This New iOS 16 Feature Will Make Annoying CAPTCHAs a Thing of the Past
There’s much more packed into iOS 16 than just the big tentpole features like the customizable Lock Screen and iMessage editing. Between Apple’s WWDC developer sessions and the first beta being in the wild for the past couple of weeks, we’ve been finding out about many more hidden gems.
In addition to leading the way into a passwordless future, it looks like Apple is setting out to eliminate CAPTCHAs — those annoying little popups on websites that require you to tap on pictures of crosswalks or buses or decipher barely intelligible text.
These CAPTCHAs are understandably essential to ensure that website visitors are humans rather than bots, but they’re still annoying at the best of times — and doubly so on an iPhone screen.
Fortunately, as usual, Apple has come up with a better way.
As discovered by the folks at MacRumors, iOS 16 includes a new Automatic Verification setting that will allow Apple to verify your humanity on your behalf.
This optional setting is located in the Password & Security section of your Apple ID in the Settings app.
Bypass CAPTCHAs in apps and on the web by allowing iCloud to automatically and privately verify your device and account.
When you visit a supported website with this enabled, your iPhone will communicate with the website in the background to confirm that you are indeed a human and not a bot. The website should ask for that authentication before displaying a CAPTCHA. If it passes muster, then no CAPTCHA is required. It will work on iPadOS 16 and macOS Ventura, too.
How Automatic Verification Works
Apple explained the technology behind this in a WWDC session earlier this month, describing how its new operating systems can use “Private Access Tokens” to replace traditional CAPTCHA verifications.
It’s worth mentioning that this isn’t just a blanket acceptance. Apple recognizes that hackers and other malicious actors could try to set up a bot network using iPhones, iPads, or Macs. Hence, the process will use several other signals to detect when an Apple device is being used by a human.
Even if someone is interacting with your website for the first time, if they are loading it through an app or browser like Safari, they’ve already performed many actions that are hard for a bot to imitate. First, they have an iPhone, iPad, or Mac, and they’ve unlocked the device with their password, Touch ID, or Face ID.
Tommy Pauly, Apple Internet Technologies Engineer
Other factors such as rate-limiting will also help verify that a human is at the helm. An iPhone bot farm isn’t likely to go slowly since the whole point of bot networks is to work as quickly as possible.
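The exchange described above, seen from the website's side, as an added example (not code from Apple or from this article). It goes beyond the article by using the wire format of the Privacy Pass HTTP authentication scheme (the PrivateToken scheme, token type 0x0002). The function names, the issuer key and the directly signed demo token are constructed for illustration, and the key id is simply SHA-256 of the key as exported here.

```javascript
const crypto = require('crypto');

const TOKEN_TYPE = 0x0002;                       // blind RSA, publicly verifiable
const PSS = { padding: crypto.constants.RSA_PKCS1_PSS_PADDING, saltLength: 48 };
const u16 = (n) => Buffer.from([n >> 8, n & 0xff]);
const sha256 = (b) => crypto.createHash('sha256').update(b).digest();

// TokenChallenge: type || issuer<2-byte len> || redemption_context<1-byte len> || origin<2-byte len>
function buildChallenge(issuer, origin, context = crypto.randomBytes(32)) {
  const i = Buffer.from(issuer), o = Buffer.from(origin);
  return Buffer.concat([u16(TOKEN_TYPE), u16(i.length), i,
                        Buffer.from([context.length]), context, u16(o.length), o]);
}

// WWW-Authenticate value the site sends with a 401 before falling back to a CAPTCHA.
function challengeHeader(challenge, issuerSpki) {
  return `PrivateToken challenge="${challenge.toString('base64url')}", ` +
         `token-key="${issuerSpki.toString('base64url')}"`;
}

const spent = new Set();                         // nonces already redeemed (single use)

// Returns "ok", or the reason the site should show its CAPTCHA instead.
function redeem(authorization, challenge, issuerKey, issuerSpki) {
  const m = /^PrivateToken token="?([A-Za-z0-9_=-]+)"?$/.exec(authorization || '');
  if (!m) return 'no-token';
  const t = Buffer.from(m[1], 'base64url');
  if (t.length !== 2 + 32 + 32 + 32 + 256 || t.readUInt16BE(0) !== TOKEN_TYPE) return 'bad-format';
  const nonce = t.subarray(2, 34), digest = t.subarray(34, 66), keyId = t.subarray(66, 98);
  if (!digest.equals(sha256(challenge))) return 'wrong-challenge';   // bound to our challenge
  // Demo assumption: key id = SHA-256 of the SPKI bytes as exported in this example.
  if (!keyId.equals(sha256(issuerSpki))) return 'unknown-key';
  if (!crypto.verify('sha384', t.subarray(0, 98), { key: issuerKey, ...PSS }, t.subarray(98)))
    return 'bad-signature';
  if (spent.has(nonce.toString('hex'))) return 'replayed';
  spent.add(nonce.toString('hex'));
  return 'ok';
}

// Constructed stand-in for client + issuer: signs directly instead of blind-signing.
function demoToken(challenge, issuerPriv, issuerSpki) {
  const input = Buffer.concat([u16(TOKEN_TYPE), crypto.randomBytes(32),
                               sha256(challenge), sha256(issuerSpki)]);
  const sig = crypto.sign('sha384', input, { key: issuerPriv, ...PSS });
  return `PrivateToken token="${Buffer.concat([input, sig]).toString('base64url')}"`;
}
```

The token carries only a random nonce, a digest of the site's challenge, an issuer key id and a signature, so the site learns that an issuer vouched for the client without receiving an account or device identifier.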
Benefits of Automatic Verification
While this will make things more convenient for all of us who are tired of dealing with CAPTCHAs, Apple has two even more important motivations for doing this.
First is a strong focus on improving accessibility. CAPTCHAs are enough of a pain for users who don’t have disabilities or language barriers, but they pose an even more serious problem for accessibility. It’s easy to see how avoiding CAPTCHAs entirely will make the entire web more accessible.
However, there’s also a privacy problem with CAPTCHAs that many folks don’t realize. CAPTCHAs often come with a whole lot of tracking and fingerprinting of clients. This is ostensibly done to make it easier to bypass a CAPTCHA or present a simpler one when you revisit the same website, but tracking is still tracking.
In order to determine if a client is trusted and can get an easier CAPTCHA, servers often rely on tracking or fingerprinting clients by using their IP address. This kind of tracking is at odds with the direction of internet privacy being taken by Safari, Mail Privacy Protection, and iCloud Private Relay.
Tommy Pauly, Apple Internet Technologies Engineer
Automatic Verification removes the need for this kind of tracking. The Private Access Tokens don’t expose your IP addresses or other personal information. Since the whole process is transparent to the user, a site can ask for a new token every single time you return to it. There’s no need for it to track and store your IP or set cookies in your browser to bypass CAPTCHAs later on.
When’s It Coming?
Apple’s Automatic Verification is part of a broader Internet Engineering Task Force (IETF) initiative called Privacy Pass. As with other web technologies, Apple isn’t building anything proprietary here. Instead, it’s using its high profile and involvement in the IETF to drive web technologies that are more user-friendly and less privacy-invasive.
To give you an idea of how involved Apple is when it comes to web standards, Tommy Pauly, the engineer who presented the “Replace CAPTCHAs with Private Access Tokens” session at WWDC, also co-chairs two IETF Working Groups and serves as a member of the Internet Architecture Board.
Apple already has buy-in from two of the most prominent front-end security providers, Cloudflare and Fastly, which means that when iOS 16 and macOS Ventura land later this year, there will already be millions of websites on board and ready to handle the streamlined verification process.