June 8, 2022
Last Updated: January 6, 2023
Private Access Tokens (PATs) are part of the latest iteration of the Privacy Pass protocol currently being standardized at the IETF.
hCaptcha has supported Privacy Pass since its inception, and continues to work in public and private forums to ensure that new privacy-preserving standards reach wide adoption.
In the version being adopted by Apple, a service (like hCaptcha) can request that your compatible hardware device (i.e. recent-model iPhone) generate a token to "attest" to various properties of the device and application, which is then validated and signed by Apple.
This signing process uses "RSA blinding" in such a way that the signed token that the requesting service (like hCaptcha) receives is not linkable to the issuance, i.e. cannot be connected to the original hardware device.
Recent iPhones or iPads using iOS 16.2 or later and recent MacOS devices running the latest versions of Safari and OS X are currently supported.
When compatible devices are used with a compatible service, it can provide some additional assurance that, for example, the user is actually running on a real phone, without uniquely identifying that phone to hCaptcha in the process.
Modern threat actors are very familiar with the requirements of automating actions on mobile phones, so PATs are a very limited, partial solution to the security problem, and do not really address humanity verification at all.
You should think of this as an additive technology, which in some circumstances will allow a reduced challenge rate, but in others will likely be generated by a threat actor, and thus will continue to go through the normal challenge flow.
Hardware attestation refers to a piece of hardware signing a proof of some attribute of its system. This is most commonly used for anti-tamper verification of hardware or software.
Various methods of linking identity to a device in a cryptographically secure fashion, sometimes with privacy-preserving properties, have been proposed for decades. Public key cryptography dates back to c. 1975, and hardware tokens have existed nearly as long.
Unfortunately, controlling a piece of hardware does not mean you are a person. Every popular consumer hardware attestation scheme tends to be repeatedly broken, patched, and then broken again.
Malicious abuse of these flaws is often found to have been occurring for months or years prior to discovery or academic publication.
A wall of more than 10,000 phones used for abuse, part of a Chinese bot operation.
No matter how reliable your cryptographic scheme, if someone can at the end of the day simply spend money to give you the answer you are looking for, owning a piece of hardware is insufficient.
That said, cryptography is quite a young discipline. Based on recent history, your cryptographic scheme and/or implementation is likely to be broken as soon as anyone has an incentive to look at it closely, and it is likely other people will figure this out long before you do. Relying on hardware means you may need to ask every single one of your users to change a physical device in order to patch the flaw. This is unlikely to happen quickly in most cases, meaning in reality your system will simply fail open.
This is why defense is depth is important: hCaptcha uses multiple different approaches to answer the same fundamental question, allowing comparison for consistency across all evaluations.
PATs are answering an entirely different question. They let security services like hCaptcha reduce the CAPTCHA challenge rate in some scenarios, but are not a silver bullet. They will see persistent sustained abuse as soon as they become popular, just like every other similar attempt before them.
In other words, so long as people remain people, it is likely that humanity verification via CAPTCHAs will have a role to play online.
Our job at hCaptcha is to find good tradeoffs between difficulty and accuracy and to keep friction low, especially for accessibility users. In the end, interacting with challenges is likely to remain part of the arsenal of tools for reducing online abuse so long as human nature remains unchanged.
Building a service that does this well while balancing all concerns is a very hard problem (and we are always working to improve it so as to make the experience as pleasant as possible) but we hope you will agree that reducing spam, abuse, account takeovers, and online fraud is ultimately well worth the occasional simple question.
