Among the laundry list of nuances and updates Apple unveiled at its WWDC 2019 earlier this month, one was Sign In with Apple, a privacy-oriented feature allowing users to use their Apple ID to log into third-party apps and websites.
The idea of a “single sign-on” isn’t anything new. As a matter of fact, more than a million sites integrate the OpenID protocol, counting Google, Amazon.com, Microsoft, and PayPal among its customer base -- but not Apple.
The benefits for single sign-ons are many -- like reducing password fatigue to saving time not having to re-enter passwords for the same ID -- but, according to one industry organization, it could pose potential security issues when used with other single sign-on mechanisms.
Here’s the rub
Apple probably didn’t expect any problems when it decided to veer away from the Open ID blueprint and create its own version, but one has reared its ugly head.
The OpenID Foundation (OIDF), a non-profit organization whose primary goal is standardizing the technology and keeping all its implementers on the same page, says that Apple’s version of the technology could possibly put its users’ security and privacy at risk.
In a letter to Apple, OIDF praised Apple's authentication feature for having "largely adopted" OpenID Connect. But after that pat on the back, the tone of the letter changed.
“The current set of differences between OpenID Connect and Sign In with Apple reduces the places where users can use Sign In with Apple and exposes them to greater security and privacy risks,” cautioned ODIF’s Nat Sakimura.
OIDF didn’t leave Apple twisting in the wind, however. Its team put together a checklist of recommended code modifications Apple could employ to close any gaps between Sign In with Apple and OpenID Connect.
Should you use Sign In with Apple?
For the moment, the next step is open-ended and sitting on Apple’s desk. As you might expect, Apple has rigorously defended Sign In with Apple, and there’s no guarantee that the company will respond to OIDF’s clarion call.
Nonetheless, if a consumer decides to use Sign In with Apple, they’re promised, for one thing, that Apple won't use the tool to track internet activity, a plus that the company says it has over Google and Facebook’s single log-in widgets.
Another consumer plum is that if a user decides not to share their personal information, any site or app that requests the consumer’s email will instead be given a unique, Apple-generated email address that those messages will be forwarded to, in essence masking their true identity.
"The concept of being able to sign in without using a real email address is a step in the right direction for consumers,” was the take of Ray Walsh, data privacy expert at ProPrivacy.com, and part of an expert panel Engadget asked for its consumer take on the situation.
“Being able to sign in without sharing a real email address removes one crucial bit of data from those services' hands. However, web services still get to collect other crucial data from users when they visit their sites -- which can still be used to track them. When you visit a website, that service automatically receives your IP address; this is an extremely valuable tracking tool. Thus, Sign in with Apple is only removing one small piece of trackable data from the equation."
Dana Simberkoff -- chief risk, privacy, and information security officer at AvePoint -- explained that the feature could be good for both Apple and consumers.: "If it's done right, not only [is it] a win for Apple but also a win for consumers that may be able to take advantage of a more privacy-centric sign-in option,” she said.
Florian Schaub, assistant professor at the University of Michigan School of Information, agrees that the consumer comes out a winner with Apple’s single sign-on process. "The ability to easily generate random email addresses and Apple handling the management of those credentials will make it much easier for consumers to protect their personal information when interacting with mobile apps and online services,” he said.
“It's interesting to see Apple take on the well-established single sign-on offerings by Google, Facebook and others but with a focus on making it easier for people to protect their privacy. It will of course require you to trust Apple to stay true to its promise and not track or analyze with which services you have accounts and how often you log in to those."