This article is more than 1 year old

A great day for non-robots: iOS 16 will bypass CAPTCHAs

A bot says what? Apple relies on IETF standards to remove annoyance, citing privacy and accessibility

Apple has introduced a game-changer into its upcoming iOS 16 for those who hate CAPTCHAs, in the form of a feature called Automatic Verification.

The feature does exactly what its name alludes to: automatically verifies devices and Apple ID accounts without any action from the user. When iOS 16 ships later this year, it will eliminate the frustrating requirement to select all the stop signs in a photo or decipher a string of characters.

The news was mentioned at Apple's 33rd annual Worldwide Developer Conference (WWDC) along with the usual slew of features designed to enhance the functionality of iPhones.

In a corresponding developer video, software engineer Tommy Pauly, who works on the networking stack for Apple's client operating systems, cited user experience, privacy and accessibility as reasons to move away from the old school CAPTCHA verification system.

"This kind of tracking is at odds with the direction of internet privacy being taken by Safari, Mail Privacy Protection, and iCloud Private Relay," said Pauly, who noted that someone interacting with a website through an app or browser has already performed actions that are hard for a bot to imitate.

"First, they have an iPhone, iPad, or Mac, and they've unlocked the device with their password, Touch ID, or Face ID. They're almost always signed into the device with their Apple ID. And they've launched a code-signed app," argued the Apple-ite.

To achieve this CAPTCHA-free utopia, available in both iOS 16 and macOS, Apple relies on Private Access Tokens, which use technology in the process of being standardized by industry organization Internet Engineering Task Force (IETF).

Servers request tokens using an HTTP authentication method called PrivateToken. The tokens use RSA Blind Signatures to cryptographically sign off on an attestation check, confirmed via certificates stored in the device without giving away user identities.
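How a blind signature lets an issuer sign a token it cannot later link to a client, as an added sketch that is not Apple's code or part of the original article. It assumes textbook RSA over a SHA-256 digest rather than the padded scheme in the IETF drafts, a constructed demo key built from two Mersenne primes, and hypothetical function names.

```python
import hashlib
import secrets
from math import gcd

# Constructed demo key: two well-known Mersenne primes, unsuitable for real use.
P, Q = 2**127 - 1, 2**521 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # issuer's private exponent


def digest(msg: bytes) -> int:
    """Map the token input to an integer below N (plain SHA-256, no padding)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")


def blind(msg: bytes):
    """Client: hide the message digest behind a random factor r."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            break
    return (digest(msg) * pow(r, E, N)) % N, r


def issuer_sign(blinded: int) -> int:
    """Issuer: sign whatever it is handed; it never sees the digest itself."""
    return pow(blinded, D, N)


def unblind(blind_sig: int, r: int) -> int:
    """Client: strip r to obtain an ordinary signature on the digest."""
    return (blind_sig * pow(r, -1, N)) % N


def verify(msg: bytes, sig: int) -> bool:
    """Origin: check the token using only the issuer's public key (N, E)."""
    return pow(sig, E, N) == digest(msg)


def demo():
    nonce = b"constructed-token-nonce"  # constructed sample input
    blinded, r = blind(nonce)
    token_sig = unblind(issuer_sign(blinded), r)
    return blinded, token_sig, verify(nonce, token_sig)
```

The value the issuer signs changes with every random `r`, while the unblinded signature the origin checks is the same ordinary RSA signature, so the issuer cannot match a redeemed token to the request that produced it.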

The attester also performs rate-limiting, so abnormal patterns – such as multiple repeat requests – are recognized as such.

Developers can use content delivery networks Fastly and Cloudflare to sign tokens validated by their servers, as both have already invested in developing the standards and made CAPTCHA-eliminating services available – but they won't be the only options. However, Pauly noted that any token issuer would have to be a large service that works with, at minimum, hundreds of servers to protect privacy.

The Automatic Verification comes as an option in settings that is enabled by default – meaning authentication on a developer's site shouldn't block the main page load, but instead be treated as a secondary option for CAPTCHA lovers and legacy users alike.

After all, a very scientific Reg poll last year did determine that 32 percent of readers found them a necessary tool to inflict on users, while only 46 percent chose to nuke them from orbit. ®
