Skip to content

Rejoice, devs and all! Privacy Pass standard nukes CAPTCHAs

Richi Jennings
Blog Author

Richi Jennings, Independent industry analyst, editor, and content strategist. Read More...

large-captchaApple is to support the new Privacy Pass standard, to “attest” that its users aren’t robots. Google is expected to be close behind.

As security-conscious devs know, to resist bots and DDoS attacks, you sometimes need to use a CAPTCHA. But they’re ugly, unreliable, tricky to trust, lousy at I18N/A11Y and add UX friction. They can even cause abandoned sessions.

So it’s good news that Apple and Google are to kill the hated CAPTCHA. In this week’s Secure Software Blogwatch, we bleep boop whistle whir.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: The ground plane.

[ Get key takeaways from a survey of 300+ security professionals on software security. Plus: Download the report: Flying Blind: Firms Struggle to Detect Software Supply Chain Attacks ]

IETF says I’m human

What’s the craic? Andrew Orr reports—“Kill CAPTCHAs with Private Access Tokens”:

Web users won’t notice a thing
Private Access Tokens (PAT) can prove when an HTTP request is coming from a human instead of a bot. CAPTCHAs are the current form of authentication. … Known as the Completely Automated Public Turing test to tell Computers and Humans Apart, a CAPTCHA is an image or puzzle.

[But] these tools are an annoyance. CAPTCHAs can also be compromised, such as being used to steal login information. … PATs authenticate an HTTP request automatically in the background. … Using a new HTTP authentication method called PrivateToken, a server uses cryptography to verify a client passed an … attestation check.

[A] signed token is eventually sent to the server in a multi-step process. The server doesn't know anything about the device or the person accessing it. But it trusts the attester and validates the token, and the person is taken to their destination web page. … Web users won't notice a thing.

Tell me more? Take a Chance Miller—“Rid the web of pesky CAPTCHA verification puzzles”:

Support for this new Privacy Pass standard
This new “Automatic Verification” feature is enabled by default in the first betas of iOS 16, iPadOS 16, and macOS Ventura. You can find it by navigating to your Apple ID settings, choosing “Privacy and Security,” then looking for the new “Automatic Verification” toggle at the very bottom.

Companies including Fastly and Cloudflare are already developing support for this new Privacy Pass standard. In fact, both of those companies have already enabled their issuer services. [So] you should already be able to bypass CAPTCHAs on websites and apps that rely on those CDNs.

So it’s a new standard? Cloudflare’s Reid Tatoris and Maxime Guerreiro hint it’ll also be in Android soon—“Private Access Tokens: eliminating CAPTCHAs … with open standards”:

Verify if a visitor is faking
Apple announced that [Privacy Pass] will be incorporated into iOS 16 … and macOS 13, and we expect additional vendors to announce support in the near future. … Visitors using operating systems that support these tokens … can now prove they’re human without completing a CAPTCHA or giving up personal data. … If you’re a web or application developer, [you can] know your user is coming from an authentic device and signed application, verified by the device vendor directly [and] validate users without maintaining a cumbersome SDK.

Over the past year, Cloudflare has collaborated with Apple, Google, and [others] to extend the Privacy Pass protocol with support for [PATs]. These tokens simplify application security for developers and security teams, and obsolete legacy … approaches to determining if a human is using a device. … By partnering with third parties like device manufacturers, who already have the data that would help us validate a device, we are able to abstract portions of the validation process … without actually collecting, touching, or storing that data.

We don’t actually need … the underlying data. … We just want to verify if a visitor is faking their device or user agent. Private Access Tokens allow us to capture that validation state directly. … They allow us to be more confident in the authenticity of important signals, without having to look at those signals directly ourselves.

There’s a lot more to that post. But with the tl;dr, here’s u/mattartist:

It essentially boils down to:
  1. You make a request to a site.
  2. The site silently asks your device for a token.
  3. Your device … will contact Apple servers, basically asking for Apple to verify your device is legit.
  4. Apple's server contacts the site's issuer (in Cloudflare's example it's Cloudflare [but] it can be any authority that issues tokens) and asks them to issue a token for your device.
  5. Your device receives this token and forwards it to the website.
  6. Website goes, "Oh okay this person is legit, no need for CAPTCHAs," and lets you in.

Feeling a little déjà vu? Fastly’s Jana Iyengar and Jonathan Foote tell you why—“The privacy-respecting, CAPTCHA-less future we were promised”:

CAPTCHAs seem to be everywhere
If you’re familiar with Chrome Trust Tokens, Private Access Tokens might seem familiar. … It is a more accessible and capable iteration of the Privacy Pass protocol. … An IETF working group is currently developing and standardizing this technology in the open. Best of all … developers can try it out right now.

CAPTCHAs seem to be everywhere. Anyone who uses the web is painfully familiar with them. [They] make the web less accessible: Some users don’t care to solve them (and move on), while other users have difficulty solving CAPTCHAs altogether – and are prohibited from accessing content.

But will users flock to it? The aptly named registrations_suck calls it a “Rare Useful Feature”:

It is very rare that a new OS has a feature that I would find useful. Hell, it's rare for a new OS to debut a feature that I can imagine anybody having any use for. But this seems like an actual, bona fide useful feature. Congratulations!

Oh, CAPTCHA. How do I hate thee? The Oncoming Scorn does a passable Kent Brockman impression:

I for one am heartily sick of trying to squint to see the number letter combination or if there is a bus, bicycle, car train, bridge, traffic light in some far distant part of a picture and if it overlaps into a adjacent square(s) and if I should click on it as it's part of the item being asked to identify.

Let me count the ways. nospam007 reminds us that not everyone shares the same culture:

194 countries have no yellow taxis, [so] they don't recognize taxis in blurry stamp-sized photos.

And Eddygraphic has a more “niche” reason:

This is game changer for sneakerheads, no more losing time verifying you’re a human while entering quick sneaker drops.

Meanwhile, this Anonymous Coward counts down to an unintended consequence:

Spammers and scammers building their own easy CAPTCHA bypass facility for their bots out of walls and walls of iPhones in 3… 2… 1…

And Finally:

Bill’s electronic punnage


Previously in And Finally

You have been reading Secure Software Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Keep learning

Image sauce: Google