Cloudflare has announced Private Access Tokens (PATs), a way to validate whether website visitors are real users without a CAPTCHA. Visitors on an operating system that supports the tokens will be able to prove they are human without solving a CAPTCHA or handing over personal data.
No more CAPTCHAs
Cloudflare’s announcement means that mobile web browsing will become both more pleasant and more private: on a supported iOS or macOS device, visitors will no longer see a CAPTCHA when accessing sites on the Cloudflare network. Web and application developers will also be able to confirm that a user is coming from an authentic device and a signed application, as verified by the device vendor, and validate visitors without maintaining a cumbersome SDK. Cloudflare customers won’t need to do anything: Cloudflare will automatically request and use Private Access Tokens, and as a result will ask for less data from visitors’ devices.
Cloudflare has collaborated with Apple, Google, and other organizations to extend the Privacy Pass protocol with support for a new cryptographic token type. The new mechanism simplifies application security for developers and security teams. Apple has also announced that PATs will be incorporated into iOS 16, iPadOS 16, and macOS 13, and Cloudflare says it expects other vendors to announce support in the near future.
Validating without fingerprinting
PATs validate users by relying on third parties that already hold the data needed to vouch for a device. Parts of the validation process are abstracted away, so the data is confirmed without Cloudflare ever collecting, touching, or storing it. Instead of interrogating the device directly, the new method asks the device vendor to perform the validation. When PATs are used, device data is compartmentalized and explicitly not exchanged between the parties involved:
- The website knows only the URL and the IP address, which it has to know to establish a connection in any case.
- The device manufacturer (the attester) knows only the device data needed to attest the device, but cannot tell which website is being visited and does not learn the IP address.
- Cloudflare knows the site the user visited but learns none of the device or interaction information.
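To make that separation concrete, the following is an added illustration, not Cloudflare’s, Apple’s, or the Privacy Pass project’s code. It models the three parties with textbook blind RSA over two small Mersenne primes (the real token type uses 2048-bit keys and the Privacy Pass wire formats, and the attester, not the client, normally relays the request to the issuer). The origin name example.com, the client IP 203.0.113.7 and the device record are constructed sample data, and treating Cloudflare as the token issuer is an assumption of the model. Each party records what it is shown, so the claims in the list above can be checked directly: the issuer signs a blinded value it cannot later match to the token the origin receives, and the attester never sees the origin or the IP.

```python
"""Toy three-party model of a Private Access Token flow (added example).

Not Cloudflare's, Apple's or the Privacy Pass project's code. Textbook blind
RSA over two small Mersenne primes stands in for the real blind-RSA token
type, and the origin name, client IP and device record are constructed.
"""
import hashlib
import secrets
from math import gcd

# Issuer key pair. Deliberately tiny so the example runs instantly; insecure.
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # modular inverse, Python 3.8+


def hash_to_int(data: bytes) -> int:
    """Map bytes to an integer in [0, N): the value the issuer signs."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


class Party:
    """Records everything a party is shown, so leakage can be checked."""

    def __init__(self, name: str):
        self.name = name
        self.seen = {}

    def observe(self, **fields):
        self.seen.update(fields)


def origin_challenge(origin: Party, origin_name: str, client_ip: str) -> bytes:
    """The origin learns only what the connection already reveals."""
    origin.observe(origin_name=origin_name, client_ip=client_ip)
    return origin_name.encode() + b"|" + secrets.token_bytes(32)


def client_blind(challenge: bytes):
    """Client derives the token input and blinds it before contacting anyone."""
    nonce = secrets.token_bytes(32)
    message = hash_to_int(nonce + hashlib.sha256(challenge).digest())
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:  # r must be invertible mod N to unblind later
            break
    blinded = (message * pow(r, E, N)) % N
    return nonce, r, blinded


def attester_check(attester: Party, device: dict, blinded: int) -> bool:
    """The vendor's attester sees device state, never the origin or the IP."""
    attester.observe(device=device, blinded=blinded)
    return bool(device.get("genuine_hardware") and device.get("signed_app"))


def issuer_sign(issuer: Party, origin_name: str, blinded: int) -> int:
    """The issuer (Cloudflare in this model) signs a value it cannot later
    link to the unblinded token the origin receives."""
    blinded_signature = pow(blinded, D, N)
    issuer.observe(origin_name=origin_name, blinded=blinded,
                   blinded_signature=blinded_signature)
    return blinded_signature


def client_unblind(blinded_signature: int, r: int) -> int:
    """Strip the blinding factor: (m * r^E)^D * r^-1 == m^D mod N."""
    return (blinded_signature * pow(r, -1, N)) % N


def origin_verify(origin: Party, challenge: bytes, nonce: bytes,
                  signature: int) -> bool:
    """Origin checks the unblinded signature against its own challenge."""
    origin.observe(nonce=nonce, signature=signature)
    expected = hash_to_int(nonce + hashlib.sha256(challenge).digest())
    return pow(signature, E, N) == expected


def run_flow(device=None, tamper=False):
    """Run one redemption; return the verdict plus each party's observations."""
    if device is None:  # constructed sample device record
        device = {"genuine_hardware": True, "signed_app": True, "os": "iOS 16"}
    origin, attester, issuer = Party("origin"), Party("attester"), Party("issuer")
    origin_name, client_ip = "example.com", "203.0.113.7"  # constructed

    challenge = origin_challenge(origin, origin_name, client_ip)
    nonce, r, blinded = client_blind(challenge)
    verified = False
    if attester_check(attester, device, blinded):
        signature = client_unblind(issuer_sign(issuer, origin_name, blinded), r)
        if tamper:  # a token presented with a nonce other than the signed one
            nonce = bytes([nonce[0] ^ 0x01]) + nonce[1:]
        verified = origin_verify(origin, challenge, nonce, signature)
    return {"verified": verified, "origin": origin,
            "attester": attester, "issuer": issuer}


if __name__ == "__main__":
    outcome = run_flow()
    print("verified:", outcome["verified"])
    for role in ("origin", "attester", "issuer"):
        print(role, "saw:", sorted(outcome[role].seen))
```

Running it prints which fields each party observed; the attester’s record contains the device data and a blinded value only, the issuer’s contains the origin name and blinded values only, and the origin’s contains the connection data and the unblinded token. A token whose nonce is altered after signing, or a device the attester refuses to vouch for, fails verification.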
Cloudflare said,
« This is just step one for us. We are actively working to get other clients and device makers utilizing the PAT framework as well. Any time a new client begins utilizing the PAT framework, traffic coming to your site from that client will automatically start asking for tokens, and your visitors will automatically see fewer CAPTCHAs. We will be incorporating PATs into other security products very soon. Stay tuned for some announcements in the near future. »