Friday, June 14, 2019

Sign in With Apple

Apple (MacRumors):

Sign In with Apple makes it easy for users to sign in to your apps and websites using their Apple ID. Instead of filling out forms, verifying email addresses, and choosing new passwords, they can use Sign In with Apple to set up an account and start using your app right away.

I’ve been wondering for 10 years or so when Apple was going to do this. This is late to the game, but it’s not too late to make a big difference.

I don’t really want to use it myself, because why insert a man-in-the-middle who can access all my accounts? Why link all my accounts to the same password? Why make logging into other services dependent on Apple’s server working? But, for the regular user who doesn’t even have a password manager, this is great.

All accounts are protected with two-factor authentication for superior security, and Apple will not track users’ activity in your app or website.

This is strangely worded. I would assume they aren’t and can’t track what’s going on in the app or site after login. But are they tracking which sites/services you log into (and how often and from where)? This would be very valuable competitive information. And probably of interest to law enforcement as well. It’s likely no worse than single sign-on using Facebook, Google, or Twitter, though.

Lily Hay Newman:

One important difference: Sign in with Apple integrates seamlessly with Apple’s authentication offerings—like Face ID and Touch ID—which provide strong security while also being quick and easy to use. No passwords to remember, no extra accounts to manage and worry about. Other single-sign-on schemes largely haven’t added support for biometric authentication yet.

And in an even more dramatic measure, Apple’s universal login will let you hide your email address from third-party services. Unlike Facebook and Google, Apple will randomly generate an email address on your behalf, which then forwards communications from companies and institutions to your real address.

Sarah Perez:

If I let Apple make up a random email address for me, does Apple now have the ability to read my email?

No. For those who want a randomized email address, Apple offers a private email relay service. That means it’s only routing emails to your personal inbox. It’s not hosting them.

But Apple absolutely can read any e-mail sent by the service that you’re logging into, since it’s sending the message to the relay address. And Apple has historically had aggressive server-side spam filtering that deletes some good messages before you can even see them. Does this make e-mail accounts hosted with other providers subject to that, too?

Ben Thompson (Hacker News):

This was certainly an interesting announcement in its own right: identity management is one of the single most powerful tools in technology. Owning identity was and is a critical part of Microsoft’s dominance in enterprise, and the same could be said of Facebook in particular in the consumer space. Apple making a similar push — or even simply weakening the position of others — is noteworthy.

Manton Reece:

People often ask me how we “win” against the big social networks, bringing more open platforms and indie blogging to everyone. It happens in small steps, not overnight. Sign In with Apple can be one of those small steps. Anything that moves people away from signing in with Facebook and Twitter is part of the solution.

Eric Young:

‘Sign on with Apple’ identity management system - is quite possibly the biggest announcement from Apple in years

Darrell Etherington (Hacker News):

Apple’s truly transforming into a privacy-as-a-service company, which shows in the way that it’s implementing both the new single sign-on account service, as well as its camera and location services updates in iOS 13. The SSO play is especially clever, because it includes a mechanism that will allow developers to still have the relevant info they need to maintain a direct relationship with their users – provided users willingly sign-up to have that relationship, but opting in to either or both name and email sharing.

Laurie Voss:

This is amazing chess by Apple, positioning them as pro-privacy while simultaneously making themselves a major aggregator of behavior, identity and customer relationships. Apple is pro-privacy... as long as you trust Apple with all your data.

Sean Hollister (MacRumors):

But Apple doesn’t seem to be content just selling its single sign-on as a convenient, pro-privacy option. As iOS developer Ben Sandofsky spotted today, the company has unilaterally decided that if any app offers Google, Facebook, or other third-party sign-on options, it’ll need to offer Apple’s sign-on too.

[…]

Plus, there’s a genuine argument to be made that offering Apple single sign-in is doing the right thing by users — who will no doubt already be logged into their own iPhones and iPads, and are one thumbprint or glance away from adding an extra level of security to that sign-in with a biometric Touch ID or Face ID login.

[…]

On the other hand, this is a terrifying example of the power Apple wields over developers. Apple just announced this feature, and now every developer that got comfy with Facebook, Google, etc. is going to have to add (and find space to add) a button and the underlying code at some undetermined point later this year, or else abandon single sign-on entirely, or risk their livelihood getting cut off?

Lauren Goode:

That doesn’t mean the end user has to use Apple sign-on. But it means it has to be there in sign on screen of the app. And we have yet to see how aggressively this is pushed.

And if you do sign up for an app or service using Apple sign-on and then you try to access that account from another device (like an Android phone) or non-Apple browser (like Chrome) you will be rerouted back to Apple.com to sign in.

Will it be pushed as aggressively as, say, iCloud Keychain is when you’re trying to use another password manager? Maybe. And that would be annoying.

Ricky Mondello:

My WWDC session, What’s New in Authentication, is now available to watch anytime!

I cover Sign in with Apple, iPad Apps for Mac, transcending Password AutoFill with one tap sign-in, Safari 13’s weak password warnings, SSO, WebAuthn, and more!

Aaron Parecki (tweet):

Thankfully, Apple adopted the existing open standards OAuth 2.0 and OpenID Connect to use as the foundation for their new API. While they don’t explicitly call out OAuth or OIDC in their documentation, they use all the same terminology and API calls. This means if you’re familiar with these technologies, you should have no trouble using Sign in with Apple right away!

Let’s walk through building a short sample application that can leverage Apple’s new API to sign users in.

Zack Whittaker (Hacker News):

app developers will have to switch on SPF for their outgoing email — to prevent others spoofing their emails — before they can use sign-in... which is mandatory.

Eric Ravenscraft:

It’s an appealing promise, but it’s not flawless. The biggest drawback to SSO — whether it comes from Apple or someone else — is that if there’s a failure in the way you sign in to your primary account, then it can make all your accounts vulnerable. Someone with access to your Facebook account could, for example, also get in to your Spotify account. It’s like putting all your eggs in one basket. Security for your primary SSO account has to be as good or better than all of the other accounts you use it to sign in to.

Nameless Wanderer:

This is the kind of stuff I’m scared of with Apple login. I entered all details perfectly on the mac yet it couldn’t verify me. I needed an iPad to finally login to my account.

Dan Masters:

Very valid concern. Apple is notorious for their subpar account management & backend – from repeatedly requiring re-authentication in macOS/iOS, to somehow always forgetting “Remember Me”, to using their own proprietary network-based 2FA rather than a time-based token system…

Previously:

Update (2019-06-19): Luc P. Beaudoin:

I totally agree with Apple requiring their login to be at the top. Nudge theory — for the good of users who know no better, ie the majority. However, law makers, being part of the majority, might disagree

Update (2021-01-01): Steve Yegge:

Apple is refusing my app because I won’t redesign it to shove Sign in with Apple down the customer’s throat, relegating other (BETTER) options (Google, Facebook) to a tiny link at the bottom.

[…]

I’ve spent MONTHS adding Sign in with Apple to my app because it’s a new requirement. It’s practically undocumented and was INSANELY hard to get working, and required a major backend redesign.

Steve Yegge:

Apple finally approved my app after I screamed loud enough; they no longer need me to arbitrarily rewrite my entire 4-year-old sign-in flow to suit their personal tastes du jour.

6 Comments RSS · Twitter


One thing we're going to have to figure out is customer support. Suppose someone uses Apple sign-in to create an account, and uses an anonymous address and doesn't provide their name. During their free trial period, they use in-app purchase to buy a subscription. Then they call my company for support (phone support is popular with our customers). How do we link the person on the phone to their account? We have some ideas but we're not sure yet.


Sören Nils Kuklau

I don’t really want to use it myself, because why insert a man-in-the-middle who can access all my accounts?

Because for many sites (especially small ones, but including big ones, like PlayStation Network), you don’t really know if you can trust them to keep your information secure.


@Sören They’re going to get my billing information either way, and I use unique e-mail addresses.




Sign Up with Apple is a dead horse. Even the fanboy sites like MacRumors, MacObserver, Cult and Mac didn't implemented this. Some special reasons for Apple resistance?

Leave a Comment