Apple took several steps toward a password-free future at its Worldwide Developer Conference, but another component of its strategy will be to replace CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart) with a more private solution.
Introducing: Private Access Tokens
Apple is working with Cloudflare (widely assumed to be its partner on the technology behind iCloud Private Relay), Google and Fastly to deploy a standardized alternative to CAPTCHA called Private Access Tokens.
We’ve all become used to CAPTCHA interrogations online. The number of crosswalks and taxis people have identified in photographs must surely run into the billions, and the extra step is an annoyance when logging in to or setting up accounts online.
The process also challenges users with accessibility problems or language barriers.
Another problem is that CAPTCHA servers sometimes rely on fingerprinting or tracking clients by IP address, which runs counter to the industry’s moves to protect user privacy. And while the process does help protect services and their servers against fraudulent activity, it adds friction to the user experience.
So CAPTCHA serves its purpose, but at the cost of user experience, privacy and accessibility.
Private Access Tokens attempt to find a better way.
What are Private Access Tokens?
The idea behind Private Access Tokens is that by the time you arrive at a website you have already cleared hurdles that are hard for a bot to emulate: you are probably using a device that was unlocked with biometrics or a passcode, on Apple platforms you are likely signed in with an Apple ID, and you are probably using a code-signed app. Private Access Tokens turn that context into a token the website can check, using the Privacy Pass technology currently being standardized by the IETF Privacy Pass working group.
Apple demonstrated this with two devices accessing the FT.com website. The first, an iOS 15 device, had to fill in account details and then pass a CAPTCHA to log on; the iOS 16 device simply visited the site and was logged on, no interaction required.
When you consider the number of times a day you or your customers are required to log in the first way, the advantages of Private Access Tokens seem clear.
What happens in practice?
As I understand it, this is the process that takes place:
- The device and the service/website must first introduce support for Private Access Tokens.
- Servers request tokens using a new HTTP authentication scheme called PrivateToken: the server sends a challenge in a WWW-Authenticate header, and the client answers with a token in an Authorization header. The token is a cryptographic proof that the client has passed what is called an “attestation check.”
- An attestation check can be understood as a highly secure, private and trusted statement that tells the server the request is from a bona fide client.
- The process keeps personal information out of the exchange. In Apple’s case (other implementations may vary) an iCloud attester service checks the device and vouches for it to a separate token issuer, which signs the token blind: the attester knows the device but not the site, the issuer and the website see a token they cannot link back to the device, and none of them learns anything new about the user.
- Both Cloudflare and Fastly now offer token issuer services for services and platforms.
- Cloudflare has already incorporated support for Private Access Tokens into its Managed Challenge platform, so customers already using that feature will automatically take advantage of this new technology to improve the browsing experience for supported devices.
- Once the attestation process completes and the token checks out, the server knows the request came from a client that passed the attester’s checks, strong evidence that it is a real person rather than a bot or a script.
- And it lets them in without a CAPTCHA.
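The exchange described above, as an added example that is not part of the original article and is not Apple’s, Cloudflare’s or Fastly’s code. It follows the Privacy Pass pattern the article outlines, with the four roles named above (client, attester, issuer, origin) and the blind-signature step that keeps the issuer from linking a token to a device. Everything concrete in it is an assumption for illustration: the RSA key is built from two small Mersenne primes (the real scheme uses RSA blind signatures with RSA-PSS and full-size keys), a plain hash stands in for the PSS encoding, the attester’s check is a two-field stand-in for Apple’s device checks, and the names `ft.example` and `issuer.example` are made up. The token layout (type, nonce, challenge digest, key id, signature) is simplified from the draft format.

```python
"""Toy, end-to-end Private Access Token exchange in the Privacy Pass style, with the
four parties named in the article: client, attester, issuer and origin.
Constructed illustration: the RSA key is ~150 bits and the attestation check is a
stand-in, so nothing here is secure; the message flow and the checks are the point."""
import base64
import hashlib
import math
import secrets

# Issuer key built from two well-known Mersenne primes (toy size, for the demo only).
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
NBYTES = (N.bit_length() + 7) // 8
TOKEN_TYPE = b"\x00\x02"   # type value of the publicly verifiable (blind RSA) token


def b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def unb64u(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def fdh(msg: bytes) -> int:
    """Full-domain-style hash into Z_N; stands in for the real RSA-PSS encoding."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


class Origin:
    """The website. Learns only that a valid, unspent token for one of its challenges arrived."""
    def __init__(self, name: str):
        self.name, self.issued, self.spent = name, set(), set()

    def challenge(self) -> dict:
        # Stands in for: WWW-Authenticate: PrivateToken challenge=..., token-key=...
        tc = TOKEN_TYPE + b"issuer.example" + secrets.token_bytes(32) + self.name.encode()
        self.issued.add(hashlib.sha256(tc).digest())
        return {"challenge": b64u(tc), "token-key": b64u(N.to_bytes(NBYTES, "big"))}

    def verify(self, token: bytes) -> bool:
        # Stands in for: Authorization: PrivateToken token=...
        body, sig = token[:98], int.from_bytes(token[98:], "big")
        nonce, challenge_digest = body[2:34], body[34:66]
        if challenge_digest not in self.issued:   # token bound to another origin/challenge
            return False
        if nonce in self.spent:                    # replay / double spend
            return False
        if pow(sig, E, N) != fdh(body):            # forged, or signed under a different key
            return False
        self.spent.add(nonce)
        return True


class Attester:
    """Stand-in for the iCloud attester: inspects device state, tells the issuer yes/no."""
    def attest(self, device: dict) -> bool:
        return bool(device.get("unlocked")) and bool(device.get("signed_in"))


class Issuer:
    """Blind-signs whatever the attester vouched for; only ever sees blinded values."""
    def __init__(self):
        self.seen = []

    def issue(self, blinded: int, attested: bool):
        if not attested:
            return None
        self.seen.append(blinded)
        return pow(blinded, D, N)


def fetch(origin: Origin, attester: Attester, issuer: Issuer, device: dict):
    """Client side: answer the origin's challenge with a freshly issued token."""
    ch = origin.challenge()
    challenge = unb64u(ch["challenge"])
    body = (TOKEN_TYPE + secrets.token_bytes(32)                    # nonce
            + hashlib.sha256(challenge).digest()                   # challenge digest
            + hashlib.sha256(ch["token-key"].encode()).digest())   # token key id
    h = fdh(body)
    while True:                                                   # blinding factor coprime to N
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            break
    blinded = h * pow(r, E, N) % N                                # issuer sees only this
    blind_sig = issuer.issue(blinded, attester.attest(device))
    if blind_sig is None:
        return None                                               # would fall back to a CAPTCHA
    sig = blind_sig * pow(r, -1, N) % N                           # unblind: sig == h^D mod N
    return body + sig.to_bytes(NBYTES, "big")


def demo() -> dict:
    origin, attester, issuer = Origin("ft.example"), Attester(), Issuer()
    good = {"unlocked": True, "signed_in": True}
    token = fetch(origin, attester, issuer, good)
    out = {"accepted": origin.verify(token)}
    out["replay_rejected"] = not origin.verify(token)
    out["unattested_gets_no_token"] = fetch(origin, attester, issuer, {"unlocked": False}) is None
    forged = TOKEN_TYPE + secrets.token_bytes(32) + token[34:98] + secrets.token_bytes(NBYTES)
    out["forgery_rejected"] = not origin.verify(forged)
    out["wrong_origin_rejected"] = not Origin("other.example").verify(fetch(origin, attester, issuer, good))
    out["issuer_never_saw_token"] = fdh(token[:98]) not in issuer.seen
    return out


if __name__ == "__main__":
    print(demo())
```

Running `demo()` walks the happy path and then the four failure modes a deployment cares about: a replayed token, a device the attester refuses, a forged signature, and a token minted for one site being presented to another. The last line of `demo()` is the privacy property: the issuer’s log contains only blinded values, so even an issuer colluding with the website cannot match a redeemed token to an issuance.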
There is more to the process than this simplified explanation provides. For example, it is also designed to withhold tokens from compromised devices and bots. To go a little deeper, developers can review this Apple presentation, this note from Cloudflare, another from Fastly and Google’s introduction to a similar technology called Chrome Trust Tokens. Finally, for the deepest dive, this article describes the architecture of the system, and this one gives Apple developers additional detail to help deploy and support the feature.
What next for this tech on Apple?
Apple’s iOS 16, iPadOS 16 and macOS Ventura beta testers may already be encountering the technology on sites and services that support it, though unless they really like CAPTCHA interrogations, they probably won’t notice. As time moves on we’ll see more sites and services add support, with most Apple developers relying on iCloud for attestation and third parties, including existing CAPTCHA providers, likely building support for Private Access Tokens into their systems.
This is far from the only security and privacy improvement Apple announced at WWDC. The company will today discuss tools to further secure DNS within an application, and it has also introduced its next-generation authentication technology, Passkeys, a highly secure way to access sites and services. The company also fielded impressive security and privacy enhancements in Safari, including strong protection against cross-site scripting vulnerabilities. More on that here.
What Fastly and Cloudflare say
Jana Iyengar, Product Lead, Infrastructure Services at Fastly, explained:
“Fastly is proud to invest, engage, and create technology and products that exemplify our belief that security and privacy are critical to a more trusted internet. We are actively working with our partners in the standards community to add more features to Private Access Tokens — like rate limiting for media protection and attestations for more client properties. There are exciting potential applications of this technology: consider what you could do with cryptographic guarantees that you’re exposing only and exactly what a website needs to know about a user — like their age. Providing an explicit guarantee on this sort of data flow can protect both users and websites.”
Cloudflare’s Reid Tatoris and Maxime Guerreiro wrote:
“This is just step one for us. We are actively working to get other clients and device makers utilizing the PAT framework as well. Any time a new client begins utilizing the PAT framework, traffic coming to your site from that client will automatically start asking for tokens, and your visitors will automatically see fewer CAPTCHAs. We will be incorporating PATs into other security products very soon.”
What this means for you and your business
In conjunction with Apple’s many other online privacy protections, the industry’s intention to make it increasingly difficult to correlate device data with personal identity should make fingerprinting far harder to sustain. Surveillance capitalists who trade in personal data exfiltrated from people without express consent will, and should, need to change their business models.
Overall, these moves should deliver extraordinary benefits to every user while also putting additional shields in place so enterprises can guard against sophisticated attempts to harvest personal data to undermine endpoint security or penetrate business networks.