"Totally not a bot!" - iOS 16 will let you bypass CAPTCHAs on some apps and websites

Lightwreather

Summary

 

When iOS 16 comes out later this fall, you may notice that you don’t have to deal with as many annoying CAPTCHAs asking you to slide a puzzle piece or distinguish between a hill and a mountain. That’s because Apple’s introducing a feature for its iPhones and Macs called Automatic Verification, which lets some sites know that you’re not a bot without you actually having to do anything.

 

 

Quotes

Apple has worked with two major content delivery networks, Fastly and Cloudflare, to develop the system. When it launches with iOS 16 and macOS Ventura, sites that use either of the services to defend against spam should be able to take advantage of the system and stop showing you so many CAPTCHAs. If you’re attentive to how many sites go down when either Fastly or Cloudflare start to have issues, you’ll know that’s a solid chunk of the internet that may become significantly less annoying (especially to those who see CAPTCHAs more often than average because they use a VPN or clear their cookies frequently).

The underlying system, which Apple calls Private Access Tokens, is vaguely reminiscent of its system to replace passwords. Here's a very simplified idea of how it works: your device looks at a variety of factors to determine whether you’re a human. When you go to a website that would normally ask you to fill out a CAPTCHA, that site can ask your phone or computer if a human is using it. If your device says yes, you’ll be let right on through.

Thankfully for Android and Windows users, Apple isn’t the only one working on this tech. According to Fastly, Google also helped develop it, and the concept of having a trusted party vouch that you’re a human is being built into internet standards.

 

My thoughts

There's a deeper dive into how this works in the WWDC video linked if that interests you.

Also, FINALLY. This is honestly something I really am looking forward to. No more existential dread resulting from failing an "Are you a robot?" question for the 100th time. Apple claims this isn't privacy invasive, and while I am mildly skeptical about that claim, I'm inclined to believe them.

Well, hopefully with Apple's scale, this tech actually takes off.

Also lemme leave you with this gem:

Sources

TheVerge (Quote)

WWDC

Fastly

Macrumors

AppleInsider

Can this be spoofed?


36 minutes ago, J-from-Nucleon said:

According to Fastly, Google also helped develop it

Doesn't Google own/run one of the major captcha services?


Me: Was hoping Apple developed a good enough AI to simply trick the Captchas. 


Wouldn't this mean that a robot is telling the computer that its user isn't a robot?


2 hours ago, wamred said:

Wouldn't this mean that a robot is telling the computer that its user isn't a robot?

Yup, the trusted robot sees if the user is a robot and tells the other robot that the user isn't a robot, if indeed the user isn't a robot of course 😉


So what if I build a robotic arm that taps things on a screen in a repeating manner, wouldn't that get around this? It probably just goes off the fact that software isn't manipulating the device and since the screen is a human interface device, all things touching the screen are considered "human".

I solve maybe one of those a month maybe even less. So is captcha even used that much anymore?

 

Also it's probably just a matter of days after the feature gets implemented until people add that functionality to bots to circumvent the whole captcha thing. Which in return means the functionality gets ignored by captcha and you still have to solve it. So what exactly is that feature accomplishing?


1 hour ago, Montana One-Six said:

I solve maybe one of those a month maybe even less. So is captcha even used that much anymore?

More likely using a VPN... since a shared IP and a lot more traffic going through it... and specifically a bit of that traffic will be malicious traffic which triggers captchas.

The thing I wonder about is what mechanism are they using to try avoiding ID'ing a user. I'm assuming there will be communication with a secondary server that does the actual verification. With that said though, you then would have some company knowing the sites you are accessing... which for some would defeat the point of a VPN (as now they have your device fingerprint).


On 6/21/2022 at 9:11 PM, williamcll said:

Can this be spoofed?

If you get hold of Apple's private keys, yes, but if you can do that then there are a load of other issues; spoofing a real user is not going to be top of your list. I expect selling these keys to some govs might make a little more money than creating a few bot accounts.


7 hours ago, wanderingfool2 said:

The thing I wonder about is what mechanism are they using to try avoiding ID'ing a user. I'm assuming there will be communication with a secondary server that does the actual verification.

I expect they are using the same infra that devs on the platform can use to validate the app is running on a modern Apple device and has not been modified (used by game devs so they don't need nasty kernel drivers for anti-cheat). It's a cryptographic handshake between the secure enclave of the device, the application hash that you can then validate server side is from a valid Apple device and is for a binary signature that you trust. This does not leak any info about the user, just that the user is using a modern Apple device and the app talking to you has not been tampered with. I expect they could build on top of this API to provide a web API with a signed signature providing the same proof.
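
The questions raised in the posts above (how a trusted party can vouch for a device without learning which site is asking, and why spoofing needs the issuer's private key) can be illustrated with a blind signature, a primitive used by token schemes of this kind. This is an added example, not part of any post in the thread and not Apple's, Cloudflare's or Fastly's code: a toy, unpadded RSA blind signature in which the key size and the names `digest`, `client_blind`, `issuer_sign`, `client_unblind`, `origin_verify` and `run_exchange` are all assumptions made for illustration.

```python
import hashlib
import math
import secrets

# Toy issuer key built from two known Mersenne primes (constructed for this
# demo; far too small for real use, and real tokens use padded RSA).
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # issuer's private exponent

def digest(challenge: bytes, nonce: bytes) -> int:
    """Token message: hash of the origin's challenge and a client nonce."""
    return int.from_bytes(hashlib.sha256(challenge + nonce).digest(), "big") % N

def client_blind(m: int) -> tuple[int, int]:
    """Hide m from the issuer with a random factor r: m * r^e mod n."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            return (m * pow(r, E, N)) % N, r

def issuer_sign(blinded: int) -> int:
    """Issuer signs what it is handed; it never sees m or the origin."""
    return pow(blinded, D, N)

def client_unblind(blind_sig: int, r: int) -> int:
    """Strip r to obtain an ordinary signature on m."""
    return (blind_sig * pow(r, -1, N)) % N

def origin_verify(m: int, sig: int) -> bool:
    """Origin checks the token using only the issuer's public key."""
    return pow(sig, E, N) == m

def run_exchange() -> dict:
    challenge = secrets.token_bytes(16)  # sent by the origin (constructed)
    m = digest(challenge, secrets.token_bytes(16))
    blinded, r = client_blind(m)
    sig = client_unblind(issuer_sign(blinded), r)
    return {
        "token_accepted": origin_verify(m, sig),
        "issuer_saw_token": blinded == m,  # False: issuer cannot link it
        "guessed_sig_accepted": origin_verify(m, secrets.randbelow(N)),
    }

if __name__ == "__main__":
    print(run_exchange())
```

The issuer only ever handles the blinded value, so it cannot match a token presented to a site with the signing request it served, and a signature made without `D` fails `origin_verify`.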
