Apple took several steps toward a passwordless future at its Worldwide Developers Conference, but another part of its strategy is to replace CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) with a more private solution.
Overview: Private Access Tokens
Apple is working with Cloudflare (with whom most believe it developed the technology behind iCloud Private Relay), as well as with Google and Fastly, to implement a standardized alternative to CAPTCHA called private access tokens.
We have all become used to encountering CAPTCHA queries when working online. The number of crosswalks and taxis that most people have identified in photographs must surely be in the billions, and it is sometimes an annoying extra step to go through the process when logging in or creating new accounts online.
The process also challenges users with accessibility issues or language barriers.
Another issue is that CAPTCHA servers sometimes rely on fingerprinting/tracking customers using their IP address, which is not reflective of industry measures taken to protect user privacy. And while the process helps protect the services and their servers from fraudulent activity, it adds friction to the user experience.
Therefore, CAPTCHA serves its purpose, but at the expense of user experience, privacy, and accessibility.
Private access tokens try to find a better way.
What are private access tokens?
The theory behind private access tokens is that by the time you get to a website, you've already cleared hurdles that are hard for a bot to imitate. You are probably using a device that is already unlocked via biometric authorization or a passcode. On Apple platforms, users are likely to be signed in to the device with an Apple ID and are likely to be using a code-signed app. Private access tokens use this information to establish trust, using technology currently being standardized by the IETF Privacy Pass Working Group.
Apple displayed two devices accessing the FT.com website to demonstrate this. The first iOS 15 device had to fill in account details and then use CAPTCHA to log in; the iOS 16 device simply visited the site to connect, no interaction required.
When you consider how many times a day you or your customers need to log in for the first time, the benefits of Private Access Tokens seem clear.
What happens in practice?
If I understood correctly, this is the process that takes place:
- The device and the service/website must first introduce support for private access tokens.
- The servers will request tokens using a new HTTP authentication method called PrivateToken, which uses cryptographic techniques to verify that a user has passed what is called an "attestation check."
- An attestation check can be understood as a highly secure, private, and trustworthy statement that tells the server that the request came from a bona fide requester.
- The process hides personal information and relies (in Apple's case, though other implementations may vary) on an iCloud attestation service (a "token issuer") that verifies the user without sharing (or learning) personal information about them.
- Cloudflare and Fastly now offer token-issuing services for services and platforms.
- Cloudflare has already integrated support for Private Access Tokens into its Managed Challenge platform, so customers who already use this feature will automatically take advantage of this new technology to improve the browsing experience for supported devices.
- Once the attestation process is complete, the server knows that the request is not fraudulent and is from a real person.
- And it lets them in without CAPTCHA.
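The PrivateToken exchange in the list above, seen from the server's side, as an added example that is not part of the original article or any vendor's code. The byte layout follows the IETF Privacy Pass HTTP authentication specification; `verify_sig` is a hypothetical caller-supplied callback standing in for the issuer-key signature check, and the host names and key bytes are constructed.

```python
import base64, hashlib, struct

TOKEN_TYPE, NID, NK = 0x0002, 32, 256  # Blind RSA type; key-id and authenticator sizes

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()

def build_challenge(issuer: str, origin: str, context: bytes = b"") -> bytes:
    """TokenChallenge: type | issuer_name<2> | redemption_context<1> | origin_info<2>."""
    if len(context) not in (0, 32):
        raise ValueError("redemption_context must be empty or 32 bytes")
    i, o = issuer.encode(), origin.encode()
    return (struct.pack("!HH", TOKEN_TYPE, len(i)) + i + bytes([len(context)])
            + context + struct.pack("!H", len(o)) + o)

def www_authenticate(challenge: bytes, token_key: bytes) -> str:
    return f'PrivateToken challenge="{b64u(challenge)}", token-key="{b64u(token_key)}"'

def check_token(authorization, challenge, token_key, seen, verify_sig) -> str:
    """Validate 'Authorization: PrivateToken token="..."' against our own challenge."""
    scheme, _, param = authorization.partition(" ")
    if scheme != "PrivateToken" or not (param.startswith('token="') and param.endswith('"')):
        return "reject: not a PrivateToken credential"
    raw = param[7:-1]
    try:
        tok = base64.urlsafe_b64decode(raw + "=" * (-len(raw) % 4))
    except ValueError:
        return "reject: bad base64url"
    if len(tok) != 66 + NID + NK or struct.unpack("!H", tok[:2])[0] != TOKEN_TYPE:
        return "reject: wrong length or token type"
    nonce, digest, key_id = tok[2:34], tok[34:66], tok[66:66 + NID]
    if digest != hashlib.sha256(challenge).digest():
        return "reject: token not bound to our challenge"
    if key_id != hashlib.sha256(token_key).digest():
        return "reject: token signed for a different issuer key"
    if not verify_sig(tok[:66 + NID], tok[66 + NID:]):  # signature covers the header fields
        return "reject: bad authenticator"
    if nonce in seen:                                   # each token redeems only once
        return "reject: replayed token"
    seen.add(nonce)
    return "accept"

def demo():
    """Constructed values only: made-up key bytes, zero nonce, signature check stubbed to True."""
    key, seen = b"constructed-issuer-key", set()
    ch = build_challenge("issuer.example", "shop.example")
    tok = (struct.pack("!H", TOKEN_TYPE) + bytes(32) + hashlib.sha256(ch).digest()
           + hashlib.sha256(key).digest() + bytes(NK))
    auth = f'PrivateToken token="{b64u(tok)}"'
    return [check_token(auth, ch, key, seen, lambda msg, sig: True) for _ in range(2)]
```

The token carries only a nonce, a digest of the challenge, a key identifier and a signature, so the origin learns that an issuer vouched for the client and nothing about which client it was.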
There is much more to the process than this somewhat simplified explanation provides. For example, it also protects against access requests from compromised devices or bots. If you want to dig a little deeper, developers can check out this presentation from Apple, this note on Cloudflare, another from Fastly, and Google's introduction to a similar technology called Chrome Trust Tokens. Finally, for a deeper dive, this article describes the architecture of the system and gives Apple developers additional details to help implement/support the feature.
What future does this technology have at Apple?
Apple's iOS 16, iPadOS 16, and macOS Ventura beta testers may already be encountering the technology if they go to a site or service that supports it, but unless they really don't like CAPTCHA queries, they probably won't notice. Of course, over time we will see more and more sites and services introduce support, with most Apple developers choosing iCloud for attestation and third parties, including existing CAPTCHA technology providers, likely integrating support for private access tokens into their systems.
This technology is far from the only security and privacy enhancement announced by Apple at WWDC. The company will discuss tools today to further ensure DNS security within an application, and has also introduced next-generation authentication technology, Passkeys. Passkeys are a highly secure way to access sites and services. The company has also implemented some impressive security and privacy improvements to Safari, including stronger protection against cross-site scripting vulnerabilities. More on that here.
What Fastly and Cloudflare say
Jana Iyengar, Product Manager, Infrastructure Services at Fastly, explained:
“Fastly is proud to invest in, engage in, and create technologies and products that exemplify our belief that security and privacy are essential to a more reliable Internet. We are actively working with our partners in the standards community to add more functionality to Private Access Tokens, such as rate limiting for media protection and certifications for more client properties. There are some interesting potential applications for this technology: think about what you could do with the cryptographic collateral that exposes only exactly what a website needs to know about a user, like her age. Providing an explicit guarantee about this type of data flow can protect both users and websites.”
Reid Tatoris and Maxime Guerreiro of Cloudflare wrote:
"This is just the first step for us. We are actively working to get other customers and device manufacturers to use the PAT framework as well. Every time a new customer starts using the PAT framework, your site traffic from this customer will begin automatically requesting tokens, and your visitors will automatically see fewer CAPTCHAs. We will be integrating PAT into other security products very soon."
What this means for you and your business
Along with Apple's many other solutions for protecting privacy online, the industry's intent to make it increasingly difficult to correlate device data with personal identity means that fingerprinting should be a thing of the past. Surveillance capitalists who trade in exfiltrated personal data of people without express consent will surely have to change their business models, and they should.
Taken together, these changes should deliver extraordinary benefits to all users while establishing additional shields for businesses to protect against sophisticated attempts to harvest personal data to undermine endpoint security or penetrate networks.
Copyright © 2022 IDG Communications, Inc.