Privacy Access Tokens to Replace CAPTCHA Real Soon


CAPTCHA, a well-known test that website visitors take to prove they are humans and not robots, is rapidly growing obsolete. There are ways to break or bypass CAPTCHA, and these tests bring obvious inconveniences to clients when deployed on websites. Luckily, progress does not stop, and a replacement is coming. We’re talking about Privacy Pass, a browser extension that filters out bots automatically, on the client’s side.

Prove to Machines That You Are Not a Machine Via Cryptographic Token

Privacy Pass is a browser extension initially designed for Chrome and Firefox, with its first version released back in 2018. This plugin automatically verifies that you are not a bot and awards you a cryptographic token (Privacy Access Token, PAT) that serves as a pass on CAPTCHA-protected websites. The extension analyzes your behavior while you browse, so there is no need to stop to solve CAPTCHA puzzles. It turns out that there are plenty of ways to figure out that there is a human being behind the browser by analyzing what the client does and how.

Cloudflare CAPTCHA pages accept PATs, and it seems reasonable to believe that manual CAPTCHA will be driven out of use very soon. What is even more promising is that Apple gives Privacy Pass a huge recognition boost by including it in its upcoming operating systems, iOS 16 and macOS Ventura.

Standard CAPTCHAs for manual solving will probably linger for some time, though, to serve either users who haven’t yet earned an access token during their browsing session or clients whose behavior seems suspicious.

What’s wrong with CAPTCHA?

CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) is fine; it’s just old. Its purpose is to make automated attacks such as DDoS (and other bot activity on websites) impossible. But it turns out that there are ways to verify smoothly and seamlessly that users are humans without forcing them to solve puzzles. Checkpoints, where you have to stop and perform actions, are real trouble for marketing: users just hate them.

Click farm. Image: Diggit Magazine.

Moreover, back in 2013, a CAPTCHA-beating neural network showed up. It solved test jigsaws with 99.8% accuracy, which is a better-than-human result. Nine years on, machine learning algorithms have only improved.

Another phenomenon is connected to CAPTCHA bypassing. There are entire click farms – offices where specially trained people do nothing else but solve CAPTCHA puzzles to let bots enter protected websites. The bots deliver the tasks they face on websites to human clickers and then receive them back solved via a special API.

So, CAPTCHA is getting closer and closer to obsolescence. It is beatable and annoying. Why not replace it with something high-end like Privacy Pass?

By Stephanie Adlam
