iOS 16 Is Done Playing With CAPTCHAs

But who’s going to count all those crosswalks and fire hydrants?

  • Apple’s upcoming OS releases will use Automatic Verification to prove you’re not a robot. 
  • Like Apple’s new password-free logins, this uses Public Key Cryptography.
  • This works because we all carry our phones with us, always.
iOS 16 on iPhone


iOS 16 can prove to a website that you're a human and not a spambot or similar. This means far fewer CAPTCHAs for iOS and Mac users.

Apple's next operating systems for the Mac, iPhone, and iPad will contain Automatic Verification, a feature that generates a private token that it shares with a website to verify that you're human. It uses similar tech to the amazing password-free logins that are also coming in this fall's set of OS updates and is also built on standards that could bring it to Google's Chrome browser, too. 

"Apple—via iCloud—will automatically and invisibly verify your device and Apple ID account, removing the need for apps and websites to display a CAPTCHA verification prompt," software engineer Abdul Saboor told Lifewire via email.


CAPTCHAs are a super annoying aspect of the web, and some websites are particularly bad. It kind of makes sense that you have to identify a bunch of fire hydrants, crosswalks, or bridges when you first sign up for an account, but some sites force you to complete a CAPTCHA every time you log in, and worse, these always seem to be the sites that log you out automatically after a day or so. 

But it doesn’t have to be this way. Apple has worked with Google, Cloudflare, and CDN provider Fastly to create Private Access Tokens. This is a very clever system that boils down to Apple verifying that you’re human because you’re using an iPhone.

Because iPhones don’t really operate unless you’re signed into your iCloud account, this means it’s a pretty good bet you’re you and not a robot. Apple provides a Private Access Token to the website you’re signing up to, but not any personal data. 

Apple—via iCloud—will automatically and invisibly verify your device and Apple ID account.

What Next?

The web is full of annoyances that we’ve just gotten used to, but would be ridiculed if someone was inventing the internet today and put them on the spec sheet. Passwords are one of the biggest examples.

Imagine it. We’re supposed to create and remember a complex, long, and unique string of letters, numbers, and punctuation marks for every one of the hundreds of websites we interact with. Failure to do any of it right leads to terrible consequences. Even with a password manager app, it’s still a lot of delicate busywork. 

This is exactly the kind of thing computers are supposed to do. It’s like being told that, yes, you can have a spreadsheet, but you have to add all the numbers up yourself. 

These new Private Access Tokens work in a similar way to Apple’s other big move in iOS 16 and macOS Ventura, iCloud Passkey. This uses something called Public Key Cryptography, which consists of your private key that stays on your device and a public key that can be shared with anyone. Both keys can lock data, but only the private key can unlock it. Thus, your device, and the fact that you have it, are used in place of a password.

iOS 15 vs iOS 16 using iCloud to bypass CAPTCHA


With this new Automatic Verification, a similar framework is used. But what other web annoyances could this fix?

"Apple wants its entire ecosystem to be the most secure in the world. And they are doing a great job in this field," technology writer Sayan Dutta told Lifewire via email. "[Next they] might eliminate cookie pop-ups, unwanted idle time-outs, the right-click hijack, and bring upgraded intelligent tracking protection on Safari."

And how about email? Email has two main problems. One is that it's completely unencrypted, just plain, readable text flying over the web. The other is you don't really know who sent it. Signed and encrypted email is totally possible, has existed for years, and uses the exact same public key cryptography tech. It's just that there are so many email providers that nobody has ever managed to pull it all together across the entirety of email.

Apple wants its entire ecosystem to be the most secure in the world. And they are doing a great job in this field.

If Apple and Google were to get serious about that and partner with big email providers like Fastmail, email could be fixed in short order. 

One of the takeaways of these new features is they’re based on having a secure personal device with you at all times and that enough of us carry them. This is your key to security and authentication. The other part is big actors like Apple, Google, and Microsoft working together to make standards and to make it easy for third parties to join in. 

With those kinds of egalitarian, open-minded attitudes, there’s not much we couldn’t fix.

Was this page helpful?