A frequently used method of fraud prevention, but one users often dislike, CAPTCHAs will soon cease to be a problem for iPhone users: iOS 16 will support Private Access Tokens, which let supported apps and websites skip CAPTCHAs.
According to a video Apple recently shared about the feature, Private Access Tokens, new in iOS 16 and macOS Ventura, are what allow your servers to automatically trust clients. Private Access Tokens let servers avoid CAPTCHAs by using technology being standardized in the IETF Privacy Pass working group.
Using this protocol, servers can request tokens using a new HTTP authentication method, PrivateToken. These tokens use RSA Blind Signatures to cryptographically sign the fact that a client was able to pass an attestation check. These signatures are “unlinkable”, which means that servers that receive tokens can only check that they are valid, but they cannot discover client identities or recognize clients over time.
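As an added illustration (not code from Apple's video or the IETF drafts), the following toy Python model walks through the RSA blind-signature round trip behind these tokens, using constructed small primes and textbook RSA in place of the RSASSA-PSS scheme the real protocol uses. It shows why the signature is unlinkable: the issuer signs only the blinded value and never sees the token that the origin server later verifies.

```python
import hashlib
import secrets
from math import gcd

# Constructed demo key: two small primes, nowhere near a real key size.
# The real protocol uses RSASSA-PSS with full-size keys; this only shows the
# blind / sign / unblind / verify arithmetic and what each party gets to see.
P, Q = 1000003, 1000033
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)  # issuer's private exponent

def h(msg: bytes) -> int:
    """Map the token payload into the RSA group (toy stand-in for PSS encoding)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def blind(msg: bytes):
    """Client: pick a random r coprime to N and send h(m) * r^e mod N to the issuer.
    r is kept secret by the client; the issuer only ever sees the blinded value."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            break
    blinded = (h(msg) * pow(r, E, N)) % N
    return blinded, r

def issuer_sign(blinded: int) -> int:
    """Issuer (the attesting party): sign whatever blinded value it receives.
    It learns nothing about h(m), so it cannot later recognize the token."""
    return pow(blinded, D, N)

def unblind(blind_sig: int, r: int) -> int:
    """Client: divide out r, leaving an ordinary RSA signature on h(m)."""
    return (blind_sig * pow(r, -1, N)) % N

def verify(msg: bytes, sig: int) -> bool:
    """Origin server: check the signature with the public key only."""
    return pow(sig, E, N) == h(msg)

def round_trip(msg: bytes):
    """Run the full exchange; return (signature valid?, issuer saw h(m)?)."""
    blinded, r = blind(msg)
    sig = unblind(issuer_sign(blinded), r)
    return verify(msg, sig), blinded == h(msg)
```

Because `blinded` differs from `h(msg)`, the issuer's log of what it signed cannot be matched against the tokens the origin server redeems, which is the unlinkability property described above.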
“Private Access Tokens are a powerful alternative that help you identify HTTP requests from legitimate devices and people without compromising their identity or personal information,” Apple says.
The feature, which appears in Settings as Automatic Verification and is also supported in macOS Ventura, is enabled by default in early betas of iOS 16 and iPadOS 16. It can be found in the Settings app under Apple ID > Password & Security > Automatic Verification. All of the software updates currently in beta are expected to be released this year.
Apple says the feature addresses the problems CAPTCHAs cause: a cumbersome user experience, privacy risk, and accessibility barriers.
“Even if someone is interacting with your website for the first time, if they are loading it through an app or browser like Safari, they’ve already performed many actions that are hard for a bot to imitate. First, they have an iPhone, iPad, or Mac, and they’ve unlocked the device with their password, Touch ID, or Face ID. They’re almost always signed in to the device with their Apple ID. And they’ve launched a code-signed app. This information can help your servers trust legitimate clients and prevent fraud, without relying on CAPTCHAs, and without compromising privacy by tracking clients.”