Anti-robot tests are annoying, especially on mobile devices. Apple plans to make that obsolete with Private Access Tokens as part of an industry-wide initiative.
Captchas could soon be a thing of the past for iPhone, iPad and Mac users. A new technology is intended to make the disruptive anti-robot tests on the web and in apps unnecessary: iOS and iPadOS 16 as well as macOS 13 Ventura support so-called “private access tokens” for this purpose, with which the device in use, and thus the user, proves itself legitimate to the service provider, as Apple explained at the WWDC 2022 developer conference. The manufacturer emphasized that this is done in a privacy-preserving way, without transmitting personal data.
Google on board too
In addition to being a general nuisance for end users, captchas also pose a serious problem for the accessibility of websites and apps, Apple explained. They can also be a privacy risk, because captcha providers sometimes rely on fingerprinting via the IP address for security and at the same time know the URL being visited, according to Apple. Private access tokens are meant to let service providers trust the requesting client directly, without additional elements such as captchas. At the same time, none of the parties involved should gain any deeper insight into the user or their browsing behavior.
The Private Access Tokens are based on the Privacy Pass protocol, in which other industry giants are also involved, including Google. It can therefore be assumed that similar functionality will be integrated into Android and other operating systems.
How the private access tokens work in iOS 16
According to Apple’s description, the tokens work as follows: when an iPhone user opens a website, the site can request the new token. The device or Apple (via an “iCloud Attester”) then confirms that it is a real user (registered via Apple ID) on a real device. The attester does not get to see the requested URL, Apple emphasized, and the Apple ID is not transmitted either. The attester then asks a third, independent party, the so-called issuer, which signs the token without knowing anything about the device. Finally, the iPhone can transmit the signed token to the server or service. Issuers include large content delivery networks such as Cloudflare.
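The separation of roles described above (client, attester, issuer, origin) is what gives Privacy Pass its privacy properties, and the mechanism behind it is a blind signature. The following Python script is an added illustration, not Apple's, Cloudflare's or the Privacy Pass working group's code: it uses a textbook RSA blind signature (the real protocol specifies a padded, full-domain-hash variant and a wire format that are not reproduced here), a constructed device allow-list in place of real device attestation, and made-up names such as `example.com` and `iphone-constructed-001`. It shows that the issuer signs without ever seeing the token it is signing, that the origin can still verify and reject replays, and that nothing observed by attester or issuer links to what the origin receives.

```python
"""Privacy Pass-style token flow with a textbook RSA blind signature.

Added illustration only (not Apple's, Cloudflare's or the IETF's code).
Roles: Origin (website), Client (device), Attester (iCloud-like), Issuer (CDN-like).
"""
import hashlib
import math
import random
import secrets


def is_probable_prime(n, rounds=32):
    """Miller-Rabin probable-prime test; fine for a demo, not a crypto library."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def h2i(data):
    """Hash a byte string to an integer (SHA-256, always below a 512-bit modulus)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


class Issuer:
    """Signs blinded values. Never sees the device identity or the unblinded token."""
    def __init__(self, bits=256):
        self.e = 65537
        while True:
            p, q = gen_prime(bits), gen_prime(bits)
            phi = (p - 1) * (q - 1)
            if p != q and math.gcd(self.e, phi) == 1:
                break
        self.n = p * q
        self.d = pow(self.e, -1, phi)
        self.seen_blinded = []          # everything the issuer ever observes

    def sign_blinded(self, blinded):
        self.seen_blinded.append(blinded)
        return pow(blinded, self.d, self.n)


class Attester:
    """Checks the device (constructed allow-list here) and forwards the blinded value.
    It never learns which origin the token is destined for."""
    def __init__(self, issuer, registered_devices):
        self.issuer = issuer
        self.registered = registered_devices

    def request_token(self, device_id, blinded):
        if device_id not in self.registered:
            raise PermissionError("device attestation failed")
        return self.issuer.sign_blinded(blinded)


class Origin:
    """The website: issues a challenge, verifies the signed token, rejects replays."""
    def __init__(self, name, issuer_pubkey):
        self.name = name
        self.n, self.e = issuer_pubkey
        self.redeemed = set()

    def challenge(self):
        return self.name.encode() + b"|" + secrets.token_bytes(16)

    def verify(self, token, sig):
        if token in self.redeemed:                        # double-spend
            return False
        if not token.startswith(self.name.encode() + b"|"):  # bound to another origin
            return False
        if pow(sig, self.e, self.n) != h2i(token) % self.n:
            return False
        self.redeemed.add(token)
        return True


def client_fetch_token(device_id, origin, attester):
    """Client side: blind the hashed token, get it signed via the attester, unblind."""
    n, e = attester.issuer.n, attester.issuer.e       # issuer public key is public
    token = origin.challenge() + b"|" + secrets.token_bytes(16)
    m = h2i(token)
    while True:
        r = secrets.randbelow(n - 2) + 2
        if math.gcd(r, n) == 1:
            break
    blinded = (m * pow(r, e, n)) % n                  # issuer sees only this
    blinded_sig = attester.request_token(device_id, blinded)
    sig = (blinded_sig * pow(r, -1, n)) % n           # valid signature on m
    return token, sig


def demo():
    issuer = Issuer()
    attester = Attester(issuer, {"iphone-constructed-001"})   # constructed device id
    origin = Origin("example.com", (issuer.n, issuer.e))
    token, sig = client_fetch_token("iphone-constructed-001", origin, attester)
    accepted = origin.verify(token, sig)
    replay = origin.verify(token, sig)
    observed = set(issuer.seen_blinded)
    unlinkable = h2i(token) not in observed and sig not in observed
    try:
        client_fetch_token("unknown-device", origin, attester)
        rogue = True
    except PermissionError:
        rogue = False
    return {"accepted": accepted, "replay_accepted": replay,
            "unlinkable": unlinkable, "rogue_device_got_token": rogue}


if __name__ == "__main__":
    print(demo())
```

The point to take from the run is the `seen_blinded` list: it contains only the blinded value, which is statistically independent of both the hash the origin checks and the signature the origin receives, so even an issuer and origin that pool their logs cannot pair a redemption with an issuance. The origin's `redeemed` set is the other half of the design; without it a single signed token could be replayed indefinitely.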
What exactly Apple uses to check the legitimacy of the user or Apple ID remains open for now. Presumably device data and certain usage patterns are evaluated. To minimize fraud in its own stores, Apple already uses a “device trust score” calculated from information about device usage, which also includes the “approximate number of calls or emails sent and received”. The company emphasizes that Apple cannot draw any conclusions about the actual numbers.