Apple single sign-on option promises privacy for users

Apple unveiled its own single sign-on service during its annual Worldwide Developers Conference and positioned it as a more private alternative to social SSO options from Google and Facebook.

The new offering, called Sign In with Apple, promises to be a more private option by limiting the data provided to third-party services, including the option to anonymize a user's email address by having Apple generate a random email address and forward communication back to users.

Apple's single sign-on (SSO) adds security by requiring users to have two-factor authentication on Apple ID accounts and integrating with Face ID and Touch ID on iOS devices. Sign In with Apple on the web would work much like any other SSO option.  

However, questions remain about exactly what data will be sent to third parties. Craig Federighi, Apple's senior vice president of software engineering, said onstage at WWDC that some of a user's app usage habits will be sent to developers. It is also unclear if the Sign In with Apple service uses standard OAuth or SAML protocols or a proprietary system.

Apple did not respond to requests for comment at the time of this post.

"As an Apple user myself, I quite like the private email relay service concept that will keep my personal email address private -- but, really, just to make it easier to unsubscribe from a particular vendor's email communications, if I so choose. It doesn't necessarily add much security," Sam Bakken, senior product marketing manager at authentication vendor OneSpan, based in Chicago, said via email. "In terms of enterprises relying on this to help manage employee identities, that could get complicated. I myself would likely want separate Apple IDs for my personal use and work use. And that sounds like a hassle -- if it's even allowed."

Apple does not currently support signing in with multiple Apple IDs on the same iOS device at the same time.

While the limits on the data provided to third parties may provide more privacy for users, it also could mean those third parties would have less incentive to implement the Apple single sign-on option.

However, Apple added a new guideline to the iOS App Store requiring apps to not only add Sign In with Apple as an option if the app offers other SSO options, but to place the Apple single sign-on button above competitors and ensure the button is "the same size or larger than other sign-in buttons."

Paul Bischoff, privacy advocate with product testing firm Comparitech, applauded Apple single sign-on for being more private, but said he didn't think "many developers would adopt it if it weren't mandatory."

"If you're on the developer side, you might not get as many email addresses and other pieces of personal information that can be used to track users and target them with ads," Bischoff said. "Apple has the right to set requirements for its own platform, though it's certainly a power grab from Google and Facebook."

"It could well be a competitor in the market. Not only is it mandatory for apps on the App Store to implement, it's also the only major company to offer a privacy-first single sign-on," he continued. "At a time when a lot of us are concerned about our online privacy and digital security, it's a very attractive option."

At a time when a lot of us are concerned about our online privacy and digital security, it's a very attractive option.

Rebecca Herold, CEO of Privacy Professor, noted a couple of red flags in the way the Apple single sign-on service has been presented.

"It is a huge privacy red flag for me whenever any tech vendor requires that their solution be used when other options are available," Herold said via email. "From a technology standpoint, that certainly is not necessary."

"It seems to be a pure power play to force developers to build products that will, ultimately, be used to gather access credentials, and subsequently associated capabilities, to a wide range of individuals' -- using Apple apps -- authentication information, to then be able to track all their other types of apps used, along with when, where and frequency, and possibly many other data points," she continued. "It also greatly increases the risks for unauthorized access to all those other apps whose authentication capabilities they now possess."

Merritt Maxim, vice president of research at Forrester, added that while data sent to third parties may be limited, Apple will still be collecting user data.

"The privacy approach here is different. But while Apple is not collecting any additional information, they will still have knowledge of where users are authenticating to which app, so [these] user actions are not completely anonymous," Maxim said.

"The challenge will always be [whether] Apple [can] change user behavior, especially for users who have already created an existing username and password at existing sites," he continued. "Even though social login has been around for years, actual adoption remains mixed, often because users are reluctant to change behavior, especially without any specific incentive."