Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Apple IT Technology

iOS 16 Will Let iPhone Users Bypass CAPTCHAs in Supported Apps and Websites (macrumors.com) 34

Tapping on images of traffic lights or deciphering squiggly text to prove you are human will soon be a much less common nuisance for iPhone users, as iOS 16 introduces support for bypassing CAPTCHAs in supported apps and websites. From a report: The handy new feature can be found in the Settings app under Apple ID > Password & Security > Automatic Verification. When enabled, Apple says iCloud will automatically and privately verify your device and Apple ID account in the background, eliminating the need for apps and websites to present you with a CAPTCHA verification prompt.
This discussion has been archived. No new comments can be posted.

iOS 16 Will Let iPhone Users Bypass CAPTCHAs in Supported Apps and Websites

Comments Filter:
  • I'll leave it off (Score:1, Interesting)

    by davidwr ( 791652 )

    Apple vouching that I'm a human: OK

    Apple handing over my Apple ID: Not so much.

    Now, if I could use it only on the apps and web sites that I'm "logging into" with my Apple ID today anyways, that's going to be fine.

    • Re:I'll leave it off (Score:5, Informative)

      by seth_hartbecke ( 27500 ) on Monday June 20, 2022 @12:01PM (#62636338) Homepage

      If you watch the video from apple, they will step you through the IETF standards they are using to accomplish this.

      iCloud is involved to say "this person is a human."

      iCloud does not give out any information that uniquely identifies you, or even your phone.

      All it's doing is proving you are a real human, not a bot.

      • So, now we've automated the process of determining whether a person is human. Brilliant!
        • No. Because for to set up an iCloud account you also have to be a human (at least by the same standards).
        • It sounds a bit like the assumption is that spammers will never have iphones and won't figure out a way to farm them.

          I remember about 10 years ago some wow gold farmers complaining about how they could no longer compete with some others that built a complete replacement of the wow client, which means they were also able to emulate all of the anti-botting security features enough to fool the servers. This gave them the ability to instantiate hundreds of clients on a single VM instead of just two or three, be

          • Again, if you watch the video ...

            For this to work, your device has to have an iCloud account. Apple doesn't share any of the details of this iCloud account with the web site, but seems to consider this a "good indicator that this device is attached to a person."

            They also have systems on their end that can look for "bot like behavior."

            So if you setup a "farm" of iPhones (each with an iCloud account), in theory ... apple could build systems to detect bot-like-behavor (many many token requests on the same iCl

            • That's kind of like saying that you can easily detect data exfiltration by watching for large data transfers. The reality is that these people tend to be very patient; they'll do it slowly over a long period of time. In this case that would translate to executing only occasional behaviors that are suspect, in addition to adding random benign behaviors to simulate an actual person using the device for other things.

              Trust me, it's been done. And done. And done. And done.

      • by sinij ( 911942 )

        iCloud is involved to say "this person is a human."

        iCloud does not give out any information that uniquely identifies you, or even your phone.

        iCloud is not designed to uniquely identify you to external parties the same way as cookie is not designed to track you across multiple sites and profile your browsing activities. Yet here we are.

      • by davidwr ( 791652 )

        I'll have to go back and read the standard, but I don't see why they need an iCloud or other login in the first place.

        Apple can get enough information from the phone to uniquely identify it.

        If the objection is "an iCloud ID requires you to go though a CAPTCHA or something similar" then fine, make me go through such a thing ONE TIME on a given device (or once per week/month/reboot/whatever per device) to prove I am a human, but don't make me sign in with my Apple ID.

        • by Megane ( 129182 )

          Apple can get enough information from the phone to uniquely identify it.

          Great, let's assume they can 100% identify a genuine iPhone. So? Have you seen the pictures of click farming? They have like 100-200 phones on a panel for one person to monitor. Now tell me again how merely having a genuine iPhone is enough to prevent fraudulent usage.

    • I'll await technical details that aren't in video form; but Apple claims that the implementation is privacy-preserving; so I assume that it's something other than Apple just handing them your ID.

      There are probably some additional elaborations to deal with considerations I'm not thinking of; but if captcha-users are willing to accept your apple ID from Apple as sufficient proof to bypass a captcha they should also be willing to accept an Apple-provided assertion that you are someone with an Apple ID in de
  • By using the computer in their smartphone to vouch for them.
  • by registrations_suck ( 1075251 ) on Monday June 20, 2022 @12:12PM (#62636386)

    It is very rare that a new OS has a feature that I would find useful. Hell, it's rare for a new OS to debut a feature that I can imagine ANYBODY having any use for. But this seems like an actual, bonafide useful feature. Congratulations, Apple!!

  • by Opportunist ( 166417 ) on Monday June 20, 2022 @12:50PM (#62636518)

    Until the scammers find out how to pretend to be human, then the whole shit is back to square one.

    • "Until the scammers find out how to pretend to be human, "

      American human, 194 countries have no yellow taxis, they don't recognize taxis in blurry stamp-sized photos.

      • Unlike American humans, others around the world got used to the US-centric approach the average US company takes to things like that. By now we actually adjusted to miles, Fahrenheit and the rest of the bullshit the US is so enamoured with.

        If it serves our purpose, we can pretend that it matters. Like, well, with anything US.

      • by jaa101 ( 627731 )

        This reminds me of a story about chimpanzee intelligence. Apparently an IQ test asked subjects to identify preferred homes. Chimps selecting trees were marked down on this and other questions with similar issues. Turns out our IQ tests have a pro-human bias.

  • the only way this can work is if they're using your device id to track you. i.e. the secure stuff that's built into the hardware. I'm not the most privacy conscience person in the world but even I get iffy about that.
    • by AmiMoJo ( 196126 )

      Google has been doing this for years. When you encounter a Google Captcha, if you are logged into your Google account then that is used as a strong signal that you are a real human. In most cases you don't need to do anything, that's enough to pass the test.

    • Actually, there is a way to make this work that doesn't use or share your device ID with the web site checking to see if you are human.

      And, actually, it's based on an ITRF standard.

      If you'd watch Apple's video, you could learn how!

  • Apple is hiring tens of thousands of starving asians to solve captchas for fractions of a penny each? Right? That is what is going to happen here, right?
  • How to prevent an attacker from using a robotic finger to click/type the iphone as slow as a human? CAPTCHA can prevent that. The video in the Apple website says "The iCloud attester checks the device is not used by a bot farm". How to check?
  • If I put a CAPCHA on the entrance to my website, it is because I need to verify that they are real people. IDGAFF if they are using the latest super shiny iThing other than it might mean that they are more likely to spend money without too much consideration.

    If you remove the usefulness to websites of that method of verification, they will have to think of something else. Alternatively, they will have to think of a way of detecting and preventing this particular fraud.

C'est magnifique, mais ce n'est pas l'Informatique. -- Bosquet [on seeing the IBM 4341]

Working...