SecureMac, Inc.

Checklist 297: Avoiding CAPTCHA

October 1, 2022

Apple is helping to end CAPTCHAs with Private Access Tokens; the dangers of login fatigue; and malware in the App Store!

On this week’s edition of The Checklist:

  • An end to CAPTCHAs?
  • The dangers of login fatigue
  • Serpents in the walled garden

Apple introduces Private Access Tokens

We’ve all experienced CAPTCHAs — those little Turing tests you take to “prove you’re not a robot” before you can access a website. Which squares have boats? Fire hydrants? How about crosswalks?

Annoying? Yes. Necessary? Sadly, yes — otherwise website owners would be overrun by malicious bots.

But Apple has just introduced a feature that may end the need for CAPTCHAs, according to a piece from MacRumors:

iOS 16 has a new Automatic Verification feature that can bypass CAPTCHA prompts by automatically and privately verifying a user’s device and Apple ID account via iCloud.

Apple’s Automatic Verification feature uses a technology called Private Access Tokens. Private Access Tokens allow websites to verify that a request is coming from a person and not a computer. Unlike CAPTCHAs, no human interaction is required, which makes it far more convenient for end users. In addition, Private Access Tokens rely on privacy-preserving cryptographic techniques, which is another nice benefit of the technology.

The catch, if there is one, is that Automatic Verification only helps you to avoid CAPTCHAs if the website you’re visiting supports Private Access Tokens. So at the moment, you will still encounter CAPTCHAs. But hopefully, they’ll become less and less common as time goes by. 

If you’re already running iOS 16, Automatic Verification is enabled by default. For the curious, the setting can be found at Settings > Apple ID > Password & Security > Automatic Verification.

When “sick and tired” is a security issue

Password manager company 1Password has published an important report on the dangers of “login fatigue,” according to an article in VentureBeat.

The TL;DR is this: When employees find a login procedure to be difficult, intrusive, or just plain annoying, company and customer data is at risk. 

The report was based on a survey of 2,000 workers who spend a lot of time at their computers. What 1Password found was concerning:

  • To bypass frustrating login processes, 43% of respondents say that they share logins, delegate work to others, or even skip their work altogether!
  • One in four employees say that there are some tasks they’ve simply given up on doing because it’s too hard to log in.
  • 38% of people surveyed say that they’ve delayed or skipped setting up security apps because logging in was too difficult.

For employers, the message should be clear: Make logging in as easy as possible, or suffer the security consequences.

To learn about how technology leaders are trying to make logins faster, easier, and more secure, check out Checklist 278: Getting to Know FIDO.

Malware in the App Store!

It’s not common, but it does happen: malware in the Apple App Store.

An article from The Mac Observer reports that a number of malicious apps were found in the App Store recently. The apps were being used by bad guys to distribute adware.

The adware was used to deceive advertisers into believing that ad clicks and impressions were more valuable than they actually were. Users should still be concerned, however, since adware frequently serves up an excessive (and intrusive) number of ads — and because their devices might be used to perpetrate someone else’s fraudulent activity!

Here are the iOS apps involved:

  • Loot the Castle
  • Run Bridge
  • Shinning Gun
  • Racing Legend 3D
  • Rope Runner
  • Wood Sculptor
  • Fire-Wall
  • Ninja Critical Hit
  • Tony Runs

The apps are no longer in the App Store, but if you happen to have one of them on your device, delete it immediately!
