Cloudflare Releases Private Access Tokens To Replace Captchas

Cloudflare has introduced a new method for macOS and iOS to replace captchas. Private Access Tokens use a series of verification methods to determine whether a website visitor is a bot or a real user, and they do so automatically.

Private Access Tokens, or PATs, are part of Privacy Pass, a protocol for authenticating users that Cloudflare developed several years ago. Privacy Pass now includes support for a cryptographic token that can validate website visitors. The tool is intended as an alternative to captchas, which Cloudflare says have “a terrible user experience.”

Cloudflare says that Private Access Tokens work without user data. The company points out that, as an alternative to captchas, website operators can also collect more data to authenticate users, such as an IMEI number, or fingerprinting data, such as screen size. With Private Access Tokens, that information can still be collected by an ‘attester’ that verifies whether a user is genuine, but that information is then put into a token that is shared between the client and the website. The token states only that a user is genuine, not how that was verified.
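The property described above (the attester sees device details, the website sees only a token saying "genuine") can be modelled with a blind signature. This is an added sketch, not Cloudflare's or Apple's code: the page does not name the signature scheme, so textbook RSA blinding, the toy key, the function names and the `device_facts` fields are all assumptions made for illustration.

```python
import hashlib
import secrets
from math import gcd

# Toy key from two public Mersenne primes: fine for a demo, never for real use.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # attester's private exponent

def digest(nonce: bytes) -> int:
    return int.from_bytes(hashlib.sha256(nonce).digest(), "big")

def client_blind(nonce: bytes):
    """Client hides the token nonce before sending it to the attester."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            break
    return (digest(nonce) * pow(r, E, N)) % N, r

def attester_sign(device_facts: dict, blinded: int):
    """Attester checks the device, then signs the blinded value.
    device_facts is used here only and is never placed in the output."""
    if not device_facts.get("genuine_hardware"):
        return None
    return pow(blinded, D, N)

def client_unblind(blind_sig: int, r: int) -> int:
    return (blind_sig * pow(r, -1, N)) % N

def website_verify(nonce: bytes, sig: int) -> bool:
    """Website sees only (nonce, sig) and the attester's public key (N, E)."""
    return pow(sig, E, N) == digest(nonce)

def run_exchange(device_facts: dict):
    """One full round; returns (nonce, signature, blinded) or None if refused."""
    nonce = secrets.token_bytes(32)
    blinded, r = client_blind(nonce)
    blind_sig = attester_sign(device_facts, blinded)
    if blind_sig is None:
        return None
    return nonce, client_unblind(blind_sig, r), blinded

if __name__ == "__main__":
    facts = {"genuine_hardware": True, "screen": "1170x2532"}  # constructed sample
    nonce, sig, blinded = run_exchange(facts)
    print("website accepts token:", website_verify(nonce, sig))
    print("attester saw the token value:", blinded == digest(nonce))
```

Because the attester signs only the blinded value, it cannot later match the token presented to the website against the device it attested, and the website never receives `device_facts`.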

The ‘attestation’ is performed by the device on which Private Access Tokens are generated. That can be a browser or an operating system. PATs are supported in iOS 16, iPadOS 16 and macOS 13, Cloudflare says. The company expects to bring the initiative to more software “in the near future”, but is not naming any names.