Naked Security

Apple battles Facebook and Google with rival sign in service

Apple's WWDC was full of surprises including a new feature designed to make signing up for websites more private: Sign In with Apple.

Apple’s World Wide Developers Conference (WWDC) on Monday was full of surprises. One of them was a new feature designed to make signing in to apps and websites more private: ‘Sign In with Apple’.

You know how you’ve signed up for dozens of accounts on websites over the years? You have to enter your email address, choose a password that meets the site’s requirements, store it (hopefully in a password manager)… and soon after comes the flood of junk mail from the site’s needy marketing team.

Some folks use a throwaway email address service for each new account. But what if you want to see some of that mail? How sure are you that the dummy address won’t be reused in the future by someone else? And how do you know whether the website is going to store your password securely?

The other option is to use a single sign-on service from one of the two big providers, Google or Facebook. When you see a ‘Sign In With Google’ or ‘Sign In With Facebook’ button on a website, it’s offering to let you use your Google or Facebook identity for a quick, one-click sign-up or sign-in, with no new password to choose, as long as you’re already signed into Google or Facebook.

The problem with services like these is that the companies running them (and their hidden partners) end up knowing more about you than your grandmother.

Sign In with Apple is Cupertino’s privacy-conscious version of those services. The idea is to make signing in – and signing up – to websites as simple as possible, without having to provide any personal information.

When a website or a mobile app supports Sign In with Apple, you’ll be able to register for an account by authenticating on your device (on a suitably specced iOS device, that means Face ID or Touch ID). So, just like Facebook’s and Google’s social sign-in features, you can create an account with a single button. Apple then acts as a go-between, vouching for your identity to that website or app instead of you handing it a password.

Privacy-focused

Unlike Google’s and Facebook’s sign-in features, though, Apple’s focuses on privacy in addition to convenience. It sends the third-party app nothing about you beyond a name and an email address, and it even gives you the option to use an email address that it randomly creates and manages for you instead of your real one. When the app mails that address, Apple forwards the message to you, but you can kill the address at any time, so you never have to unsubscribe from a needy app’s email list.

Is this a direct broadside at Facebook and Google? Apple CEO Tim Cook told CBS:

We’re not really taking a shot at anybody.

The fact that Apple software engineering chief Craig Federighi displayed the Sign In with Facebook and Sign in with Google buttons on a big screen when announcing the feature suggests otherwise. But we digress. Cook added:

We focus on the user. And the user wants the ability to go across numerous properties on the web without being under surveillance.

What’s under the hood?

What’s the technology behind this service? At the time of writing, Apple hadn’t revealed if it’s using an industry standard service to support this operation, or if it’s going it alone.

Google and Facebook both build their single sign-on services on OAuth 2.0, the IETF’s delegated-authorization framework (RFC 6749). Strictly speaking, OAuth 2.0 only lets a site act on your behalf; the site learns who you are from a layer on top of it. Google’s button uses OpenID Connect, which hands the site a signed ID token, while Facebook’s hands over an access token that the site then presents to Facebook’s Graph API to fetch your profile.

However, Apple has been experimenting with Web Authentication (WebAuthn), a W3C standard developed with the FIDO Alliance, which is another password-free sign-in mechanism.

WebAuthn, combined with version 2 of another protocol called the Client to Authenticator Protocol (CTAP2), makes up the FIDO2 standard, which also streamlines two-factor authentication. It lets you use a hardware security key (over USB, NFC or Bluetooth) to sign into browser-based apps without a password: the key signs a fresh challenge from the site with a private key that never leaves the device. That’s what Apple shipped in a preview version of the Safari browser in December.

A blow for monetization?

Sign In with Apple sounds very neat, but there’s a small catch: It’s an offer that developers can’t refuse. In an update to its developer guidelines, Apple said:

It will be required as an option for users in apps that support third-party sign-in when it is commercially available later this year.

So, as with most things Apple, developers are in a kind of gilded cage. Those supporting third-party sign-in from Facebook or Google won’t have a choice but to add this feature, effectively removing their direct relationship with the user, just as App Store subscriptions put Apple in between the content or service provider and the user. It could force online content and service providers to rethink their monetization models overnight. Maybe that’s no bad thing.

On the other hand, this looks like a good thing for the many users fed up with handing over their privacy when they sign up for online services. It’s also fantastically convenient, because it makes it even easier to sign up for (and into) a service on an iOS device. You won’t even have to bother storing a password in Apple’s keychain now. It will also work via the browser on other platforms, or so Apple assures us.

What do you think? Will you use this service? Let us know in the comments.

8 Comments

What a great idea (cough, gag) to put access to everything in the trust of one entity. But who should I trust more, a company that profits from harvesting people’s data, or a company that profits from harvesting people’s data? Decisions, decisions. I know, let’s ask the government. NSA, who do you think we should trust?

How is this “more private”?
Sounds much like storing your data on “someone else’s computer”…

Apple’s will be the service I recommend to all my clients, as opposed to those offered by the other major companies. I feel strongly about my clients’ privacy concerns!

Good on Apple for coming up with this feature so we don’t get spam email from all those leeches out there.

So… unlike the agnostic alternatives, to use it you must own an iDevice?
I can see the argument “if you want to use it, buy an iDevice”. But… some of us don’t like the iDevices (had one for work and thought the keyboard was awful).

Now… if they put out an app for Android that could leverage the system (assuming FIDO, it should be possible), it could become a viable option.

Facebook login: I get easier login at a heavy privacy cost, do not want (also won’t work for me at home as I’ve null-routed all of Facebook).

Google login: I get easier login at a moderate privacy cost as they’re already forcing themselves on me to use a significant chunk of the internet. GTFO.

Apple login: I get easier login at the cost of nothing they don’t already have anyway as an apple device owner, at the cost of being locked into their ecosystem. I’ll use it if I can do so to log in to an existing account and disabling it is an available option, otherwise no.

Services I really care about all have 2fa with my phone already, so I don’t want to break that by making it 1fa of just my phone – that’s a step backwards. So no.

Wall of text over.

That’s a direct attack from Apple towards Facebook and Google, and that’s a good thing for users! I have some doubts over their “no tracking” promise though, as Apple has its own ad business. I would trust an independent company that focuses only on the login and has no other business more: I would trust ProtonMail more for managing my emails than the behemoth Google :).
