In my use of the internet, CAPTCHAs have been those elements that sometimes serve as a respite, as they provide a change of pace and can be fun to solve, and at other times are mildly infuriating. Nevertheless, they exist and are an element that aims to keep the internet secure. But if you're part of the second group, when iOS 16 becomes publicly available this Fall, Apple has a solution to let you avoid CAPTCHAs on websites, provided their owners have implemented the necessary background elements.

In this article, we will explore how Apple aims to avoid CAPTCHAs and the settings you must have configured on your iPhone to ensure you're ready to breeze past any puzzles.

How does Apple's CAPTCHA skip system work?

Before we delve into how the system works, here's a little background on why it exists. During the WWDC presentation which introduced the feature, Apple stated some reasons behind its decision to implement it; they were:

  • CAPTCHAs can make it difficult for people with disabilities to access websites.
  • CAPTCHA services don't always follow best practices and may even track users from one website to another.

Thus, to deal with these scenarios, Apple is implementing Private Access Tokens to create its CAPTCHA skip system.

The Private Access Tokens system is built with technology standardized by the IETF Privacy Pass working group, meaning other platforms should also be able to implement a system to avoid CAPTCHAs. At the same time, Apple is also working with companies to make this system seamless. Cloudflare and Fastly were two CDNs mentioned during the presentation.

[Image: the last stage of the Private Access Token system]

This image showcases the last step in this process, where the Issuer provides a signed token to the iPhone.

Source: Apple

When you are about to encounter a CAPTCHA, your iPhone sends a request over HTTP to the website you want to visit. If the website's server supports Private Access Tokens, it sends back a challenge in the background, including details of a Token Issuer.

Your iPhone will then pass this on to an iCloud-based element called the iCloud Attester. The token challenge is now blinded and can't be linked to the originating website.

The iCloud Attester then checks this data with certificates stored in the Secure Enclave on your iPhone to ensure your account is in good standing and not part of any farm.

Once validated, the token request is sent to the Issuer. Here the Issuer has no details about the client (your iPhone) and only has access to data about the iCloud Attester, which it already trusts.

The Issuer then signs the token generated by the server and passes it back to your iPhone, which unblinds the token and returns it to the server, completing the chain and allowing you to log in. This entire process takes place within a split second.
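The blind, sign, unblind and verify steps described above, as an added example that is not from the original article or from Apple. It uses textbook RSA blinding with a deliberately tiny constructed key as a stand-in for the real token signature scheme, leaves out the Attester hop, and every function name in it is hypothetical.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy Issuer key built from two known Mersenne primes.
# Far too small for real use; it only keeps the arithmetic readable.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # Issuer's private exponent


def digest(challenge: bytes, nonce: bytes) -> int:
    """Hash the website's challenge plus a client nonce into Z_N."""
    return int.from_bytes(hashlib.sha256(challenge + nonce).digest(), "big") % N


def client_blind(m: int):
    """Client: hide m behind a random factor r before it leaves the device."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return (m * pow(r, E, N)) % N, r


def issuer_sign(blinded: int) -> int:
    """Issuer: sign whatever arrives; it never sees m or the website."""
    return pow(blinded, D, N)


def client_unblind(blind_sig: int, r: int) -> int:
    """Client: strip r to obtain an ordinary signature on m."""
    return (blind_sig * pow(r, -1, N)) % N


def origin_verify(challenge: bytes, nonce: bytes, sig: int) -> bool:
    """Website: check the token using only the Issuer's public key (N, E)."""
    return pow(sig, E, N) == digest(challenge, nonce)


def run_exchange(challenge: bytes) -> dict:
    """Run one full round and report what each party saw."""
    nonce = secrets.token_bytes(16)
    m = digest(challenge, nonce)
    blinded, r = client_blind(m)           # what the Issuer receives
    sig = client_unblind(issuer_sign(blinded), r)
    return {"m": m, "blinded": blinded, "sig": sig,
            "valid": origin_verify(challenge, nonce, sig),
            "wrong_site": origin_verify(b"other-site", nonce, sig)}
```

The `blinded` value is all the Issuer ever handles, while the `wrong_site` result shows that a token redeemed against a different challenge fails verification.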

How to enable Private Access Tokens to skip CAPTCHAs on iOS 16?

To enable your iPhone to use Private Access Tokens, follow the steps listed below:

[Image: how to activate Private Access Tokens in iOS 16]

Source: Pocketnow

  • Open the Settings App and tap on your Profile/Apple ID, which appears at the top of the screen.
  • Next, tap on Password & Security.
  • Lastly, scroll down to the bottom of the screen and verify that Automatic Verification is toggled on.

Keeping the Automatic Verification toggle switched on will let you skip CAPTCHAs on websites that support Private Access Tokens.