To create an account here, you must click on images of palm trees, unless they are traffic lights. To log in there, you have to drag a square across an image, quickly but not too quickly. To go on filling out a form, you need to decipher the Rosetta Stone while hopping. Rest assured, Apple engineers are at least as annoyed by CAPTCHAs as you are.
These Turing tests claim to distinguish humans from computers, but they are regularly defeated by advances in computing research. Whether they show characters or images, they share the same purpose: making you work for free. Text CAPTCHAs were used to check the output of OCR tools, and photo CAPTCHAs help label data used in machine learning and autonomous driving.
Google wants to fend off criticism with its new reCAPTCHA mechanism, which is supposed to use sophisticated techniques to analyze browser behavior and reduce the CAPTCHA to a single checkbox. Except that these techniques rely mainly on tracking the IP address and fingerprinting the browser, and they do not replace the more traditional tests, which remain hard to use for people relying on screen readers.
With the help of Fastly and Cloudflare, but also Google, Apple wants to standardize the Privacy Pass protocol to replace CAPTCHAs for good. The Cupertino company thinks that having a device, a fingerprint or a face to unlock it, and an account to download apps from the App Store or sync data from Safari is sufficient proof of humanity.
The Privacy Pass protocol involves two actors: a provider, which issues the tokens vouching for the trustworthiness of the browser, and a validator, which verifies the token produced by the provider. Apple takes its inspiration from the Oblivious DoH system, designed in partnership with Cloudflare, to anonymize the exchanges through an iCloud attestation server.
Before showing a CAPTCHA, a site can use the PrivateToken HTTP authentication scheme to require a private access token, an authentication token issued by a trusted provider. In iOS 16 and macOS Ventura, the browser will be able to forward the request to the iCloud attestation server, stripping out the information that identifies the site making the request.
Apple checks the request: if thousands of other requests come from the same IP address, the device is part of a server farm, and if hundreds of requests come from the same device, it was probably hijacked by a botnet. If everything appears to be in order, the attestation server signs the request and sends it on to the token provider, this time stripping out the information that identifies the device making the request.
The provider implicitly trusts Apple: the response travels back along the same path, the identifying information is reattached step by step, and finally the site validates the token and lets the user in. Apple knows the identity of the user but not that of the site, the provider knows the identity of the site but not that of the user, and so the confidentiality of the exchanges is preserved.
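The separation of knowledge described above rests on blind signatures: the provider signs a value it cannot read, and the site later verifies the unblinded signature without the provider ever seeing it. The toy model below is an added example, not Apple's, Cloudflare's or the Privacy Pass specification's own code; it uses RSA blind signatures (the primitive behind publicly verifiable Privacy Pass tokens) with a constructed challenge and a deliberately small 512-bit key, and it leaves out the attestation server, which only relays the blinded request after vetting the device.

```python
import hashlib
import secrets

def is_probable_prime(n, rounds=32):
    # Miller-Rabin test; adequate for a toy key, not for production keys
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def issuer_keygen(bits=512, e=65537):
    # Token provider's RSA key; the site only needs the public part (n, e).
    primes = []
    while len(primes) < 2:
        p = secrets.randbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
        if is_probable_prime(p) and p not in primes and (p - 1) % e:
            primes.append(p)
    p, q = primes
    return (p * q, e), pow(e, -1, (p - 1) * (q - 1))

def client_blind(pub, challenge):
    # Browser: hash the site's challenge with a fresh nonce, then blind it with r
    # so the provider never sees the value m that the site will later receive.
    n, e = pub
    m = int.from_bytes(hashlib.sha512(challenge + secrets.token_bytes(32)).digest(), "big") % n
    r = secrets.randbelow(n - 2) + 2
    return m, r, (m * pow(r, e, n)) % n

def issuer_sign(blinded, n, d):  # provider signs the blinded value, learning nothing about m
    return pow(blinded, d, n)

def client_unblind(blind_sig, r, n):  # browser removes r, leaving a plain RSA signature on m
    return (blind_sig * pow(r, -1, n)) % n

def origin_verify(pub, m, sig):  # site: a valid signature on m means the CAPTCHA is skipped
    return pow(sig, pub[1], pub[0]) == m

def run_flow():
    pub, d = issuer_keygen()
    m, r, blinded = client_blind(pub, b"constructed site challenge")
    return origin_verify(pub, m, client_unblind(issuer_sign(blinded, pub[0], d), r, pub[0]))
```

Because the provider only ever sees `blinded`, it cannot match the token it signed to the `m` presented to the site later, which is what keeps the provider from learning who visited where.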
Fastly and Cloudflare have already implemented the Privacy Pass protocol, which you can also try out on the hCaptcha service's site. Other token providers will be able to register on the Apple Business Register portal by the end of the year. There is one condition: a provider must operate at least one hundred servers, so that a site cannot be identified by its choice of provider.
Apple already uses the Privacy Pass protocol to authenticate Private Relay users. Google implements this technology under the name Trust Tokens, but refuses to consider it a replacement for CAPTCHAs. Instead, the largest advertising network on the planet uses them to verify that the user is indeed human… so that ad impressions are not wasted on bots.