Apple debuts privacy-minded “Sign in with Apple” SSO

Among the many announcements made during Apple’s annual developer conference, one stands out: the introduction of “Sign in with Apple”.


About the “Sign in with Apple” feature

Apple’s new single sign-on (SSO) authentication mechanism is similar to the one provided by Facebook, Google, LinkedIn, Twitter, and others, in that it will allow users to sign in to apps and websites without creating a new account.

But there are important differences, mainly focused on assuring users’ privacy.

Users will be able to effectively sign in with their Apple IDs, but apps will only be able to collect the user’s name and email address. In fact, if users so choose, apps won’t even be able to collect the latter, as Apple will give users the option of providing a randomly generated relay email address (hosted by Apple) instead.

This means that every app or website that the user signs into will receive a different, unique email address. This will prevent user tracking and effectively make selling or sharing this information pointless: if the user starts receiving unwanted emails, he or she can simply deactivate that particular email address.

Apple, for its part, promises not to track users as they interact with apps or websites that offer the Sign in with Apple option.

Also, the company made sure to point out, every account using Sign In with Apple is automatically protected with two-factor authentication and, on Apple devices, users are persistently signed in and can re-authenticate anytime with Face ID or Touch ID.

What’s in it for the app developers?

Apple says that the new feature will help developers spot fraudulent accounts.

“Sign In with Apple is designed to give you confidence in your new users. It uses on-device machine learning and other information to provide a new privacy-friendly signal that helps you determine if a new user is a real person or an account you might want to take another look at,” the company explains.

Nevertheless, Apple is not giving developers much of a choice on whether to implement the option or not.

“Sign In with Apple will be available for beta testing this summer. It will be required as an option for users in apps that support third-party sign-in when it is commercially available later this year,” the company pointed out in the updated App Store Review Guidelines, which also bring a number of new privacy-protecting rules for developers.

“The biggest problem with cybersecurity and raising awareness is the fact people tend to favour ease of use over protection as a rule. Being pushed by Apple should make this new feature the new normal and make those favouring minimal security realise how easy it can be to implement and use,” Jake Moore, Security Specialist at ESET, commented for Help Net Security.