Private Access Tokens and the Future of Anti-Fraud
A few months ago, we announced Fastly’s support for a brand new authorization protocol known as Private Access Tokens (PATs). In case you missed it, PATs allow origin administrators, DevOps teams, security professionals, or anyone who runs a web application to get a privacy-respecting attestation of a client’s properties without disrupting user experience, via a token exchange protocol that relies on trusted relationships and advanced cryptography.
But what does that mean in practice? In this article, we’ll describe how this new functionality takes us a giant step forward in the fight against fraudulent or abusive automated activity. Today, administrators are forced to navigate a complex set of choices that balance security, privacy, user experience, and business outcomes. With PATs, our vision is to provide a solution that enables improvements in all four of these areas, better than anything else available in the bot mitigation market today.
Today’s solutions: The trouble with CAPTCHA
Today, most anti-automation and anti-fraud efforts rely heavily on CAPTCHAs (Completely Automated Public Turing test to tell Computers and Humans Apart) to make the distinction between human and automated traffic. If you’re unfamiliar with the term, CAPTCHA is the name for those tests that ask you to click the traffic sign images or type the letters you see in a box, to help prove you’re a human. The assumption is that any client which cannot pass a CAPTCHA is a bot. There are a number of benefits to this approach, and it is widely used to protect checkout flows, login pages, and other sensitive forms from automated abuse.
However, there are many problems with CAPTCHA as well. For starters, CAPTCHA and other bot mitigation vendors gather browser data to make their human vs. bot classification decisions. Unsurprisingly, they don’t usually share what data they gather or how they use it, since it’s part of their secret sauce. But that presents privacy concerns for end-users, whose browser information is required to access resources on the web.
Furthermore, CAPTCHAs and other bot mitigation solutions can be bypassed in a number of ways by determined attackers. A prospective attacker can hire a CAPTCHA-farming service to employ low-wage humans to solve the puzzles and tasks that machines cannot easily complete, for an economical price – less than $1.00 for every thousand solves. So although CAPTCHA might help tip the economic balance of an attack (making it too expensive for attackers to carry out), someone that is determined will find a way through.
Finally, and perhaps most significantly, CAPTCHA can be a significant user experience challenge. Any UX aficionado knows that introducing one more click into a business-critical flow like a checkout page can reduce conversion rates. Now imagine adding a multi-click puzzle to those same flows, and you’ll see why some administrators prefer to deal with the consequences of fraud rather than introduce this friction to their users. According to some estimates from Baymard Institute, up to 29% of legitimate users can fail CAPTCHA challenges on their first attempt, a chilling prospect for companies that rely on providing excellent experiences to their users and customers.
A better approach: The promise of Private Access Tokens
PATs address the fundamental problem with CAPTCHA and other bot mitigation techniques available today, which treat all traffic as suspicious and rely on user action and browser data to assess risk. Instead of this type of approach, PATs rely on a familiar pattern which holds that a trusted third party can do a better job of verifying the details of an unknown party in a transaction. It’s akin to showing an ID to prove your age -- a third party knows some kind of information about you, and the other party in the transaction trusts that third party.
We’ve posted previously about the details of how PATs work. In summary, they are built on an ecosystem of trusted relationships: attesters and issuers establish trusted relationships with each other, and issuers also build trusted relationships with origin administrators. When a client requests a resource from such an origin, the origin can request that the client provide a token from a trusted issuer. If the client supports this, it can ask its trusted attester to retrieve a token from the specified issuer. When trust is maintained properly between all these parties, assuming the client has the correct property that the origin is looking for, a blindly-signed, cryptographically-secure token can be generated and shared back up the chain to give the client access to the requested origin resource, since the origin will have definitive proof that the client has the property that it wants.
It is important to note that although we’ve mainly focused this post on defeating automated abuse with PATs, and therefore using them to replace CAPTCHAs, PATs are designed to be used to privately attest to any information an origin wants to have. They are not limited to ‘human vs. bot’ classification. Origins may want to serve up age-, geo-, or device-restricted content, and PATs allow them to verify that clients meet their requirements all while maintaining client privacy. This makes PATs a potentially preferable solution to the human vs. bot classification problem, because they can have other tangible business benefits, as well.
The main limitation to PATs today is related to their novelty. Currently, only Apple devices running iOS 16 or MacOS Ventura (currently in beta) support PAT challenges. Until the attester and issuer ecosystem ramps up to support more client device types, origin administrators will need a fallback system for verifying client properties when PAT challenges fail. However, given the obvious benefit of this protocol and the enthusiasm in the space already, it appears to be only a matter of time until other big-name device, browser, and OS vendors begin supporting PAT attestation.
For Fastly’s part, we’re excited to offer a demo issuer today for interested developers to tinker with. We also have a beta issuer program available for interested parties, and plan to include PAT challenges as a rule action in our Fastly Next-Gen WAF (powered by Signal Sciences). Be sure to reach out to our experts if you’re interested in any of these offerings, and follow along here as we share more information about PATs as the ecosystem develops.
This post is part of Privacy Week, where Fastly is bringing you stories about how we’re integrating privacy practices and technology into the very fabric of the internet.