The science behind how iOS 16 can bypass CAPTCHA
Apple’s CAPTCHA-elimination option sounds a bit technical to the average person. Thankfully, we’ll break it all down here.
You’ve almost certainly encountered CAPTCHAs when trying to log into a website or access online content. The acronym stands for completely automated public Turing test to tell computers and humans apart.
As the full name indicates, CAPTCHAs present computerized challenges that people can solve but computers can’t.
Some might take you back to elementary school math class, asking you to answer what’s two plus four. Others make you squint at a string of distorted characters and type what you see.
Some CAPTCHAs show you several low-quality pictures and ask you to choose all the traffic lights or motorcycles.
However, some images are so blurry that it’s hard to differentiate the objects you need to find.
These puzzles may slow your browsing activity as you try to click through them, but CAPTCHAs serve a relevant purpose by thwarting fraudulent activity online.
Computerized bots can’t solve CAPTCHA equations, so this technology helps weed them out. However, it can also present barriers for people with disabilities.
Apple utilizes private access tokens
Apple developers pointed out that when people interact with websites for the first time, they’ve typically already done things that are hard for bots to imitate.
For example, they’ve unlocked the device with a password. They probably also used an Apple ID if they were on an Apple device.
Private access tokens help web servers automatically trust users. Apple’s approach relies on a new HTTP authentication method called PrivateToken.
The tokens use cryptography to issue an unlinkable signature affirming that someone passed a security check.
Due to the unlinkable nature of the signatures, the servers can only verify they got through a check. However, they cannot learn client identities.
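An added illustration of the unlinkable signature described above, not code from Apple or from the original article: a textbook RSA blind signature with toy parameters. The choice of scheme, the key size, the function names and the sample token input are assumptions made for this demo.

```python
import hashlib
import math
import secrets

# Toy issuer key built from two Mersenne primes (constructed for this demo;
# far too small and too structured for real use).
P, Q = 2**107 - 1, 2**127 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # issuer's private exponent


def digest(msg: bytes) -> int:
    """Hash the token input into Z_N (no padding: textbook RSA only)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def client_blind(msg: bytes):
    """Client hides the token input behind a random factor r."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            return (digest(msg) * pow(r, E, N)) % N, r


def issuer_sign(blinded: int) -> int:
    """Issuer signs what it is given; it never sees msg or digest(msg)."""
    return pow(blinded, D, N)


def client_unblind(blind_sig: int, r: int) -> int:
    """Strip r to obtain an ordinary signature on digest(msg)."""
    return (blind_sig * pow(r, -1, N)) % N


def origin_verify(msg: bytes, sig: int) -> bool:
    """Website checks the token using the issuer's public key only."""
    return pow(sig, E, N) == digest(msg)


def demo():
    msg = b"nonce=constructed-sample;challenge=constructed-sample"
    blinded, r = client_blind(msg)
    blind_sig = issuer_sign(blinded)
    sig = client_unblind(blind_sig, r)
    # Values the issuer handled vs. values the website later receives.
    unlinked = {blinded, blind_sig}.isdisjoint({digest(msg), sig})
    return origin_verify(msg, sig), unlinked
```

The website can confirm that the issuer signed the token, while nothing the issuer saw during signing matches what the website receives, so the two cannot be joined to identify the client.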
A step-by-step look at the process
When a user’s compatible device attempts to access a server, the server responds with a token using the PrivateToken authentication scheme.
Apple then determines the person’s identity by checking it against certificates in the Secure Enclave. That’s the hardware-based key manager separated from the main processor to provide extra security.
Apple’s attester can also carry out a process called rate limiting. It examines whether a user’s behavior follows expected patterns or may be associated with fraudulent internet activity, such as click farming.
The signed token eventually gets to the server through a multi-step process. The server doesn’t know anything about the user or device but trusts the attester enough to validate the process.
All this happens quickly and in the background. The user notices nothing except a friction-free transition to their destination websites.
Apple’s approach is one of the emerging strategies based on the move away from traditional security models and principles.
For example, there’s the zero-trust model, which has quickly gained traction in cybersecurity circles. It works on the principle that people’s identities must always be verified before they access the content.
They are never automatically trusted, even if they are the most senior person in the organization or someone who has worked there for decades.
Automatic verification is easy to activate
Apple’s CAPTCHA-elimination option sounds a bit technical to the average person. However, the company makes it easy to turn the feature on or deactivate it as needed.
First, tap Settings and click on your name in the left-hand panel. Next, go to Password & Security. From there, switch Automatic Verification on or off.
You’ll find it under the Advanced heading of that section. You’ll also find it turned on by default in iPhone and iPad versions of iOS 16.
How to enable Automatic Verification
If you’re on the beta of iOS 16 right now, Automatic Verification is on by default. We’re not sure if that will be the case when the public builds come this fall.
- Open the Settings app
- Tap on your Apple ID
- Tap on Password & Security
- Scroll down and toggle Automatic Verification to ON
The end of pesky CAPTCHAs?
This progress represents a major step forward for Apple. Even when people know how CAPTCHAs work, they typically find them frustrating due to the way they disrupt the internet experience.
For now, this technology only works on Apple devices running iOS 16.
However, if this approach proves viable in the real world, there may soon be similar options for Android devices and other operating systems.
That’s especially likely since Apple makes it easy for people to turn the feature on or off.
Many less tech-savvy users won’t bother with CAPTCHA-free technology if they perceive it will be too cumbersome.
That’s not the case with Apple’s option, and hopefully, other technology companies will follow suit with user-friendliness.