Apple Plans to Kill CAPTCHAs

Tech to Rid Us of CAPTCHAs

Anyone who uses the web on a fairly frequent basis is all too familiar with them. They’ve been around for years in one form or another, be it a simple math problem, the “I’m not a robot” tick box, squished-up letters on a patterned background that are impossible to read, or the infamous grid of images daring you to find all the palm trees. (Which just makes me want to go on vacation.)

They are called CAPTCHAs (Completely Automated Public Turing test to tell Computers and Humans Apart), and as the name suggests, they are “traps” designed to pick the humans out of the swarm of bots constantly trying to submit form and comment spam on any given website. Unfortunately, they add a layer of frustration to the user experience and take precious time to complete.

We’re all tired of doing puzzles to submit a form

Fortunately, Apple may soon come to our rescue. They recently demoed new technology at the 2022 World Wide Developer’s Conference (WWDC) that could retire CAPTCHA from our online lives for good.

Enter the Private Access Token (PAT), which can determine whether a request is coming from a human rather than a bot. The authentication is invisible to web users because the PAT exchange runs quietly in the background. It uses a new HTTP authentication scheme called PrivateToken.

How does it work?

In Apple’s demonstration, iCloud serves as the attester. When a client needs to authenticate, the server hosting the requested site cryptographically verifies that the user’s client has passed the attestation process, using certificates stored in the device’s secure vault.

The technology also allows for rate limiting that can judge whether a requesting client is following a typical user pattern or behaving like part of a botnet. This is done anonymously between the user, the device and the requesting server, and no personal information is shared.

A pattern is built up from the user’s repeated interaction with their device(s), and it is very challenging for a bot to copy. These are the actions leading up to visiting a requesting website, such as logging into the device with biometrics, opening a web browser and then navigating the web to the eventual site.

A private process that is secure

The entire process is multi-stepped: the website requesting proof of humanity knows nothing about the user or the device, and that information is isolated at each end. The requesting server fully trusts the attester, validates the PrivateToken, and the end user is carried on to the authenticated website.

The tokens are good for a single use only, which removes the threat of brute force or repeated token submissions. The requesting website knows only the destination URL and the requesting IP address, and learns nothing about the user or device behind that IP.

Currently the PrivateToken system is limited to devices running iOS 16 or macOS Ventura or later, and the user must be signed into their Apple ID for attestation purposes. No Apple ID account details are shared with any third party. Because support is currently limited, Apple encourages web developers to make this process optional for now and not to require it to access the main site home page.

Ultimately, though, this looks promising, and if other platforms such as Google’s Android and Microsoft’s Windows create similar systems, we can be rid of the CAPTCHA for good.

So what are you going to do with all the saved up minutes per year not spent solving puzzles? I vote for extra naps!