CAPTCHAs are one of the most annoying parts of the modern internet. Want to buy a concert ticket? Click on all the bridges. Logging into your email account? Time to spot the motorbike. It’s slow, annoying, and easy to get wrong. Do you click on every square that has a tiny bit of pedestrian crossing in it, or just the ones that it’s mostly in? And it’s even worse for people who rely on tools like screen readers to access the internet. 

So what’s the point of a CAPTCHA?

They do serve a purpose. They offer up problems that are harder for computers to solve than humans (the name stands for Completely Automated Public Turing test to tell Computers and Humans Apart). Because these tasks can be a challenge for computers and are easier for us, they are a good way of verifying whether someone is a human or not. And yes, they’re annoying, but they make it harder for bots to buy concert tickets ahead of you, hackers to automatically try and log into your accounts if there’s been a password breach, and dozens of other issues that website operators need a way to stop.

Meanwhile, Google’s reCAPTCHA program (which is its implementation of the more generic CAPTCHAs) does feel like it has gotten a lot better in recent years. It does more behind the scenes to verify you are human, using signals like your IP address and activities on the website you’re using, rather than forcing you to identify traffic lights. Just clicking the “I’m Not a Robot” box is enough, a lot more often than it used to be.

But overall, it is still far from a perfect system and is riddled with privacy problems.

What’s Apple’s solution?

Earlier this month at its annual developers conference, WWDC, Apple revealed a feature called Private Access Tokens (PATs), developed in collaboration with engineers from Google, Fastly, and Cloudflare, that would allow users to bypass CAPTCHAs altogether on supported sites and apps. (These tokens are different from passkeys, which aim to replace passwords.) It works by moving the human verification process from the server to your device, ideally making things more frictionless, secure, and private.

When you use your iPhone, you take actions such as logging in with Face ID or Touch ID—actions that are almost impossible for a computer to fake. Combine that with rate-limiting (a term that refers to the fact that you can only make a certain number of attempts before being forced to slow down or complete additional verification) and Apple can far more easily verify who is a human using their device in a normal manner and who is a bot (or user in an iPhone click farm) than a website that you are only interacting with for a few moments can. Certificates stored in your device’s Secure Enclave would keep a record of all your regular human antics. PATs allow websites and apps to automatically authenticate users in the background. When you attempt to log in, they would send an attestation request to iCloud that would check the certificates stored on your device. Assuming you’re using your iPhone or Mac normally, it would attest that you are human and provide a cryptographically signed token so you’d be able to continue without an additional challenge.

While this is undeniably more convenient, it also comes with some nice privacy benefits. Websites wouldn’t need to record your IP address or otherwise track your activity in order to verify you’re human. All that would happen privately on your device. You’d even be able to do things sometimes considered suspicious, like use a VPN, without automatically having to solve a CAPTCHA.
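
As an added illustration (not Apple's code and not part of the original article), this sketch walks through the flow described above: device check, rate limit, signed token, verification by the site. It goes beyond the text by using an RSA blind signature, the primitive the Privacy Pass protocol behind PATs uses for publicly verifiable tokens, so the signer never sees the value the site later checks; the toy key, `RATE_LIMIT`, and every function name are assumptions.

```python
import hashlib, math, secrets
from collections import Counter

# Toy issuer key (assumption): two Mersenne primes, far too small for real use.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # issuer's private exponent

RATE_LIMIT = 3          # constructed per-device token budget
issued = Counter()      # attester state: tokens handed out per device
issuer_log = []         # every value the signer ever sees

def digest(challenge: bytes) -> int:
    """Hash the site's challenge into the RSA group (textbook, unpadded)."""
    return int.from_bytes(hashlib.sha256(challenge).digest(), "big") % N

def attest_and_sign(device_id: str, device_ok: bool, blinded: int):
    """Attester and issuer merged for brevity: check device, rate-limit, sign."""
    if not device_ok or issued[device_id] >= RATE_LIMIT:
        return None                      # caller falls back to a CAPTCHA
    issued[device_id] += 1
    issuer_log.append(blinded)           # only the blinded value is visible here
    return pow(blinded, D, N)

def client_get_token(device_id: str, device_ok: bool, challenge: bytes):
    """Device: blind the challenge, have it signed, then unblind the result."""
    m = digest(challenge)
    while True:                          # pick a blinding factor coprime to N
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            break
    blinded = (m * pow(r, E, N)) % N
    signed = attest_and_sign(device_id, device_ok, blinded)
    if signed is None:
        return None
    return (signed * pow(r, -1, N)) % N  # now a plain signature on m

def site_verify(challenge: bytes, token) -> bool:
    """Website: needs only the public key (N, E); no IP address or device id."""
    return token is not None and pow(token, E, N) == digest(challenge)
```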

Automatic Verification will launch in iOS 16 and macOS Ventura. It’s currently enabled by default in the betas, though it can also be found in the Settings app by going to Apple ID > Privacy and Security and then scrolling down to Automatic Verification. With Google, Cloudflare, and Fastly all collaborating on this, support will hopefully be widespread by the time it officially launches later this year.