Apple took a few steps toward a passwordless future at its Worldwide Developers Conference, but another component of its strategy is to replace CAPTCHA (a fully automated public Turing test for distinguishing between computers and Humanity).
Introducing: Private Access Tokens
Apple is partnering with Cloudflare (which most credits with developing the technology behind iCloud Private Relay with Cloudflare). It’s also partnering with Google and Fastly to deploy a standardized CAPTCHA alternative called Private Access Tokens.
We are all accustomed to encountering CAPTHA interrogations when working online. The number of crosswalks and taxis most people identify in their photos must be in the billions, and sometimes going through the process is an annoying extra step when logging in or setting up a new account online.
The process also challenges users with accessibility issues or language barriers.
Another issue is that CAPTCHA servers sometimes rely on fingerprinting/tracking clients using their IP addresses, which does not reflect industry efforts to protect user privacy. While the process does help protect the service and its servers from fraudulent activity, it does add friction to the user experience.
Thus, CAPTCHA serves its purpose, but at the expense of user experience, privacy, and accessibility.
Private access tokens try to find a better way.
What is a private access token?
The theory behind private access tokens is that by the time you arrive at a website, you have crossed some hurdles that are difficult for robots to imitate. You may be using a device that has been unlocked with biometric authorization or a passcode. On Apple platforms, users may log into the device with an Apple ID, and may use code-signed applications. Private Access Tokens use this information to build trust in a technology currently being standardized by the IETF Privacy Passports Working Group.
Apple shows off two device access FT.com website to prove it. The first iOS 15 device had to fill in the account details and then log in using CAPTCHA; iOS 16 devices simply visit the site to log in, no interaction required.
The advantages of private access tokens seem clear when you consider the number of times you or your customers need to log in the first way per day.
What happens in practice?
From what I understand, this is what happens:
- Devices and services/websites must first introduce support for private access tokens.
- The server will request a token using a new HTTP authentication method called PrivateToken, which uses cryptography to verify that the user has passed a so-called “proof check”.
- Attestation checking can be understood as a highly secure, private, and trusted assertion that tells the server that the request came from the real requester.
- This process obfuscates personal information and relies (in Apple’s case, although other implementations may vary) rely on the iCloud certifier service (“token issuer”), which does not share (or learn) about them Authenticate users without their personal information.
- Both Cloudflare and Fastly now offer token issuance services for services and platforms.
- Cloudflare has added support for private access tokens to its Managed Challenge platform, so customers already using the feature will automatically take advantage of this new technology to improve the browsing experience on supported devices.
- Once the attestation process is complete, the server knows that the request was not fraudulent and came from a real person.
- It lets them in without a captcha.
The process offers a lot more than this somewhat oversimplified explanation. It also prevents access requests from infected devices or bots, for example. If you want to dig a little deeper, developers can check out this Apple presentation, this note on Cloudflare, and another presentation from Fastly and Google on a similar technology called Chrome Trust Tokens. Finally, for insight, this article describes the architecture of the system, which provides additional details for Apple developers to help deploy/support the feature.
What’s next for Apple’s technology?
If Apple’s iOS 16, iPad OS 16, and macOS Ventura beta testers visit any website or service that might already support the technology, they’re probably already using it, but unless they really like CAPTCHA interrogations, they probably won’t notice arrive. Of course, over time we will see more sites and services introduce support, most Apple developers choose iCloud for authentication, and third parties (including existing CAPTCHA technology providers) may add support to their systems Build support for private access tokens in .
This technology is far from the only security/privacy improvement Apple announced at WWDC. Today the company will discuss tools to further protect DNS security in applications and introduce Passkeys, the next generation of authentication technology. Keys are a highly secure way to access websites and services. The company has also deployed impressive security and privacy enhancements in Safari, including robust protection against cross-site scripting vulnerabilities. More about it here.
What Fastly and Cloudflare say
Jana Iyengar, Head of Infrastructure Services Product at Fastly, explained:
“Fastly is proud to invest in, participate in, and create technologies and products that reflect our belief that security and privacy are critical to a more trustworthy Internet. We are actively working with partners in the standards community, Add more features to private access tokens – such as rate limiting for media protection and proof of more client-side properties. This technology has exciting potential applications: think about what you can do with cryptographic guarantees that you only expose Exact information that sites need to know about users — like their age. Providing clear assurances about this data flow protects users and sites.”
Reid Tatoris and Maxime Guerreiro of Cloudflare wrote:
“This is just the first step for us. We are actively working to get other customers and device manufacturers to use the PAT framework as well. Whenever a new customer starts using the PAT framework, traffic to your site from that customer will automatically start asking for orders sign, your visitors will automatically see fewer captchas. We will be integrating PAT into other security products soon.”
What this means for you and your business
Combined with Apple’s many other solutions for protecting online privacy, the industry intends to make it increasingly difficult to associate device data with an individual’s identity, meaning fingerprinting should be a thing of the past. Surveillance capitalists who trade personal data stolen from people without explicit consent will — and should — most certainly need to change their business models.
Overall, these moves should deliver extraordinary benefits for each user, while also setting up additional safeguards so businesses can guard against sophisticated attempts to harvest personal data to compromise endpoint security or penetrate business networks.
please follow me Twitteror join me at AppleHolic’s Bar and Grill apple discussion Groups on MeWe.
Copyright © 2022 IDG Communications, Inc.