 16 and macOS Ventura, while more vendors are expected to join soon. Aside from ending a hassle and making things easier for people with disabilities, Private Access Tokens are also said to be more secure.

When users surf the web, both the website and the CAPTCHA service provider get access to information such as visited URLs, IP addresses, device information, interaction data, and even other websites that users may have looked up. The token system puts a limit on that. The entire process of requesting, generating, passing, and validating a token happens without the user or the visited website knowing anything about it. "No one entity can link client identity to website activity. And yet, this authorizes access to a website – all while eliminating human interactions," says Fastly.

Ending CAPTCHA with a safer and quicker alternative

The idea here is that if a user is trying to sign in on a webpage, they already have a device like an iPhone, iPad, or Mac, which means they've already gone through a more stringent security protocol such as Face ID or Touch ID. Plus, the Apple ID is already signed in on the device that is allowing Safari to visit the webpage in question. The technical objective behind Private Access Tokens is to let servers avoid CAPTCHA, without allowing servers to track client identity.

The whole token system for bypassing the CAPTCHA verification process relies on a new HTTP authentication layer and on RSA blind tokens, which bring in cryptographic protocols for added security. For those who use Google's Chrome browser instead of Safari, Private Access Tokens aim to do what Chrome Trust Tokens seek to achieve.

Another important aspect here is that the system will send authentication tokens when an app is running in the foreground. Throughout the entire process, the Apple ID signed in on a device isn't shared by any of the involved parties. As for the tokens required to bypass the CAPTCHA challenge and verify that the client is not a bot, they will be available for apps using the WebKit and URLSession systems.