The new iOS 16 Automatic Verification feature that bypasses CAPTCHA prompts will soon be available to more websites. Cloudflare announced recently that it is releasing a free API that will be available to any website wanting to eliminate CAPTCHAs.
Turnstile API Makes Bypassing CAPTCHAs Easier
In a blog post, Cloudflare announced the open beta of Turnstile. Dubbed as the invisible alternative to CAPTCHA, the announcement said that anyone, anywhere on the Internet who wanted to replace CAPTCHA verifications will soon be able to do so easily. For those unaware, CAPTCHA verifications are the checks that ensure a visitor to a web page is a human, not a script or other form of bot. They usually require solving a puzzle, identifying letters visible in a distorted image or choosing images matching a specific keyword.
All web developers need to do is to call a simple API. The good thing about Turnstile is that it will be available even for those who are not Cloudflare customers. The website also doesn’t have to send traffic through the Cloudflare network to use the API. Signing up is free and it is also available via the dashboard for Cloudflare customers.
Before releasing Turnstile API on public beta, bypassing CAPTCHAs had been made possible through the use of Private Access Tokens. In June, Cloudflare announced its collaboration with Apple to use Private Access Tokens.
Cloudflare explained how Private Access Token works in the blog post:
Private Access Tokens are built directly into Turnstile. While Turnstile has to look at some session data (like headers, user agent, and browser characteristics) to validate users without challenging them, Private Access Tokens allow us to minimize data collection by asking Apple to validate the device for us. In addition, Turnstile never looks for cookies (like a login cookie), or uses cookies to collect or store information of any kind. Cloudflare has a long track record of investing in user privacy, which we will continue with Turnstile.
Apple Supports Private Access Tokens in iOS 16 and iOS 16,1
Apple has supported Private Access Tokens in iOS 16. As mentioned iOS 16 and iOS 16.1 users can bypass the CAPTCHA prompt through Automatic Verification. This can be found in Settings > Apple ID > Password & Security. The feature will also be available in the upcoming macOS Ventura and iPadOS 16.1, which are both currently in beta.
Once you toggle on Automatic Verification, you can say goodbye to the annoying prompts that ask you to tap on the image of a traffic light to verify that you are indeed a human, when visiting a website. It also eliminates the need to give out personal data.
Thanks for that tip, Arnold. I noticed that mine was on by default.