The idea is that a user signing in to a webpage from an iPhone, iPad, or Mac has already passed a more stringent check, such as Face ID or Touch ID, to unlock that device, and an Apple ID is already signed in on the device from which Safari is visiting the page. The technical objective of Private Access Tokens is to let servers skip CAPTCHAs without letting those servers track client identity.
The token system that replaces the CAPTCHA verification step relies on a new HTTP authentication scheme and RSA blind signatures: the issuer signs a blinded value, so it cannot later link the token it signed to the token the client presents to a server. Private Access Tokens aim to do for Safari what Trust Tokens seek to do for Google’s Chrome browser.
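To make the blind-signature mechanism concrete, here is an added example (not Apple's code; a textbook Chaum RSA blind signature with a constructed, far-too-small demo key) showing the three roles of the scheme: the client blinds a token, the issuer signs it without seeing the real token, and the origin verifies it with only the public key. It also shows why the issuer cannot link issuance to redemption: even with its private key, any blinded value it saw can be "explained" as the origin of any redeemed token. The hash-to-integer step is a simplified stand-in for the scheme's full-domain hash.

```python
import hashlib
import math
import secrets

# Constructed demo key from two Mersenne primes (assumption: for illustration only;
# real deployments use 2048-bit RSA keys, and this key is trivially factorable).
P = (1 << 61) - 1
Q = (1 << 89) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # issuer's private exponent


def hash_to_int(token_input: bytes) -> int:
    """Simplified hash of the token input into Z_N (demo stand-in for a full-domain hash)."""
    return int.from_bytes(hashlib.sha256(token_input).digest(), "big") % N


def client_blind(token_input: bytes) -> tuple:
    """Client: multiply the hashed token by r^E so the issuer sees only a random-looking value."""
    h = hash_to_int(token_input)
    r = secrets.randbelow(N - 2) + 2
    while math.gcd(r, N) != 1:  # r must be invertible mod N for unblinding to work
        r = secrets.randbelow(N - 2) + 2
    return (h * pow(r, E, N)) % N, r


def issuer_sign(blinded: int) -> int:
    """Issuer (holds D): signs the blinded value; it never learns h or the final token."""
    return pow(blinded, D, N)


def client_unblind(blind_sig: int, r: int) -> int:
    """Client: strip the blinding factor r, leaving a normal RSA signature on h."""
    return (blind_sig * pow(r, -1, N)) % N


def origin_verify(token_input: bytes, sig: int) -> bool:
    """Origin (public key only): accept the token without contacting the issuer."""
    return pow(sig, E, N) == hash_to_int(token_input)


def issuer_can_explain_pairing(blinded: int, token_input: bytes, sig: int) -> bool:
    """Unlinkability check: for ANY blinded value the issuer recorded and ANY token later
    redeemed, a blinding factor r' exists that maps one to the other, so the issuer's
    records cannot tell which issuance produced which redeemed token."""
    h = hash_to_int(token_input)
    r_prime = pow((blinded * pow(h, -1, N)) % N, D, N)  # E-th root of blinded / h
    return (h * pow(r_prime, E, N)) % N == blinded and pow(sig, E, N) == h
```

Run `issuer_can_explain_pairing` across every blinded value and every redeemed token you generate; it returns True for all pairings, which is exactly the property that keeps the issuer from tracking clients.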
Another important aspect is that the system only sends authentication tokens while an app is running in the foreground. Throughout the process, the Apple ID signed in on the device is not shared with any of the involved parties. The tokens needed to bypass the CAPTCHA challenge and show that the client is not a bot will be available to apps that use WebKit and URLSession.