Apple’s new “Automatic Verification” to verify that a human is sitting in front of the device is coming to Cloudflare. This expands the distribution considerably.

Since iOS 16, the iPhone operating system has had a feature that can potentially make it much easier to use websites in the Safari browser: so-called CAPTCHAs, which server operators use to try to distinguish between robots and real visitors, should become superfluous. Now the large CDN operator Cloudflare, which counts numerous large and small websites among its customers, has announced its support for the technology. With macOS 13 aka Ventura, it should also benefit Safari users on the Mac.

Token instead of robot query

- Advertisement -

The feature called “Automatic Verification” relies on so-called private access tokens, with which the device used and thus the user identify themselves to a service provider as legitimate. It was presented at the WWDC 2022 developer conference in early June. The procedure should work in compliance with data protection regulations. The group emphasized that no personal data is transmitted and it is also not possible to track the user.

“Automatic verification” via the private access tokens work within the framework of the privacy pass protocol, which Google is also involved in; it should also be part of Android. If the user surfs on a website, the token is requested. The device or Apple then confirm that it is a real user with a real device. Neither the URL nor any Apple ID that may be present will be transmitted. This requires a third party that handles the signing and also does not receive any details. Finally, the token is then delivered by the iPhone, and the website clears the way.

Cloudflare included

It was previously known that Cloudflare will be one of the partners that will help with independent signing. Now the Content Delivery Network also announced the technology in his service Turnstile to integrate. This API, which is also free for non-Cloudflare customers, allows the verification of private access tokens and thus the replacement of CAPTCHAs.

The system previously leveraged other features to “live” users, including “proof-of-work, proof-of-space, checking for web APIs, and various other challenges to detect browser bugs and human behavior,” according to Cloudflare . Private access tokens are now also being added. These are now integrated directly into turn styles. “During Turnstile [bislang] needs to see some session data (like headers, user-agent, and browser characteristics) to validate users without issuing a challenge, Private Access Tokens allow us to minimize data collection by asking Apple to validate the device for us.” The feature is said to have already been integrated; use requires a Cloudflare account.