Apple took several steps toward a password-free future at its Worldwide Developers Conference, but another part of its strategy is to replace CAPTCHA (the Completely Automated Public Turing test to tell Computers and Humans Apart) with a more private solution.
Introducing Private Access Tokens
Apple is working with Cloudflare (which many believe provides the technology behind iCloud Private Relay) and Google to deploy a standards-based alternative to CAPTCHA called Private Access Tokens.
We have all become accustomed to facing CAPTCHA interrogations while working online. The number of crosswalks and taxis that people have identified in photographs must run into the billions, and working through the process when logging in or setting up a new account is a tedious extra step.
The process is also a challenge for users with accessibility needs or language barriers.
Another problem is that CAPTCHA servers sometimes rely on fingerprinting or tracking clients by IP address, which runs counter to the industry's moves to protect user privacy. And while the process helps protect services and their servers against fraudulent activity, it adds friction to the user experience.
Thus, CAPTCHA serves its purpose, but at the cost of user experience, privacy and accessibility.
Private Access Tokens are an attempt to find a better way.
What is a Private Access Token?
What is a personal access token?
The theory behind Private Access Tokens is that by the time you reach a website, you have already cleared several hurdles that are hard for a bot to emulate. You may be using a device you have already unlocked with biometric authentication or a passcode. On Apple platforms, users are signed in to the device with an Apple ID and are probably using a code-signed app. Private Access Tokens use this information to establish trust, using technology currently being standardized by the IETF Privacy Pass Working Group.
Apple demonstrated this with two devices accessing FT.com. The iOS 15 device first had to fill in account details and then pass a CAPTCHA to log in; the iOS 16 device visited the site and simply logged in, with no interaction required.
When you consider how many times a day you or your customers need to log in the first way, the benefits of Private Access Tokens seem obvious.
What happens in practice?
As I understand it, this process happens:
- The device and the service or website must both first add support for Private Access Tokens.
- Servers request tokens using a new HTTP authentication scheme called PrivateToken, which the client satisfies by passing verification using cryptographic techniques called "attestation checks".
- An attestation check can be thought of as a highly secure, private and trusted statement telling the server that the request comes from a legitimate requester.
- The process obscures personal information and (in Apple's case, though other implementations may differ) relies on an iCloud Attester service (a "token issuer") that verifies users without sharing (or learning) personal information about them.
- Both Cloudflare and Fastly now offer token issuer services and platforms.
- Cloudflare has already added support for Private Access Tokens to its Managed Challenge platform, so customers who already use that feature will automatically benefit from the new technology, improving the browsing experience for supported devices.
- Once the attestation process is complete, the server knows that the request is not fraudulent and came from a real person.
- And it lets them in without a CAPTCHA.
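To make the steps above concrete, here is an added example that is not Apple's, Cloudflare's or Fastly's code: a small, self-contained model of the flow with the four roles the article names (origin, client, attester, issuer). The header shapes follow the PrivateToken scheme (a WWW-Authenticate challenge with a token-key, an Authorization header carrying the token), but everything else is an assumption for illustration: textbook RSA blinding over a toy modulus stands in for the RSA-PSS blind signatures the real protocol uses, the device checks are two constructed booleans, and the origin name and nonce format are invented. What it shows is the property the article describes: the issuer only ever sees a blinded value, the origin only ever sees a token it can verify against the issuer's public key, a token cannot be replayed, a forged signature fails, and a device that fails attestation never gets a token.

```python
"""Simplified Private Access Token flow (added example; not the real protocol code)."""
import base64
import hashlib
import math
import re
import secrets

# Constructed toy issuer key: two well-known Mersenne primes. Far too small for
# real use; they only keep the arithmetic fast. Needs Python 3.8+ for pow(x, -1, m).
P = (1 << 127) - 1
Q = (1 << 89) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
SIG_LEN = 32  # bytes; N is ~216 bits, so any value mod N fits


def fdh(data: bytes) -> int:
    """Toy full-domain hash into Z_N (stands in for the PSS encoding of a real issuer)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class Issuer:
    """Token issuer: signs whatever blinded value it receives; never sees the challenge."""

    def sign_blinded(self, blinded: int) -> int:
        return pow(blinded, D, N)


class Attester:
    """Device attester (iCloud-style): the only party that sees device state."""

    def __init__(self, issuer: Issuer):
        self.issuer = issuer

    def request_token(self, device: dict, blinded: int) -> int:
        # Assumed checks: device unlocked and signed in, as the article describes.
        if not (device.get("unlocked") and device.get("signed_in")):
            raise PermissionError("device failed attestation")
        return self.issuer.sign_blinded(blinded)


class Client:
    """Browser/OS on the device: blinds the challenge so issuer and origin cannot link it."""

    def __init__(self, device: dict, attester: Attester):
        self.device, self.attester = device, attester

    def respond(self, www_authenticate: str) -> str:
        chal = unb64(re.search(r'challenge="([^"]+)"', www_authenticate).group(1))
        r = secrets.randbelow(N - 2) + 2
        while math.gcd(r, N) != 1:  # blinding factor must be invertible mod N
            r = secrets.randbelow(N - 2) + 2
        blinded = (fdh(chal) * pow(r, E, N)) % N
        blind_sig = self.attester.request_token(self.device, blinded)
        sig = (blind_sig * pow(r, -1, N)) % N  # unblind: plain signature on H(chal)
        return f'PrivateToken token="{b64(chal + sig.to_bytes(SIG_LEN, "big"))}"'


class Origin:
    """The website: hands out challenges and checks redeemed tokens; never sees the device."""

    def __init__(self, name: str):
        self.name = name.encode()
        self.outstanding = {}  # nonce -> full challenge; removed on redemption

    def challenge(self) -> str:
        nonce = secrets.token_bytes(16)
        chal = self.name + b"|" + nonce
        self.outstanding[nonce] = chal
        key = b64(N.to_bytes(SIG_LEN, "big"))
        return f'PrivateToken challenge="{b64(chal)}", token-key="{key}"'

    def verify(self, authorization: str) -> bool:
        m = re.search(r'token="([^"]+)"', authorization or "")
        if not m:
            return False
        token = unb64(m.group(1))
        if len(token) <= SIG_LEN:
            return False
        chal, sig = token[:-SIG_LEN], int.from_bytes(token[-SIG_LEN:], "big")
        if self.outstanding.get(chal[-16:]) != chal:
            return False  # unknown, already redeemed (replay) or tampered challenge
        if pow(sig, E, N) != fdh(chal):
            return False  # not signed under the issuer key
        del self.outstanding[chal[-16:]]  # one redemption per challenge
        return True


def demo() -> tuple:
    """Honest device, replayed token, forged signature, device that fails attestation."""
    issuer, origin = Issuer(), Origin("example-origin.test")  # constructed origin name
    attester = Attester(issuer)
    auth = Client({"unlocked": True, "signed_in": True}, attester).respond(origin.challenge())
    first, replay = origin.verify(auth), origin.verify(auth)
    chal = unb64(re.search(r'challenge="([^"]+)"', origin.challenge()).group(1))
    forged = origin.verify(f'PrivateToken token="{b64(chal + secrets.token_bytes(SIG_LEN))}"')
    try:
        Client({"unlocked": False, "signed_in": True}, attester).respond(origin.challenge())
        locked = True
    except PermissionError:
        locked = False
    return first, replay, forged, locked


if __name__ == "__main__":
    print(demo())  # (True, False, False, False)
```

The unblinding step is where the privacy comes from: the issuer signs H(chal)·r^e and the client multiplies by r^-1, leaving an ordinary signature on H(chal) that the issuer has never seen in the clear. A production origin would also check the token-key against the issuer's published key set and expire outstanding challenges.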
There is more to the process than this somewhat over-simplified explanation. For example, it also protects against access requests from compromised devices or bots. Developers who want to go a little deeper can review this Apple presentation, this note from Cloudflare, another from Fastly and Google's introduction to a similar technology called Chrome Trust Tokens. Finally, for the deepest dive, this article describes the architecture of the system and provides additional details to help Apple developers implement and support the feature.
What's next for Apple's technology?
Apple's iOS 16, iPadOS 16 and macOS Ventura beta testers are already exercising the technology whenever they access a site or service that supports it, although unless they notice the missing CAPTCHA prompt, they probably won't realize it. Over time we'll see more sites and services add support, with Apple devices attesting through iCloud and third parties, including existing CAPTCHA technology providers, likely building support for Private Access Tokens into their systems.
This technology is far from the only security and privacy improvement Apple announced at WWDC. The company is discussing tools to further enhance DNS security today, and is also introducing its next-generation authentication technology, Passkeys. Passkeys are a highly secure way to sign in to sites and services. The company has also added impressive security and privacy enhancements to Safari, including stronger protection against cross-site scripting vulnerabilities. Here's more on that.
What Fastly and Cloudflare say
Jana Iyengar, Product Lead, Infrastructure Services at Fastly, explains:
"Fastly is proud to invest, hire, and create technology and products that exemplify our belief that security and privacy are important for a more trusted Internet. We are actively working with our partners in the standards community to add more features to private access tokens – such as limiting rates for media protection and certification for more client assets. This technology has exciting potential applications: consider what you can do with a cryptographic guarantee that you learn only and exactly what you want to know about a website user – such as their age. Providing a clear guarantee of this type of data flow can protect both the user and the website."
What Fastley and Cloudflare say
Fastley at Jana Iyengar, Product Lead, Infrastructure Services, explains:
“Fastly proud to invest, hire, and create technology and products that exemplify our belief that security and privacy are important for a more trusted Internet. We are actively working with our partners in the Standards Community to add more features to private access tokens – such as limiting rates for media protection and certification for more client assets. This technology has exciting potential applications: Consider what you can do with a cryptographic guarantee that you only and exactly want to know about a website user – such as their age. Providing a clear guarantee of this type of data flow can protect both the user and the website. “
Reed Tatoris and Maxim Guerreiro of Cloudflare wrote:
"It simply came to our notice then. We are actively working with other clients and device manufacturers to use the PAT framework. Any time a new client starts using the PAT framework, the traffic from that client to your site will automatically start asking for tokens and your visitors will automatically see fewer CAPTCHAs. We will soon include PATs in other security products."
What it means for you and your business
Together with Apple's many other measures to protect online privacy, the industry's intent to make it increasingly difficult to tie device data to personal identities means fingerprinting should become a thing of the past. Surveillance capitalists who trade in personal data extracted from people without their consent will – and should – have to change their business model.
Overall, these measures will bring real benefits to every user and also give enterprises additional shields against sophisticated attempts to collect personal data in order to undermine endpoint security or break into the business network.
Follow me on Twitter, or join me at AppleHolic's Bar & Grill and the Apple Talks groups on MeWe.
Copyright © 2022 IDG Communications, Inc.