{"id":19309,"date":"2022-06-10T08:30:13","date_gmt":"2022-06-10T16:30:13","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2022\/06\/10\/news-13042\/"},"modified":"2022-06-10T08:30:13","modified_gmt":"2022-06-10T16:30:13","slug":"news-13042","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2022\/06\/10\/news-13042\/","title":{"rendered":"WWDC: Apple, Cloudflare, Fastly plot the end of CAPTCHA"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/images.idgesg.net\/images\/article\/2022\/06\/apple-wwdc22-hands-on-area-macbook-air-raised-high-steve-jobs-theater-apple-park-220606-100928968-large.3x2.jpg?auto=webp&amp;quality=85,70\"\/><\/p>\n<p><strong>Credit to Author: Jonny Evans| Date: Fri, 10 Jun 2022 08:59:00 -0700<\/strong><\/p>\n<p style=\"font-weight: 400;\">Apple took several steps toward a password-free future at its <a href=\"https:\/\/developer.apple.com\/news\/?id=huqjyh7k\" rel=\"noopener nofollow\" target=\"_blank\">Worldwide Developer Conference<\/a>, but another component of its strategy will be to replace CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart) with a more private solution.<\/p>\n<p style=\"font-weight: 400;\">Apple is working with Cloudflare (with whom most think it <a href=\"https:\/\/www.applemust.com\/apple-cloudflare-solve-huge-web-security-flaw\/\" rel=\"noopener nofollow\" target=\"_blank\">developed\u00a0the tech<\/a>\u00a0behind <a href=\"https:\/\/www.computerworld.com\/article\/3645848\/how-apples-icloud-private-relay-supports-enterprise-vpn.html\">iCloud Private Relay<\/a>). 
It is also working with Google and Fastly to deploy a standardized alternative to CAPTCHA called Private Access Tokens.<\/p>\n<p style=\"font-weight: 400;\">We\u2019ve all become used to encountering CAPTCHA interrogations when working online.\u00a0The number of crosswalks and taxis most people have identified in photographs must surely be counted in billions, and it is sometimes an annoying additional step to work through the process when logging into or setting up new accounts online.<\/p>\n<p style=\"font-weight: 400;\">The process also challenges users with accessibility problems or language barriers.<\/p>\n<p style=\"font-weight: 400;\">Another problem is that CAPTCHA servers sometimes rely on fingerprinting\/tracking clients using their IP address, which does not reflect the industry\u2019s moves to protect user privacy. And while the process does help protect services and their servers against fraudulent activity, it does add friction to the user experience.<\/p>\n<p style=\"font-weight: 400;\">So, CAPTCHA serves its purpose, but at the cost of user experience, privacy, and accessibility.<\/p>\n<p style=\"font-weight: 400;\">Private Access Tokens attempt to find a better way.<\/p>\n<p style=\"font-weight: 400;\">The theory behind Private Access Tokens is that by the time you arrive at a website, you have already crossed some hurdles that are hard for a bot to emulate. You probably use a device that is already unlocked using biometric authorization or a passcode. On Apple platforms, users are likely to be signed into the device with an Apple ID, and probably use a code-signed app. 
Private Access Tokens use this information to establish trust within technology currently being standardized by the <a href=\"https:\/\/datatracker.ietf.org\/wg\/privacypass\/about\/\" rel=\"noopener nofollow\" target=\"_blank\">IETF Privacy Pass working group<\/a>.\u00a0<\/p>\n<p style=\"font-weight: 400;\">Apple showed two devices accessing the <em>FT.com<\/em> website to demonstrate this. The first iOS 15 device had to fill in account details and then use CAPTCHA to log on; the iOS 16 device simply visited the site to be logged on, no interaction required.<\/p>\n<p style=\"font-weight: 400;\">When you consider the number of times a day you or your customers are required to log in the first way, the advantages of Private Access Tokens seem clear.<\/p>\n<p style=\"font-weight: 400;\">As I understand it, this is the process that takes place:<\/p>\n<p style=\"font-weight: 400;\">There is much more to the process than this somewhat over-simplified explanation provides. For example, it also protects against access requests from compromised devices or bots. If you want to get a little deeper, developers can review this <a href=\"https:\/\/developer.apple.com\/videos\/play\/wwdc2022\/10077\/\" rel=\"noopener nofollow\" target=\"_blank\">Apple presentation<\/a>, this\u00a0<a href=\"https:\/\/blog.cloudflare.com\/eliminating-captchas-on-iphones-and-macs-using-new-standard\/\" rel=\"noopener nofollow\" target=\"_blank\">note on Cloudflare<\/a>, another from <a href=\"https:\/\/www.fastly.com\/blog\/private-access-tokens-stepping-into-the-privacy-respecting-captcha-less\" rel=\"noopener nofollow\" target=\"_blank\">Fastly<\/a> and Google\u2019s introduction to a similar tech called <a href=\"https:\/\/developer.chrome.com\/docs\/privacy-sandbox\/trust-tokens\/\" rel=\"noopener nofollow\" target=\"_blank\">Chrome Trust Tokens<\/a>. 
Finally, for the deepest dive, <a href=\"https:\/\/www.ietf.org\/archive\/id\/draft-ietf-privacypass-architecture-03.html\" rel=\"noopener nofollow\" target=\"_blank\">this article<\/a> describes the architecture of the system, and <a href=\"https:\/\/developer.apple.com\/news\/?id=huqjyh7k\" rel=\"noopener nofollow\" target=\"_blank\">this one<\/a> gives Apple developers additional detail to help deploy\/support the feature.<\/p>\n<p style=\"font-weight: 400;\">Apple\u2019s iOS 16, iPad OS 16 and macOS Ventura beta testers may already be surfacing the technology if they access a site or service that already supports the tech, though unless they really like CAPTCHA interrogations, they probably won\u2019t notice. Of course, as time moves forward, we\u2019ll see more sites and services introduce support, with most Apple developers choosing iCloud for attestation and third parties \u2014\u00a0including existing CAPTCHA technology providers \u2014 probably building support for Private Access Tokens into their systems.<\/p>\n<p style=\"font-weight: 400;\">This tech is far from being the only security\/privacy improvement Apple announced at WWDC. The company will today discuss tools to further secure DNS within an application, and also introduced\u00a0<a href=\"https:\/\/www.applemust.com\/apple-google-and-microsoft-want-fido-to-kill-passwords\/\" rel=\"nofollow\">next-generation authentication technology<\/a>, Passkeys. Passkeys are a highly secure way to access sites and services. The company also fielded impressive security and privacy enhancements in Safari, including strong protection against cross-site scripting vulnerabilities. 
More on that <a href=\"https:\/\/developer.apple.com\/documentation\/safari-release-notes\/safari-16-release-notes\" rel=\"noopener nofollow\" target=\"_blank\">here<\/a>.<\/p>\n<p style=\"font-weight: 400;\">Jana Iyengar, Product Lead, Infrastructure Services at Fastly explained:<\/p>\n<p style=\"font-weight: 400;\">\u201cFastly is proud to invest, engage, and create technology and products that exemplify our belief that security and privacy are critical to a more trusted internet. We are actively working with our partners in the standards community to add more features to Private Access Tokens \u2014 like rate limiting for media protection and attestations for more client properties. There are exciting potential applications of this technology: consider what you could do with cryptographic guarantees that you\u2019re exposing only and exactly what a website needs to know about a user \u2014 like their age. Providing an explicit guarantee on this sort of data flow can protect both users and websites.\u201d<\/p>\n<p style=\"font-weight: 400;\">Cloudflare\u2019s Reid Tatoris and Maxime Guerreiro wrote:<\/p>\n<p style=\"font-weight: 400;\">\u201cThis is just step one for us. We are actively working to get other clients and device makers utilizing the PAT framework as well. Any time a new client begins utilizing the PAT framework, traffic coming to your site from that client will automatically start asking for tokens, and your visitors will automatically see fewer CAPTCHAs. We will be incorporating PATs into other security products very soon.\u201d<\/p>\n<p style=\"font-weight: 400;\">In conjunction with Apple\u2019s <a href=\"https:\/\/developer.apple.com\/news\/?id=huqjyh7k\" rel=\"nofollow\">many other solutions<\/a> to protect privacy online, the industry intention to make it increasingly difficult to correlate device data with personal identity means fingerprinting should become a thing of the past. 
Surveillance capitalists who trade in personal data exfiltrated from people without express consent will \u2014 and should \u2014 most certainly need to change their business models.<\/p>\n<p style=\"font-weight: 400;\">Overall, these moves should deliver extraordinary benefits to every user while also putting additional shields in place so enterprises can guard against sophisticated attempts to harvest personal data to undermine endpoint security or penetrate business networks.<\/p>\n<p style=\"font-weight: 400;\"><em>Please follow me on\u00a0<\/em><a href=\"https:\/\/twitter.com\/jonnyevans_cw\" rel=\"noopener nofollow\" target=\"_blank\"><em>Twitter<\/em><\/a><em>, or join me in the\u00a0<a href=\"https:\/\/mewe.com\/join\/appleholics_bar_and_grill\" rel=\"noopener nofollow\" target=\"_blank\">AppleHolic\u2019s bar &amp; grill<\/a>\u00a0and\u00a0<\/em><a href=\"https:\/\/mewe.com\/join\/apple_discussions\" rel=\"noopener nofollow\" target=\"_blank\"><em>Apple Discussions<\/em><\/a><em>\u00a0groups on MeWe.<\/em><\/p>\n<p><a href=\"https:\/\/www.computerworld.com\/article\/3663430\/wwdc-apple-cloudflare-fastly-plot-the-end-of-captcha.html#tk.rss_security\" target=\"bwo\" >http:\/\/www.computerworld.com\/category\/security\/index.rss<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/images.idgesg.net\/images\/article\/2022\/06\/apple-wwdc22-hands-on-area-macbook-air-raised-high-steve-jobs-theater-apple-park-220606-100928968-large.3x2.jpg?auto=webp&amp;quality=85,70\"\/><\/p>\n<p><strong>Credit to Author: Jonny Evans| Date: Fri, 10 Jun 2022 08:59:00 -0700<\/strong><\/p>\n<article>\n<section class=\"page\">\n<p style=\"font-weight: 400;\">Apple took several steps toward a password-free future at its <a href=\"https:\/\/developer.apple.com\/news\/?id=huqjyh7k\" rel=\"noopener nofollow\" target=\"_blank\">Worldwide Developer Conference<\/a>, but another component of its strategy will be to replace CAPTCHA (Completely 
Automated Public Turing Test to Tell Computers and Humans Apart) with a more private solution.<\/p>\n<h2 style=\"font-weight: 400;\"><strong>Introducing: Private Access Tokens<\/strong><\/h2>\n<p style=\"font-weight: 400;\">Apple is working with Cloudflare (with whom most think it <a href=\"https:\/\/www.applemust.com\/apple-cloudflare-solve-huge-web-security-flaw\/\" rel=\"noopener nofollow\" target=\"_blank\">developed\u00a0the tech<\/a>\u00a0behind <a href=\"https:\/\/www.computerworld.com\/article\/3645848\/how-apples-icloud-private-relay-supports-enterprise-vpn.html\">iCloud Private Relay<\/a>). It is also working with Google and Fastly to deploy a standardized alternative to CAPTCHA called Private Access Tokens.<\/p>\n<p class=\"jumpTag\"><a href=\"\/article\/3663430\/wwdc-apple-cloudflare-fastly-plot-the-end-of-captcha.html#jump\">To read this article in full, please click here<\/a><\/p>\n<\/section>\n<\/article>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[11062,10643],"tags":[2211,4314,10480,10403,714],"class_list":["post-19309","post","type-post","status-publish","format-standard","hentry","category-computerworld","category-independent","tag-apple","tag-internet","tag-ios","tag-macos","tag-security"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/19309","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=19309"}],"version-history
":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/19309\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=19309"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=19309"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=19309"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}