The OpenID Foundation has openly questioned Sign In with Apple, a new feature in iOS 13 and macOS Catalina 10.15 that permits customers to log into web sites and apps using their Apple ID account without divulging personal details, such as their names or email addresses.
It allows iPhone, iPad and Mac users to sign in to apps and websites with their Apple ID.
The user is authenticated with Face ID or Touch ID while hiding their real email address by having Apple supply a unique, randomly created iCloud email address just for that one app or service. Moreover, each developer is assigned their own unique email address, meaning you can stop receiving unwanted emails from all their apps and websites with a few taps.
The non-profit organization penned an open letter to Apple’s software engineering chief Craig Federighi to warn that although the system doesn’t send any personal information to app and website developers, its implementation could put user privacy and security at risk.
The current set of differences between OpenID Connect and Sign In with Apple reduces the places where users can use Sign In with Apple and exposes them to greater security and privacy risks. It also places an unnecessary burden on developers of both OpenID Connect and Sign In with Apple. By closing the current gaps, Apple would be interoperable with widely-available OpenID Connect Relying Party software.
Sign In with Apple uses OpenID Connect as an underlying technology but the non-profit organization is now pushing the iPhone maker to adopt OpenID Connect instead, a “modern, widely-adopted identity protocol built on OAuth 2.0 that enables third-party login to apps.”
The organization is saying Apple would be wise to address the differences between the two sign-in systems. They’ve also invited Apple to become a member of the OpenID Foundation. OpenID’s members include Google, Microsoft, PayPal and others.
Sign In with Apple was introduced during the June 3 WWDC 2019 keynote.
Here’s Apple’s description of the upcoming feature.
Apple is introducing a new, more private way to simply and quickly sign into apps and websites. Instead of using a social account or filling out forms, verifying email addresses or choosing passwords, customers can simply use their Apple ID to authenticate and Apple will protect users’ privacy by providing developers with a unique random ID.
Even in cases where developers choose to ask for a name and email address, users have the option to keep their email address private and share a unique random email address instead. Sign In with Apple makes it easy for users to authenticate with Face ID or Touch ID and has two-factor authentication built in for an added layer of security. Apple does not use Sign In with Apple to profile users or their activity in apps.
Developers have reacted enthusiastically to Sign In with Apple but some are unhappy with the official rules because they prohibit embedding social sign-in buttons for Twitter, Google or Facebook without also providing a Sign In with Apple button as an alternative.
Apple’s Human Interface Guidelines mandate that Apple’s button be placed above all other sign-in buttons. “Prominently display a Sign In with Apple button,” reads an excerpt from the updated guidelines. “Make a Sign In with Apple button the same size as other sign-in buttons, and avoid making people scroll to see the button.”
Surprisingly, Google’s product management director publicly praised Apple’s new login button as a great step in the right direction even though it competes with Google’s own sign-in button.
I honestly do think this technology will be better for the internet and will make people much, much safer. Even if they’re clicking our competitors’ button when they’re logging into sites, that’s still way better than typing in a bespoke username and password, or more commonly, a recycled username and password.
Federighi said Sign In with Apple will be “an easy way to sign in without the tracking.”