Apple’s Worldwide Developers Conference (WWDC) on Monday was full of surprises. One of them was a new feature designed to make signing in to apps and websites more private: ‘Sign In with Apple’.
You know how you’ve signed up for dozens of accounts on websites over the years? You have to enter your email address, choose a password that meets requirements, store it (hopefully with a password manager)… and soon after comes the flood of junk mail from the site’s needy marketing team.
Some folks use a throwaway-email address service for each new account. But what if you want to see some of that mail? And how sure are you that the dummy address won’t get reused in the future by someone else? And how do you know if the website’s going to store your password securely?
The other option is to use a single sign-on service from one of the two big providers: Google or Facebook. When you see a ‘Sign In With Google’ or ‘Sign In With Facebook’ button on a website, it’s offering to let you use your Google or Facebook ID for a quick, one-click sign up or sign on, no password required, as long as you’re signed into Google or Facebook.
The problem with services like these is that the companies running them (and their hidden partners) end up knowing more about you than your grandmother.
Sign In with Apple is Cupertino’s privacy-conscious version of those services. The idea is to make signing in – and signing up – to websites as simple as possible, without having to provide any personal information.
When a website or a mobile app supports Sign In with Apple, you’ll be able to register for an account by authenticating on your device (on a suitably specced iOS device, that means Face ID or Touch ID). So just like Facebook and Google’s social sign-in features, you can create an account with a single button. Apple then acts as a proxy for you, managing your login credentials for that website or app.
Unlike Google and Facebook’s sign-in features, though, Apple’s focuses on privacy in addition to convenience. It won’t send the third-party app any data about you, and it even gives you the option to use an email address that it randomly creates and manages for you instead of your real address. When the app mails that address, Apple forwards it to you, but you can choose to kill the address at any time so that you don’t have to unsubscribe from a needy app’s email list.
Is this a direct broadside at Facebook and Google? Apple CEO Tim Cook told CBS:
We’re not really taking a shot at anybody.
The fact that Apple software engineering chief Craig Federighi displayed the Sign In with Facebook and Sign In with Google buttons on a big screen when announcing the feature suggests otherwise. But we digress. Cook added:
We focus on the user. And the user wants the ability to go across numerous properties on the web without being under surveillance.
What’s under the hood?
What’s the technology behind this service? At the time of writing, Apple hadn’t revealed whether it’s using an industry-standard service to support this operation, or if it’s going it alone.
Google and Facebook both use OAuth 2.0, an industry standard for online authentication from the IETF, for their single sign-on services.
However, Apple has been experimenting with Web Authentication (WebAuthn), which is another password-free sign-in mechanism supported by the FIDO Alliance.
WebAuthn and version 2 of another protocol, the Client to Authenticator Protocol (CTAP), together make up the FIDO2 standard, which also streamlines two-factor authentication. It lets you use USB keys to sign into browser-based apps without using a password. That’s what Apple shipped in a preview version of the Safari browser in December.
A blow for monetization?
Sign In with Apple sounds very neat, but there’s a small catch: It’s an offer that developers can’t refuse. In an update to its developer guidelines, Apple said:
It will be required as an option for users in apps that support third-party sign-in when it is commercially available later this year.
So, as with most things Apple, developers are in a kind of gilded cage. Those supporting third-party sign-in from Facebook or Google won’t have a choice but to add this feature, effectively removing their direct relationship with the user, just as App Store subscriptions put Apple in between the content or service provider and the user. It could force online content and service providers to rethink their monetization models overnight. Maybe that’s no bad thing.
On the other hand, this looks like a good thing for many users fed up with handing over their privacy when they sign up for online services. It’s also fantastically convenient because it makes it even easier to sign up for (and into) a service on an iOS device. You won’t even have to bother storing a password in Apple’s keychain now. It will also work via the browser on other platforms, Apple guarantees us.
What do you think? Will you use this service? Let us know in the comments.