A great day for non-robots: iOS 16 will bypass CAPTCHAs

A bot says what? Apple relies on IETF standards to remove annoyance, citing privacy and accessibility


Apple has introduced a game-changer into its upcoming iOS 16 for those who hate CAPTCHAs, in the form of a feature called Automatic Verification.

The feature does exactly what its name alludes to: automatically verifies devices and Apple ID accounts without any action from the user. When iOS 16 ships later this year, it will eliminate the frustrating requirement to select all the stops signs in a photo or decipher a string of characters.

The news was mentioned at Apple's 33rd annual Worldwide Developer Conference (WWDC) along with the usual slew of features designed to enhance the functionality of iPhones.

In a corresponding developer video, software engineer Tommy Pauly, who works on the networking stack for Apple's client operating systems, cited user experience, privacy and accessibility as reasons to move away from the old school CAPTCHA verification system.

"This kind of tracking is at odds with the direction of internet privacy being taken by Safari, Mail Privacy Protection, and iCloud Private Relay," said Pauly, who noted that someone interacting with a website through an app or browser has already performed actions that are hard for a bot to imitate.

"First, they have an iPhone, iPad, or Mac, and they've unlocked the device with their password, Touch ID, or Face ID. They're almost always signed into the device with their Apple ID. And they've launched a code-signed app," argued the Apple-ite.

To achieve this CAPTCHA-free utopia, available in both iOS 16 and macOS, Apple relies on Private Access Tokens, which use technology in the process of being standardized by industry organization Internet Engineering Task Force (IETF).

Servers request tokens using a HTTP authentication method called PrivateToken. The tokens use RSA Blind Signatures to cryptographically sign off on an attestation check, confirmed via certificates stored in the device without giving away user identities.

The attester also performs rate-limiting, so abnormal patterns – such as multiple repeat requests – are recognized as such.

Developers can use content delivery networks Fastly and Cloudflare to sign tokens validated by their servers as they've already invested in developing in the standards and made the CAPTCHA eliminating services available – but they won't be the only options. However Pauly noted that any token issuer would have to be a large service that works with, at minimum, hundreds of servers to protect privacy.

The Automatic Verification comes as an option in settings that is enabled by default – meaning authentication on a developer's site shouldn't block the main page load, but instead be treated as a secondary option for CAPTCHA lovers and legacy users alike.

After all, a very scientific Reg poll last year did determine that 32 percent of readers found them a necessary tool to inflict on users, while only 46 percent chose to nuke them from orbit. ®


Other stories you might like

  • Apple's guy in charge of stopping insider trading guilty of … insider trading
    He had one job

    One of Apple's most senior legal executives, whom the iGiant trusted to prevent insider trading, has admitted to insider trading.

    Gene Levoff pleaded guilty to six counts of security fraud stemming from a February 2019 complaint, according to a Thursday announcement from the US Department of Justice on Thursday.

    Levoff used non-public information about Apple's financial results to inform his trades on Apple stock, earning himself $227,000 and avoiding $377,000 of losses. He was able to access the information as he served as co-chairman of Apple's Disclosure Committee, which reviewed the company's quarterly draft, annual report and Securities and Exchange Commission (SEC) filings.

    Continue reading
  • FTC urged to probe Apple, Google for enabling ‘intense system of surveillance’
    Ad tracking poses a privacy and security risk in post-Roe America, lawmakers warn

    Democrat lawmakers want the FTC to investigate Apple and Google's online ad trackers, which they say amount to unfair and deceptive business practices and pose a privacy and security risk to people using the tech giants' mobile devices.

    US Senators Ron Wyden (D-OR), Elizabeth Warren (D-MA), and Cory Booker (D-NJ) and House Representative Sara Jacobs (D-CA) requested on Friday that the watchdog launch a probe into Apple and Google, hours before the US Supreme Court overturned Roe v. Wade, clearing the way for individual states to ban access to abortions. 

    In the days leading up to the court's action, some of these same lawmakers had also introduced data privacy bills, including a proposal that would make it illegal for data brokers to sell sensitive location and health information of individuals' medical treatment.

    Continue reading
  • How refactoring code in Safari's WebKit resurrected 'zombie' security bug
    Fixed in 2013, reinstated in 2016, exploited in the wild this year

    A security flaw in Apple's Safari web browser that was patched nine years ago was exploited in the wild again some months ago – a perfect example of a "zombie" vulnerability.

    That's a bug that's been patched, but for whatever reason can be abused all over again on up-to-date systems and devices – or a bug closely related to a patched one.

    In a write-up this month, Maddie Stone, a top researcher on Google's Project Zero team, shared details of a Safari vulnerability that folks realized in January this year was being exploited in the wild. This remote-code-execution flaw could be abused by a specially crafted website, for example, to run spyware on someone's device when viewed in their browser.

    Continue reading

Biting the hand that feeds IT © 1998–2022