iOS 16 adds “Verification Code Robot”? The truth is not that simple

Original link: https://www.ifanr.com/app/1496336

Just a few days ago (June 20), many media outlets reported, citing the XDA forums, that Apple’s iOS 16 contains a “CAPTCHA robot”.

After upgrading to the iOS 16 developer preview, open the “Settings” app, go to the Apple ID section, choose “Password & Security”, and scroll to the bottom to find the “Automatic Verification” switch.

If you know the full name and purpose of the verification code (i.e. CAPTCHA), this switch raises an obvious question: since a CAPTCHA exists precisely to keep robots out, wouldn’t such a feature make the CAPTCHA useless?

Of course this is not the case. The feature is not a “CAPTCHA robot” at all; it relies on a new and open verification mechanism, the Private Attestation Token (PAT).

What’s wrong with the verification code?

Spam has plagued the Internet since the earliest days of email and BBS communities, and the most effective countermeasure (at present almost the only one) is a mechanism called CAPTCHA, one of the two things we commonly call a “verification code” (the other kind, the one-time codes used for real-name registration and identity confirmation, is beyond the scope of this article).

CAPTCHA is also known as the “Reverse Turing Test”. As the name suggests, it lets a website confirm that a user is a real person by posing tasks that are hard for machines but easy for humans.

This type of CAPTCHA has existed for about 20 years, and its basic principle has barely changed; the only thing that has changed is the task, from deciphering distorted colored characters to picking out the right objects from a grid of pictures. Anyone with a certain amount of Internet experience has surely had a moment of hurriedly “selecting every picture with a jet” and wanting to smash the computer or phone; the experience is not good.

▲ Exhausting just to look at, isn’t it? Screenshot of the webpage from the official hCaptcha website

At present there is another way to tell humans and machines apart: collect as many traces of the user’s browsing as possible and use AI models to judge whether the behavior looks like that of a normal person. Google’s noCAPTCHA service uses this method to judge whether a user is genuine.

This type of verification does spare users the explicit verification step as far as possible, but it sacrifices privacy. After all, to prove “I am human” I have to hand all my Internet traces to Google or other big companies, which doesn’t feel right.

▲ Behind the “click” verification is the transfer of privacy. The picture comes from the official website of Google reCAPTCHA

What is PAT? How does it verify that the user is not a bot?

PAT does not refer to a specific technology or service but to a protocol for verifying users, which requires the participation of the user, the hardware device manufacturer and the CAPTCHA service provider to complete the verification process.

The entire protocol process is as follows:

  • The website integrates a CAPTCHA service that supports PAT
  • The user sends a request to the website, and the website directs the user to the CAPTCHA service for verification
  • The CAPTCHA service sends a verification request to the hardware manufacturer (“can you check whether this device has been cracked?”)
  • The hardware manufacturer checks the hardware identifier held by the user and verifies the integrity of the device through frameworks such as DeviceCheck or SafetyNet
  • After confirming that the user’s hardware has not been cracked (jailbroken or rooted), the hardware manufacturer asks the CAPTCHA service to issue a certificate to the user
  • The user attaches the certificate to subsequent requests to the website, and the website presents the certificate to the CAPTCHA service for verification
  • Once verification passes, the request is processed normally

▲ Schematic diagram of the complete PAT verification process. Image from Cloudflare official blog post

It looks complicated, but the whole process comes down to two points: first, there is no step that requires manual intervention (typing characters, clicking pictures, etc.); second, what the user hands over is no longer their private browsing history but the far more reasonable question of whether the device has been tampered with.

Because the focus of PAT verification has shifted from “are you a human” to “has your device been tampered with and is it suspected of being abused”, it is natural that users no longer need to solve complex CAPTCHAs, and the service no longer needs to continuously track users’ behavior to make its judgment.
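To make the four roles in the flow above concrete, here is a simulation written as an added example; it is not code from ifanr, Apple, Cloudflare or any PAT implementation. It models the client (device), the website, the CAPTCHA service acting as token issuer and the hardware manufacturer acting as attester, and it uses a toy RSA blind signature, the kind of construction that lets an issuer sign a token without being able to recognise that token again when the website redeems it, which is the privacy property the article describes. The RSA key size, the device registry, the device ids and the website name are all constructed for the demo and are not secure or real; the real protocol’s message formats and cryptographic parameters are not reproduced here.

```python
"""Simulation of a PAT-style flow with four parties: client (device), origin (website),
issuer (CAPTCHA service) and attester (hardware manufacturer).
Toy RSA blind signature: parameters are constructed and far too small to be secure."""
import hashlib
import math
import secrets
from typing import Optional

# Issuer's toy RSA key (constructed; a real issuer uses a 2048-bit or larger key)
P, Q = 2**31 - 1, 2**61 - 1          # Mersenne primes, chosen only so the demo runs instantly
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def token_input(origin: str, challenge: bytes) -> int:
    """Hash (origin, challenge) into an integer modulo N. This is the value that gets signed,
    so a token is bound to one website and one challenge."""
    digest = hashlib.sha256(origin.encode() + b"|" + challenge).digest()
    return int.from_bytes(digest, "big") % N


class Issuer:
    """CAPTCHA service: signs a blinded value only when an attester vouches for the device,
    and later verifies the unblinded token, accepting each token at most once."""

    def __init__(self) -> None:
        self.redeemed = set()                 # tokens already spent (replay protection)

    def issue(self, blinded: int, attestation_ok: bool) -> Optional[int]:
        if not attestation_ok:
            return None
        # The issuer only ever sees the blinded value, so it cannot recognise the token later.
        return pow(blinded, D, N)

    def redeem(self, origin: str, challenge: bytes, token: int) -> bool:
        if pow(token, E, N) != token_input(origin, challenge):
            return False                      # not signed by us, or for another site/challenge
        if token in self.redeemed:
            return False                      # replay: the same token was already spent
        self.redeemed.add(token)
        return True


class Attester:
    """Hardware manufacturer: checks device integrity and asks the issuer for a token."""

    def __init__(self, registry: dict) -> None:
        self.registry = registry              # device id -> integrity state (constructed)

    def request_token(self, device_id: str, blinded: int, issuer: Issuer) -> Optional[int]:
        intact = self.registry.get(device_id) == "intact"   # unknown or cracked devices fail
        return issuer.issue(blinded, intact)


class Origin:
    """Website: hands out a fresh challenge, later redeems the returned token with the issuer."""

    def __init__(self, name: str, issuer: Issuer) -> None:
        self.name, self.issuer = name, issuer
        self.pending = set()                  # challenges issued but not yet answered

    def challenge(self) -> bytes:
        c = secrets.token_bytes(16)
        self.pending.add(c)
        return c

    def handle_request(self, challenge: bytes, token: Optional[int]) -> str:
        if challenge not in self.pending or token is None:
            return "403 show CAPTCHA"
        self.pending.discard(challenge)       # a challenge may be answered only once
        if not self.issuer.redeem(self.name, challenge, token):
            return "403 show CAPTCHA"
        return "200 OK"


class Client:
    """User's device: blinds the token input so issuance and redemption cannot be linked."""

    def __init__(self, device_id: str) -> None:
        self.device_id = device_id

    def fetch_token(self, origin: str, challenge: bytes,
                    attester: Attester, issuer: Issuer) -> Optional[int]:
        m = token_input(origin, challenge)
        r = secrets.randbelow(N - 2) + 2
        while math.gcd(r, N) != 1:            # blinding factor must be invertible mod N
            r = secrets.randbelow(N - 2) + 2
        blinded = (m * pow(r, E, N)) % N
        signed = attester.request_token(self.device_id, blinded, issuer)
        if signed is None:
            return None
        return (signed * pow(r, -1, N)) % N   # unblind: yields m^D mod N, a valid signature on m


def run_flow(device_state: str) -> str:
    """Full round trip for one device whose integrity state is given (constructed registry)."""
    issuer = Issuer()
    attester = Attester({"device-1": device_state})
    site = Origin("example.test", issuer)     # placeholder website name
    client = Client("device-1")
    challenge = site.challenge()
    token = client.fetch_token(site.name, challenge, attester, issuer)
    return site.handle_request(challenge, token)


if __name__ == "__main__":
    print("intact device:    ", run_flow("intact"))       # 200 OK
    print("jailbroken device:", run_flow("jailbroken"))   # 403 show CAPTCHA
```

Two details carry the security properties the article attributes to PAT. The issuer signs only a blinded value and verifies only the unblinded one, so even with full logs it cannot say which issuance produced which redemption; and the token is bound to the origin and a fresh challenge and is accepted once, so a token harvested from one site cannot be replayed elsewhere.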

Is it really possible to say goodbye to the “verification code”?

Not necessarily; at least for the next few years we will still have to play a “battle of wits” with CAPTCHAs.

First of all, rolling out a technology takes time. Even though PAT is a verification protocol and standard jointly drafted and launched by major organizations such as the IETF, Apple, Google and Cloudflare, only iOS 16 and Cloudflare (a cloud service provider that protects websites from attacks) currently support it (Note: developers and online services can currently apply for beta access to PAT verification at Cloudflare and Fastly).

Whether it is end users updating their software and hardware, or CAPTCHA services and major websites following suit, it will all take a certain amount of time.

Secondly, because of the special circumstances of the Android ecosystem in mainland China, Android phones there cannot be verified directly through the SafetyNet framework built into Google Play services. This means each Android manufacturer must integrate the PAT protocol separately in order to add PAT support to its own products.

In addition, in the desktop world there are many self-assembled PCs. Since such machines have no PAT validator (device manufacturer) to vouch for them, it is quite likely that they will not be able to truly enjoy the benefits of PAT.

However, for most people PAT is indeed a verification protocol that balances user experience and privacy. We hope that domestic Android manufacturers and online services will adopt the protocol as soon as possible, so that ordinary people can also enjoy a better Internet experience.

The title image comes from: Cloudflare official blog

This article is reproduced from: https://www.ifanr.com/app/1496336
This site is for inclusion only, and the copyright belongs to the original author.
