

The science behind how iOS 16 can bypass CAPTCHA

Apple’s CAPTCHA-elimination option sounds a bit technical to the average person. Thankfully, we’ll break it all down here.

[Screenshot of iOS 16 showing the Automatic Verification setting for CAPTCHA (image: KnowTechie)]

You’ve almost certainly encountered CAPTCHAs when trying to log into a website or access online content. The acronym stands for Completely Automated Public Turing test to tell Computers and Humans Apart.

As the full name indicates, CAPTCHAs present computerized challenges that people can solve but computers can’t. 

Some might take you back to elementary school math class, asking you to answer what’s two plus four. Others make you squint at a string of distorted characters and type what you see.

[“I am not a robot” CAPTCHA screenshot on a purple background (image: KnowTechie)]

Some CAPTCHAs show you several low-quality pictures and ask you to choose all the traffic lights or motorcycles.

However, some images are so blurry that it’s hard to differentiate the objects you need to find. 

These puzzles may slow your browsing activity as you try to click through them, but CAPTCHAs serve a relevant purpose by thwarting fraudulent activity online.

Computerized bots can’t solve CAPTCHA puzzles, so the technology helps weed them out. However, it can also present barriers for people with disabilities.

The release of iOS 16, Apple’s new mobile operating system, will allow users to bypass CAPTCHA. Here’s a closer look at how the option works. 

Apple utilizes private access tokens

[Screenshot of Apple’s diagram of how Private Access Tokens work (image: KnowTechie)]

Apple developers pointed out that when people interact with websites for the first time, they’ve typically already done things that are hard for bots to imitate.

For example, they’ve unlocked the device with a password. They probably also used an Apple ID if they were on an Apple device. 

Private access tokens help web servers automatically trust users. Apple’s approach relies on a new HTTP authentication method called PrivateToken.

Each token carries a cryptographic signature that affirms its holder passed a security check, and the signature is unlinkable: it cannot be tied back to the person or device that obtained it.

Because the signatures are unlinkable, a server can only verify that the client passed a check; it cannot learn who the client is.

A step-by-step look at the process

[Apple Privacy Pass diagram (image: Apple)]

When a user’s compatible device attempts to access a server, the server responds with a challenge under the PrivateToken authentication scheme, asking the client to present a token.

Apple’s attester then confirms the user’s identity by checking it against certificates held in the Secure Enclave. That’s the hardware-based key manager, isolated from the main processor, that provides extra security.

Apple’s attester can also carry out a process called rate limiting. It examines whether a user’s behavior follows expected patterns or may be associated with fraudulent internet activity, such as click farming. 

The signed token eventually reaches the server through a multi-step process. The server learns nothing about the user or device, but it trusts the attester enough to accept the token.
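The blind-signature round that makes this flow work, written here as an added example rather than Apple’s or the Privacy Pass project’s code: a toy RSA issuer, a client that blinds and unblinds, and an origin that verifies with nothing but the issuer’s public key. The primes, the SHA-256 token input and the challenge bytes are constructed for the example; real deployments use full-size keys and the PSS-style encoding of the blind-signature specification.

```python
import hashlib
import secrets

# Toy issuer key from two well-known Mersenne primes so the example runs offline.
# Textbook RSA for illustration only: a real issuer uses 2048-bit keys and the
# PSS-style encoding of the blind-signature spec. Not Apple's or any vendor's code.
P, Q = 2**61 - 1, 2**89 - 1
N = P * Q
E = 65537                             # issuer public exponent
D = pow(E, -1, (P - 1) * (Q - 1))     # issuer private exponent

def token_input(challenge: bytes, nonce: bytes) -> int:
    """Hash the origin's challenge with a client nonce so the token fits one request only."""
    return int.from_bytes(hashlib.sha256(challenge + nonce).digest(), "big") % N

def blind(m: int):
    """Client: multiply by r^E so the issuer sees only a random-looking value."""
    r = secrets.randbelow(N - 2) + 2  # blinding factor, kept secret by the client
    return (m * pow(r, E, N)) % N, r

def issuer_sign(blinded: int, device_attested: bool):
    """Issuer: sign the blinded value only after the attester vouches for the device."""
    if not device_attested:
        return None                   # attestation or rate-limit check failed: no token
    return pow(blinded, D, N)         # issuer never learns m or the final token

def unblind(blinded_sig: int, r: int) -> int:
    """Client: divide out r to recover a plain signature on m."""
    return (blinded_sig * pow(r, -1, N)) % N

def origin_verify(challenge: bytes, nonce: bytes, token: int) -> bool:
    """Origin: check with the issuer's public key only; nothing here identifies the client."""
    return pow(token, E, N) == token_input(challenge, nonce)

def run_flow(challenge: bytes, device_attested: bool = True) -> dict:
    """One round; 'unlinkable' checks that what the issuer saw differs from what the origin sees."""
    nonce = secrets.token_bytes(32)
    m = token_input(challenge, nonce)
    blinded, r = blind(m)
    blinded_sig = issuer_sign(blinded, device_attested)
    if blinded_sig is None:
        return {"nonce": nonce, "token": None, "valid": False, "unlinkable": True}
    token = unblind(blinded_sig, r)
    return {
        "nonce": nonce,
        "token": token,
        "valid": origin_verify(challenge, nonce, token),
        "unlinkable": blinded != m and blinded_sig != token,
    }
```

The issuer only ever handles the blinded value and the origin only the unblinded token, so neither party can join its record with the other’s to track a client across sites, which is the property the article calls unlinkability.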

[Person holding an iPhone at a desk, using Facebook (image: Unsplash)]

All this happens quickly and in the background. The user notices nothing except a friction-free transition to their destination websites. 

Apple’s approach is one of the emerging strategies based on the move away from traditional security models and principles.

For example, there’s the zero-trust model, which has quickly gained traction in cybersecurity circles. It works on the principle that people’s identities must always be verified before they access the content.

They are never automatically trusted, even if they are the most senior person in the organization or someone who has worked there for decades. 

Automatic verification is easy to activate 

[iOS Settings: Password & Security screen (image: KnowTechie)]

Apple’s CAPTCHA-elimination option sounds a bit technical to the average person. However, the company makes it easy to turn the feature on or deactivate it as needed.

First, tap Settings and click on your name in the left-hand panel. Next, go to Passwords & Security. From there, switch Automatic Verification on or off.

You’ll find it under the Advanced heading of that section. You’ll also find it turned on by default in iPhone and iPad versions of iOS 16.

How to enable Automatic Verification

If you’re on the beta of iOS 16 right now, Automatic Verification is on by default. We’re not sure if that will be the case when the public builds come this fall.

  1. Open the Settings app
     [iOS Settings app (image: KnowTechie)]
  2. Tap on your Apple ID
     [iOS Settings: Apple ID screen (image: KnowTechie)]
  3. Tap on Password & Security
     [iOS Settings: Password & Security screen (image: KnowTechie)]
  4. Scroll down and toggle Automatic Verification to ON
     [Screenshot of iOS 16 showing the Automatic Verification setting for CAPTCHA (image: KnowTechie)]

The end of pesky CAPTCHAs?

This progress represents a major step forward for Apple. Even when people know how CAPTCHAs work, they typically find them frustrating due to the way they disrupt the internet experience.

For now, this technology only works on Apple devices running iOS 16.

However, if this approach proves viable in the real world, there may soon be similar options for Android devices and other operating systems.

That’s especially likely since Apple makes it easy for people to turn the feature on or off.

Many less tech-savvy users won’t bother with CAPTCHA-free technology if they perceive it will be too cumbersome.

That’s not the case with Apple’s option, and hopefully, other technology companies will follow suit with user-friendliness.

Staff writer at ReHack Magazine with a passion for cybersecurity, AI, and all things tech. Offline, you'll find me cruising the neighborhood on my motorcycle or bingeing the latest true crime documentary.