Keith Uber At Apple’s recent Worldwide Developer Conference (WWDC), Apple software chief Craig Federighi announced to the world a new way for end-users to sign in to applications – Sign in with Apple.
The Good
Familiar to existing buttons “Sign in with Google” and “Sign in with Facebook”, and numerous other regional specific sign-in methods, Apple finally will start to capitalise on the amazing asset that they have – the identity and login information for every registered Apple user.
Apple was able to put a great spin on their service around privacy – a way to differentiate it from other existing services. The value of privacy and security is slowly being better understood by wider audiences.
It will certainly offer a smooth user-experience for Apple users. It will be very interesting to see how quickly and widely the service is adopted – beta testing is starting this summer.
The Bad
Not following standards. Period.
Apple’s keynote was light on details, however their developer portal opened up more information about how the service works. Rather than following industry standards, Apple again has decided to make their own unique implementation decisions. Hans Zandbelt has initiated a collection of deviations from the standard.
How Sign in with Apple differs from OpenID Connecthttps://t.co/lIjJL5GROV please provide input by adding comments.
— Hans Zandbelt (@hanszandbelt) June 16, 2019
Many of the choices made seem very hard to justify – what advantage is there to not just following the specification? The OpenID specification are, as the name suggest, open, and do not require licensing fees or licensing agreements.
This is unfortunate, as it makes integration to thousands of existing products and services more than just a configuration matter – it requires service-specific exceptions and behaviour tailored for Apple’s flavour. Implementations against Apple’s service will require additional testing as existing internal and standard test frameworks will not represent the behaviour of their service. Apple was thinking differently again.
The Ugly
Privacy concerns
One celebrated innovation in the Sign in with Apple service is the fact that the email address of the end user can be hidden from the connected service, and instead a persistent pseudonymous mail forwarding address will be used. This received a long round of applause. They forgot to mention on stage that neither Facebook login nor Google login actually require that the user shares an email address with services that request it.
When a service requests an email address, the user is presented with a dialog to “Share my Email” – sending your actual email address or “Hide my email” – to create a service specific forwarding address, such as [email protected].
Of course, this function requires that all email sent to the relay address are going through Apple’s servers, even if your original AppleID is using a non iCloud email address . Is that really privacy-protecting?
Forced adoption
As a condition of publishing an app in the Apple App Store, applications that offer other third-party sign in methods will be required to also offer “Sign in with Apple” as an option.
For many apps, this will require developers to rethink how to present additional sign-in methods, how to remember what has been used before and careful evaluation and testing of the new method. For apps that have never used third-party sign-in, expect your users to more vocal about requesting the addition of the “Sign in with Apple” service and consider adding also alternative login methods at the same time.
Easing the change
Through IdP Connect, Ubisecure offers solutions that can help companies offering online services to offer third-party login services and allow their users to connect one or more to their online accounts. We shield applications from a lot of the related complexity and protect user privacy by keeping the data close to the application and under the control of the service provider. We also help large enterprises with existing users and accounts to offer login services to their users – that is the ability offer their own branded “Sign in with” button, based on open standards.
Talk to us today about IdP Connect, our services that connect the identities from identity providers to service providers.
About The Author: Keith Uber
Keith is VP Customer Success at Ubisecure.
His specialities include: Identity and Access Management, identity federation, authorisation, access governance, authentication policy and technology, and privacy.
More posts by Keith Uber