WWDC: What you need to know about Sign In with Apple

Credit to Author: Jonny Evans | Date: Tue, 04 Jun 2019 11:32:00 -0700

There’s lots of interest in Apple’s new Sign In with Apple system, a highly secure, private way to sign in to apps and websites. Here’s what you need to know:

Apple has noticed that sign-in systems for services, apps, and websites rely on services that use your action of signing in to place cookies on your computer and track what you do.

Apple’s focus on privacy means it is attempting to restrict such practices, which is why it has developed the new system as a more private way to sign into these apps and services.

The idea is that Apple doesn’t track you and makes the entire process as private as possible.

Not from what I have seen. Sign In with Apple works with your Apple ID. This means that instead of filling out forms, verifying email addresses, and choosing (and struggling to remember) new passwords, you can just tap the Sign In with Apple button to get started straight away. This makes it as easy to use as most other authentication systems, and — Apple claims — much more private.

The system relies on your Apple ID. That means when you choose to sign into something, you can use your Apple ID to authenticate and Apple will then provide a unique random ID to access the service. In the future, you continue to log in as seamlessly as any other authentication service, but Apple continues to protect your privacy.

If developers, sites, or services demand you share your email address, you can provide it if you wish, though Sign In with Apple can also generate a random email address for that service. This limits what the service learns about you, but it still allows those offering the service to contact you, while not actually gathering your real email address.

That doesn’t seem to be the case. Apple’s system works merrily with Face ID or Touch ID. It also has two-factor authentication built in.

It is not true that Apple knows what you are doing. In keeping with its privacy models elsewhere across its platforms, the company works to collect as little information about you as it can. Apple promises that it “does not use Sign In with Apple to profile users or their activity in apps.”

There are hackers, fraudsters, and automated fake account creation tools all over the modern internet. This is bad news in lots of ways — take a look at the millions of fake users deleted by Twitter in recent months and the impact on follower counts for some high-profile users for an idea of how these fakes sully social media discourse.

Apple says Sign In with Apple uses on-device machine learning and “other information” to prevent fake or fraudulent account creation, or, as Apple puts it, “It uses on-device machine learning and other information to provide a new privacy-friendly signal that helps you determine if a new user is a real person or an account you might want to take another look at.”

Sign In with Apple is designed to work on all Apple’s platforms, but that’s not going to be much use on other platforms, is it? This may be correct at this stage of deployment, but there are strong signals suggesting Apple has a plan for that.

The feature works natively on all Apple’s platforms, and it works in any browser. That’s important, as that cross-platform browser support means you can use it on websites and services and in versions of your app working on other platforms. You can learn more about how to deploy the system on websites and other platforms using HTML and JavaScript here.

I’ve spoken with non-Apple developers involved in the enterprise space at and around WWDC. Jamf, for example, says because they already support authentication services from Google and Microsoft, they are interested to see if they can help enterprises use Apple’s new and ultra-private sign-in system across their own internal applications and services, and in what other ways it could help improve rapid deployment and on-boarding of employees, services, and apps.

Given Sign In with Apple is accessible to other platforms and websites with little more than a few lines of code, it seems probable many enterprise users may choose to deploy the service internally and externally in some scenarios.

Apple doesn’t seem to care too much about the data broking industry. The company has gone on record to warn against the chilling impact of privatized web surveillance and privacy erosion on democracy, freedom, and public discourse. While there is a need in many industries for access to such data, Apple’s decisions mean most of us can look forward to giving more informed consent before granting third parties access to such data. Apple CEO Tim Cook puts it this way: “If there is no privacy, freedom plummets,” he told CBS.

Sign In with Apple will be available for beta testing this summer. Apple says it will be required as an option for users in apps that support third-party sign-in “when it is commercially available later this year.” Apple won’t force you to use the system, but it clearly hopes that when given the choice of using its private system or less private options, most of us will choose to use Sign In with Apple.

I think we will.

Another privacy-protecting enhancement Apple delivered at WWDC is a new tool that lets users allow an app to track their location only once, which may help make people aware of how their location data can be exfiltrated and used.
