So ...
They are claiming that iPhone users are mere humans like the rest of us?
Apple has introduced a game-changer into its upcoming iOS 16 for those who hate CAPTCHAs, in the form of a feature called Automatic Verification. The feature does exactly what its name alludes to: automatically verifies devices and Apple ID accounts without any action from the user. When iOS 16 ships later this year, it will …
"First, they have an iPhone, iPad, or Mac, and they've unlocked the device with their password" etc etc.
Yes, but the website that is asking for verification does not know this. There's absolutely nothing in a bog standard HTTP request (which is all the server sees) that indicates any of this. No, not even the misspelled referrer, because that can be easily faked.
Correct, but all the prelude is bigging up something that isn't really relevant.
For example... I have a device. The filesystem is encrypted. I have to give a password to start it up. Then unlock the SIM. Then turn it on using biometrics or password. Choose the browser, go to a website... lots of manipulations, and it's not a fruity device. So, really, all those steps taken (by the user) are pretty much par for the course these days, aren't they?
The point is that Apple controls what runs on their devices, so the OS can guarantee that there is a real user, and pass complex encrypted certificates. On most other devices, you can run any old program that simulates the existence of a user, so it's not possible to have such a guarantee.
Try Consent-o-matic*. Not perfect, but it gets rid of most of them!
Other, similar plugins are also available.
* Link is to the Apple App Store version, but it is available for most common browsers / platforms.
Am heartily sick of trying to squint to see the number/letter combination, or whether there is a bus, bicycle, car, train, bridge or traffic light in some far distant part of a picture, and if it overlaps into an adjacent square(s) and whether I should click on it as it's part of the item being asked to identify.
On a side note, while attempting to communicate with a friend in the UK some years back I was asked to verify & type in the two random words displayed next to her picture. It rather unflatteringly chose the first name of our former pub (Icon) & then called her a minger.
I had the two word one come up once. I'm a Brit living in France with en-gb, en, fr, es as my browser language preferences, and an English language OS.
So was somewhat startled to see Cyrillic on one side and Hebrew on the other. Uh-huh. Let me just look at my Unicode table and blindly guess...
> "First, they have an iPhone, iPad, or Mac, and they've unlocked the device with their password, Touch ID, or Face ID. They're almost always signed into the device with their Apple ID. And they've launched a code-signed app," argued the Apple-ite.
Erm, no, that proves nothing. Let's imagine you have an iPhone, iPad, or Mac, you're signed into the device with your Apple ID and you've unlocked the device. Now imagine your device has been infected with a virus. This Apple person would consider that virus to be you and allow it to empty your bank account, encrypt your data or whatever it wanted to do on any site the device can access.
And this is what Apple call security.
You have misunderstood the point of this software. It is not to authenticate you, as a security measure to protect your identity or access. It only attempts to identify that you are a person instead of a bot. Malware getting into the system and with access to the tokens (which may be difficult if Apple keeps this feature to themselves) would allow that malware to spam a service with supposedly human requests, but it would not allow that malware to access your data which would be protected with actual security measures.
That said, I'm not thrilled with the concept. Yes, it avoids captchas, and I hate those to the extreme. However, it avoids them using a system that makes adding them even easier and using a method that could be weaponized against privacy (signed tokens identifying user devices). Apple claims that their implementation doesn't uniquely identify devices to the sites, and I'm inclined to believe them, but it moves one step closer to that. Others have suggested jumping directly to that option, essentially requiring a login for everything which could be easily logged and tracked, so getting closer to it is something I view with concern.
In what context have you seen CAPTCHAs used as a security mechanism to prevent malware from impersonating you?
Every use I've ever seen of the damn things is an attempt to block bots from 1) creating accounts or 2) posting fake UGC.
CAPTCHAs were a bad idea when they were invented and have gotten steadily worse, because of course they degrade into problems which are easier for machines than they are for people. Anything that helps get rid of them is fine with me. (I am not an Apple user. Haven't liked anything they've done since the //e, and don't care for the corporate attitude.)