AppleInsider explains Apple’s new Private Access Tokens (PAT) tech announced at WWDC:
Using a new HTTP authentication method called PrivateToken, a server uses cryptography to verify a client passed an iCloud attestation check.
When the client needs a token it contacts an attester — in this case, Apple — which performs the process using certificates stored in the device’s Secure Enclave.
I’ve been waiting for someone to kill CAPTCHAs for us, but this will be an Apple-only solution for now:
The company is working to help make Private Access Tokens a web standard, but there is no mention of tokens working on Android or Windows. People on those platforms may have to put up with CAPTCHAs, for now — or wait for Microsoft’s and Google’s work on the matter.