As spotted on Reddit (via 9to5Mac), a feature called ‘Automatic Verification’ uses ‘Private Access Tokens’ to confirm to websites that users are, in fact, real people and not robots. This confirmation will allow users to bypass CAPTCHAs on websites that support the feature.
Apple detailed how the feature works in a WWDC session called “Replace CAPTCHAs with Private Access Token,” explaining:
“Private Access Tokens are a powerful alternative that help you identify HTTP requests from legitimate devices and people without compromising their identity or personal information. We’ll show you how your app and server can take advantage of this tool to add confidence to your online transactions and preserve privacy.”
Those curious about how this all works should check out the WWDC session. In short, web servers can use a new HTTP authentication method called ‘PrivateToken’ to request access to a token that confirms the user passed an ‘attestation check’ — in other words, proof that the user is legitimate. Apple devices with Automatic Verification generate these tokens through a combination of details, such as information about your device and Apple ID.
Crucially, Apple says the cryptographic signatures used in the process are “unlinkable,” which means that servers can only use the tokens to confirm that a user is legitimate. Servers cannot use the tokens to discover users’ identities or track users.
Put simply, Apple verifies that users are legitimate and then vouches for them to websites so users don’t need to complete CAPTCHAs.
Moreover, it’s worth noting that Automatic Verification utilizes a new industry standard called ‘Privacy Pass.’ That means the underlying tech isn’t an Apple-exclusive feature and we could see similar CAPTCHA bypass features come to, say, Android or Windows, in the future. Cloudflare has a whole blog post about Privacy Pass and how it works, including an explanation of how it improves privacy by reducing the need for websites to gather user data.
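The server side of the ‘PrivateToken’ exchange described above, as an added example that is not code from Apple, Cloudflare or the original article: it builds the challenge sent with a 401 response and runs the checks a server makes on the returned token before verifying the issuer's signature (that verification is left to a crypto library). Field layouts follow the published Privacy Pass specifications (RFC 9577 and RFC 9578); the issuer name, origin and key bytes used with it are constructed placeholders.

```python
import base64, hashlib, struct

TOKEN_TYPE = 0x0002      # Blind RSA (publicly verifiable) token type
NID, NK = 32, 256        # token_key_id and authenticator sizes for that type

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()

def build_challenge(issuer: str, origin: str, context: bytes = b"") -> bytes:
    """Serialize TokenChallenge: type, issuer_name, redemption_context, origin_info."""
    if len(context) not in (0, 32):
        raise ValueError("redemption context must be empty or 32 bytes")
    i, o = issuer.encode(), origin.encode()
    return (struct.pack("!HH", TOKEN_TYPE, len(i)) + i
            + bytes([len(context)]) + context
            + struct.pack("!H", len(o)) + o)

def www_authenticate(challenge: bytes, issuer_key: bytes) -> str:
    """Value of the WWW-Authenticate header sent with the 401 response."""
    return f'PrivateToken challenge="{b64u(challenge)}", token-key="{b64u(issuer_key)}"'

def check_token(authorization: str, challenge: bytes, issuer_key: bytes,
                redeemed: set) -> tuple:
    """Pre-signature checks on an 'Authorization: PrivateToken token=...' value.
    Returns (signed_bytes, authenticator, nonce). The caller verifies the
    authenticator with the issuer public key, then adds nonce to `redeemed`."""
    scheme, _, param = authorization.partition(" ")
    if scheme != "PrivateToken" or not param.startswith("token="):
        raise ValueError("not a PrivateToken credential")
    raw = base64.urlsafe_b64decode(param[len("token="):].strip('"'))
    if len(raw) != 2 + 32 + 32 + NID + NK:
        raise ValueError("wrong token length")
    (token_type,) = struct.unpack("!H", raw[:2])
    nonce, digest, key_id = raw[2:34], raw[34:66], raw[66:66 + NID]
    if token_type != TOKEN_TYPE:
        raise ValueError("unexpected token type")
    if digest != hashlib.sha256(challenge).digest():
        raise ValueError("token bound to a different challenge")
    if key_id != hashlib.sha256(issuer_key).digest():
        raise ValueError("token signed under an unknown issuer key")
    if nonce in redeemed:
        raise ValueError("token already redeemed")
    return raw[:-NK], raw[-NK:], nonce
```

The token carries only a random nonce, a hash of the challenge, a key identifier and the signature, which is why the server learns that the client passed attestation and nothing about who the client is.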
9to5Mac reports that companies like Fastly and Cloudflare are already building support for Privacy Pass and have enabled their issuer services. Later this year, other companies will be able to sign up for the feature through Apple’s website.
For now, Automatic Verification is only available in the first developer beta of Apple’s new software. Those trying out Apple’s new software may be able to test Automatic Verification on websites that support the feature. However, once iOS 16 and macOS Ventura become widely available, Apple users may see way fewer CAPTCHAs.