A great day for non-robots: iOS 16 will bypass CAPTCHAs

Apple has introduced a game-changer into its upcoming iOS 16 for those who hate CAPTCHAs, in the form of a feature called Automatic Verification. The feature does exactly what its name alludes to: automatically verifies devices and Apple ID accounts without any action from the user. When iOS 16 ships later this year, it will …

  1. Yet Another Anonymous coward Silver badge

    So ...

    They are claiming that iPhone users are mere humans like the rest of us?

    1. pavel.petrman

      Re: So ...

      Merely that they are not robots, I suppose:

      - Are you a robot?

      - No, there's an app for it!

  2. heyrick Silver badge

    "First, they have an iPhone, iPad, or Mac, and they've unlocked the device with their password" etc etc.

    Yes, but the website that is asking for verification does not know this. There's absolutely nothing in a bog standard HTTP request (which is all the server sees) that indicates any of this. No, not even the misspelled referrer, because that can be easily faked.

    1. jmch Silver badge

      "the website that is asking for verification does not know this. There's absolutely nothing in a bog standard HTTP request (which is all the server sees) that indicates any of this."

      Yes, hence the complicated encrypted-token-mechanism-thingy referred to in the article

      1. heyrick Silver badge

        Correct, but all the prelude is bigging up something that isn't really relevant.

        For example... I have a device. The filesystem is encrypted. I have to give a password to start it up. Then unlock the SIM. Then turn it on using biometrics or password. Choose the browser, go to a website... lots of manipulations, and it's not a fruity device. So, really, all those steps taken (by the user) are pretty much par for the course these days, aren't they?

        1. Dinanziame Silver badge

          The point is that Apple controls what runs on their devices, so the OS can guarantee that there is a real user, and pass complex encrypted certificates. On most other devices, you can run any old program that simulates the existence of a user, so it's not possible to have such a guarantee.

    2. Yet Another Anonymous coward Silver badge

      >Yes, but the website that is asking for verification does not know this.

      I assume this is like a Tesla/BMW.

      How do you identify an Apple user? You don't need to - they will tell you

      1. Anonymous Coward

        I’m an Apple user :-)

        1. Yet Another Anonymous coward Silver badge

          I'm an Apple User - and so's my wife

          1. Michael Wojcik Silver badge

            Many of my friends are Apple users, and only a few are lumberjacks.

        2. Fruit and Nutcase Silver badge
        3. Lockwood

          I use Arch btw

      2. MrReynolds2U

        that also works with Vegans

        1. Yet Another Anonymous coward Silver badge

          Click on the pictures of Vegans?

          1. jmch Silver badge

            That's to allow our future AI overlords to identify them. Let's all hope they won't be humanitarians...

          2. Michael Wojcik Silver badge

            I just tell 'em to go back to Vega.

  3. DailyLlama

    That's lovely, but...

    When will they give me a way to block cookies without having to click on "Reject All" on practically every single website I go on?

    1. Mishak Silver badge

      Re: That's lovely, but...

      Try Consent-o-matic*. Not perfect, but it gets rid of most of them!

      Other, similar plugins are also available.

      * Link is to the Apple App Store version, but it is available for most common browsers / platforms.

    2. Anonymous Coward

      Re: That's lovely, but...

      AIUI, the UK government is going to do it for everybody

    3. katrinab Silver badge

      Re: That's lovely, but...

      In 2009, 13 years ago. It is called the Do Not Track header.

  4. The Oncoming Scorn Silver badge

    I For One

    Am heartily sick of trying to squint to see the number letter combination or if there is a bus, bicycle, car, train, bridge, traffic light in some far distant part of a picture & if it overlaps into an adjacent square(s) & if I should click on it as it's part of the item being asked to identify.

    On a side note, while attempting to communicate with a friend in the UK some years back I was asked to verify & type in the two random words displayed next to her picture. It rather unflatteringly chose the first name of our former pub (Icon) & then called her a minger.

    1. Yet Another Anonymous coward Silver badge

      Re: I For One

      Please click on 3 the same pictures of hills that were selected as hills by somebody working in a minimum wage click farm in S.E. Asia

    2. yetanotheraoc Silver badge

      Re: I For One

      Gee, thanks. New word of the day for me = minger.

      "The first name of our former pub..." -- I thought you said random.

    3. heyrick Silver badge

      Re: I For One

      I had the two word one come up once. I'm a Brit living in France with en-gb, en, fr, es as my browser language preferences, and an English language OS.

      So was somewhat startled to see Cyrillic on one side and Hebrew on the other. Uh-huh. Let me just look at my Unicode table and blindly guess...

  5. iron Silver badge

    > "First, they have an iPhone, iPad, or Mac, and they've unlocked the device with their password, Touch ID, or Face ID. They're almost always signed into the device with their Apple ID. And they've launched a code-signed app," argued the Apple-ite.

    Erm no that proves nothing. Let's imagine you have an iPhone, iPad, or Mac, you're signed into the device with your Apple ID and you've unlocked the device. Now imagine your device has been infected with a virus. This Apple person would consider that virus to be you and allow it to empty your bank account, encrypt your data or whatever it wanted to do on any site the device can access.

    And this is what Apple call security.

    1. gnasher729 Silver badge

      Infected by a virus? What virus?

      Reality check. Compare the number of website visits some bot can perform per second with the number of virus infected iPhones.

    2. doublelayer Silver badge

      You have misunderstood the point of this software. It is not to authenticate you, as a security measure to protect your identity or access. It only attempts to identify that you are a person instead of a bot. Malware getting into the system and with access to the tokens (which may be difficult if Apple keeps this feature to themselves) would allow that malware to spam a service with supposedly human requests, but it would not allow that malware to access your data which would be protected with actual security measures.

      That said, I'm not thrilled with the concept. Yes, it avoids captchas, and I hate those to the extreme. However, it avoids them using a system that makes adding them even easier and using a method that could be weaponized against privacy (signed tokens identifying user devices). Apple claims that their implementation doesn't uniquely identify devices to the sites, and I'm inclined to believe them, but it moves one step closer to that. Others have suggested jumping directly to that option, essentially requiring a login for everything which could be easily logged and tracked, so getting closer to it is something I view with concern.

    3. Michael Wojcik Silver badge

      In what context have you seen CAPTCHAs used as a security mechanism to prevent malware from impersonating you?

      Every use I've ever seen of the damn things is an attempt to block bots from 1) creating accounts or 2) posting fake UGC.

      CAPTCHAs were a bad idea when they were invented and have gotten steadily worse, because of course they degrade into problems which are easier for machines than they are for people. Anything that helps get rid of them is fine with me. (I am not an Apple user. Haven't liked anything they've done since the //e, and don't care for the corporate attitude.)

  6. steelpillow Silver badge

    Does this mean what I think it means?

    "confirmed via certificates stored in the device without giving away user identities."

    So only the Big Data slurpers will be able to correlate every offering of the certificate ID with everything else and identify the user?
