With the arrival of iOS 16, presented at WWDC 2022, Apple brings another big piece of news: the elimination of CAPTCHAs, which will be completed automatically on your behalf. A new feature will inform a website that normally requires the completion of a CAPTCHA that it is dealing with a legitimate user rather than a robot.
The new feature, called Private Access Tokens, was explained in detail by Apple during a WWDC developer session entitled "Replace CAPTCHAs with Private Access Token":
Private Access Tokens are a powerful alternative that helps you identify HTTP requests from legitimate devices and people without compromising their identity or personal information. We will show you how your app and server can leverage this tool to add security to your online transactions and preserve privacy.
How will Apple solve the CAPTCHAs for us?
CAPTCHA codes (where CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart) are small popups that appear at login on many sites and applications, designed to confirm that whoever is trying to log in is human, and so to block requests from automated systems such as scraping scripts.
There are different types: the most classic asks you to transcribe alphanumeric codes shown inside images. More modern ones, such as Google's reCAPTCHA, ask you to locate and select all images containing a certain subject. An apparently simple solution, but one which over the years (the idea was born in 1997) has caused many hassles and wasted time for users, who often find themselves facing puzzles that are too confusing and complicated.
We therefore have, on the one hand, a degree of excess in how difficult these puzzles are compared with what should be an elementary operation, and on the other hand the need to prevent automated scripts from using web services that require authentication. This second aspect, which concerns everyone's safety, cannot be done without, and it makes CAPTCHAs essential.
Apple's solution is to bypass the CAPTCHA verification by telling the website that whoever is making the request is actually a human user. Apple then takes care of the verification that a CAPTCHA normally performs, sparing the user from completing it manually.
The verification process is carried out through a "challenge". When a user (on a device with iOS 16) requests access to a website, the server responds with a challenge to be solved. A token provider, which the server trusts, is named in the challenge. The iOS 16 device receives the challenge and forwards it to iCloud, which verifies that the client is legitimate (for example, it checks that the client shows "normal" patterns, such as how many requests it makes in a certain amount of time, to make sure the client is not part of an illegitimate token farm). Once iCloud has confirmed the client's request, it forwards the token generation request to the token provider named by the server. The token provider then generates the token and sends it to the client, which forwards it to the server. The server checks with the token provider that the received token was indeed generated by that exact provider, and thus confirms that the client is a human and not a robot.
This whole procedure is carried out while preserving the user's privacy. In fact, there is no way to trace the client from the token, since no private information about the client is shared during this challenge.
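As an added example (not code from the article or from Apple), here is a Python sketch of the structures this exchange carries, following the IETF Privacy Pass format that Private Access Tokens are built on: the challenge the server sends in its WWW-Authenticate header, the token the client returns, and the checks the server runs when redeeming it. The issuer's signature is pluggable; the real scheme uses an RSA blind signature, which is what stops the issuer from linking a token back to the client. Issuer names, origin names and key bytes are constructed placeholders.

```python
import base64
import hashlib
import os
import struct

TOKEN_TYPE_BLIND_RSA = 0x0002  # publicly verifiable token type used by PATs
NK = 256                       # authenticator length for a 2048-bit blind RSA key

def encode_challenge(issuer_name: bytes, origin_info: bytes,
                     redemption_context: bytes = b"") -> bytes:
    """TokenChallenge: type, issuer name, optional 32-byte context, origin list."""
    if len(redemption_context) not in (0, 32):
        raise ValueError("redemption_context must be empty or 32 bytes")
    return (struct.pack(">H", TOKEN_TYPE_BLIND_RSA)
            + struct.pack(">H", len(issuer_name)) + issuer_name
            + struct.pack(">B", len(redemption_context)) + redemption_context
            + struct.pack(">H", len(origin_info)) + origin_info)

def www_authenticate(challenge: bytes, issuer_key_spki: bytes) -> str:
    """Header the origin sends on a 401 instead of a CAPTCHA page."""
    b64 = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    return f'PrivateToken challenge="{b64(challenge)}", token-key="{b64(issuer_key_spki)}"'

def build_token(challenge: bytes, issuer_key_spki: bytes, sign) -> bytes:
    """Client side: nonce, challenge digest, key id, then the issuer's authenticator."""
    token_input = (struct.pack(">H", TOKEN_TYPE_BLIND_RSA) + os.urandom(32)
                   + hashlib.sha256(challenge).digest()
                   + hashlib.sha256(issuer_key_spki).digest())
    return token_input + sign(token_input)   # sign() stands in for the blind issuance

class Origin:
    """Website side: trusts one issuer key and accepts each token only once."""
    def __init__(self, issuer_key_spki: bytes, verify):
        self.token_key_id = hashlib.sha256(issuer_key_spki).digest()
        self.verify = verify        # callable(token_input, authenticator) -> bool
        self.seen_nonces = set()    # replay cache

    def redeem(self, challenge: bytes, token: bytes) -> bool:
        if len(token) != 98 + NK:
            return False
        token_type = struct.unpack(">H", token[:2])[0]
        nonce, digest, key_id = token[2:34], token[34:66], token[66:98]
        ok = (token_type == TOKEN_TYPE_BLIND_RSA
              and digest == hashlib.sha256(challenge).digest()  # bound to this challenge
              and key_id == self.token_key_id                   # bound to the trusted issuer
              and nonce not in self.seen_nonces                 # one token, one use
              and self.verify(token[:98], token[98:]))          # issuer really signed it
        if ok:
            self.seen_nonces.add(nonce)
        return ok
```

The origin never learns anything about the device beyond "an issuer it trusts vouched for this one request", which is the privacy property the article describes.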
This article, "Apple iOS 16 says goodbye to captchas: it will complete them for you", was published on Tech CuE | Close-up Engineering.