How To: Bypass Annoying CAPTCHAs for Apps and Websites on Your iPhone Automatically for Instant Verification

Bypass Annoying CAPTCHAs for Apps and Websites on Your iPhone Automatically for Instant Verification

If you hate matching images, typing letters and numbers, solving math problems, and sliding puzzle pieces for CAPTCHA human verification, you'll love Apple's newest privacy feature for apps and websites.

Generally, CAPTCHAs can be a massive nightmare on mobile devices. They are used by websites for security purposes, to detect bots, stop active denial of service attacks, and otherwise protect their servers, but they end up annoying their users.

  • It slows the user experience down, adding another step to log in or complete a task. Cloudflare estimates that it takes an average of 32 seconds for a user to complete a CAPTCHA challenge.
  • You can get bad images that make it hard to match boats, traffic lights, bicycles, or whatever it's asking for.
  • Words may be jumbled in a way that makes a letter impossible to get right.
  • It does not work well with users that have accessibility issues.
  • People with color blindness may not see specific text colors.
  • Rendering the data it needs to work consumes excess bandwidth.
  • It may be tracking your IP address and other private data.

In the new iOS 16 update, Apple has implemented a new security feature that bypasses CAPTCHA verification. It does so using iCloud and Private Access Tokens (PATs) that verify your device is sending out the HTTP requests. As a bonus, it will not disclose your identity or share private data like IP addresses.

CAPTCHA in iOS 15 (left) vs. Private Access Tokens in iOS 16 (right). Image via Apple

To implement PATs on a website or app, its servers must have the hostname and public key for a trusted token issuer, which can be a content delivery network (CDN) like Cloudflare or Fastly, a web hosting provider, or a CAPTCHA provider. Fastly notes that site owners need to enable PATs, but it's automatic for Cloudflare customers.

That info is then sent to users as a "PrivateToken" challenge. This new HTTP authentication scheme uses RSA Blind Signatures to cryptographically confirm to the server that your device passes an attestation check.

These signatures are 'unlinkable,' which means that servers that receive tokens can only check that they are valid, but they cannot discover client identities or recognize clients over time.

Private Access Tokens are not strictly for Apple devices, as they are a part of a broader authentication standard called Privacy Pass being developed by the Internet Engineering Task Force (IETF) working group, which includes Apple and Google. Currently, Cloudflare and Fastly are the only CDNs Apple has worked with, but it is working with other companies for vast implementation across the web.

The feature is enabled by default, but you can double-check to ensure it's enabled by visiting Settings –> [Your Name] –> Password & Security –> Automatic Verification. The change also appears on iPadOS 16.1 for iPad and macOS 13 Ventura for Mac, both released on Oct. 24. The setting path is the same for iOS and iPadOS, but you'll need to go to Settings –> Apple ID –> Password & Security –> Automatic Verification on macOS 13.

Just updated your iPhone to iOS 18? You'll find a ton of hot new features for some of your most-used Apple apps. Dive in and see for yourself:

Cover photo by Justin Meyers/Gadget Hacks; screenshot and GIF by Daniel Hipskind/Gadget Hacks (unless otherwise noted)

Be the First to Comment

Share Your Thoughts

  • Hot
  • Latest