OpenID Foundation Claims 'Sign In with Apple' Could Expose Users to Security and Privacy Risks

At WWDC 2019 earlier this month, Apple announced Sign In with Apple, a new privacy-focused login feature that will allow macOS Catalina and iOS 13 users to sign into third-party apps and websites using their Apple ID.

signinwithapple
The feature has been largely welcomed as a more secure alternative to similar sign-in services offered by Facebook, Google, and Twitter, since it authenticates the user with Face ID or Touch ID, and doesn't send personal information to app and website developers.

However the implementation of Sign In with Apple has now been questioned by the OpenID Foundation (OIDF), a non-profit organization whose members include Google, Microsoft, PayPal, and others.

In an open letter to Apple software chief Craig Federighi, the foundation praised Apple's authentication feature for having "largely adopted" OpenID Connect, a standardized protocol used by many existing sign-in platforms that lets developers authenticate users across websites and apps without them having to use separate passwords.

Yet it cautioned that several differences remain between OpenID Connect and Sign In with Apple that could potentially put users' security and privacy in jeopardy.

The current set of differences between OpenID Connect and Sign In with Apple reduces the places where users can use Sign In with Apple and exposes them to greater security and privacy risks. It also places an unnecessary burden on developers of both OpenID Connect and Sign In with Apple. By closing the current gaps, Apple would be interoperable with widely-available OpenID Connect Relying Party software.

To remedy the situation, the foundation asked Apple to address the differences between Sign In with Apple and OpenID Connect, which have been recorded in a document managed by the OIDF certification team.

open id logo
It also invited the company to use OpenID's suite of certification tests to improve the interoperability of the two platforms, publicly state their compatibility, and join the OpenID Foundation.

Shortly after unveiling Sign In with Apple, the tech giant told developers that if an app lets users log in using their Facebook or Google logins, then it must also provide an alternative Sign In with Apple option.

The company then raised some eyebrows when it emerged that its updated Human Interface Guidelines asked app developers to place its authentication feature above other rival third-party sign-in options wherever they appeared.

(Thanks, Jonathan!)

Popular Stories

Apple WWDC24 Apple Intelligence hero 240610

Apple Explains iPhone 15 Pro Requirement for Apple Intelligence

Wednesday June 19, 2024 4:48 am PDT by
With iOS 18, iPadOS 18, and macOS Sequoia, Apple is introducing a new personalized AI experience called Apple Intelligence that uses on-device, generative large-language models to enhance the user experience across iPhone, iPad, and Mac. These new AI features require Apple's latest iPhone 15 Pro and iPhone 15 Pro Max models to work, while only Macs and iPads with M1 or later chips will...
Apple Intelligence General Feature

Apple Intelligence Features Not Coming to European Union at Launch Due to DMA

Friday June 21, 2024 9:44 am PDT by
Apple today said that European customers will not get access to the Apple Intelligence, iPhone Mirroring, and SharePlay Screen Sharing features that are coming to the iPhone, iPad, and Mac this September due to regulatory issues related to the Digital Markets Act. In a statement to Financial Times, Apple said that there will be a delay as it works to figure out how to make the new...
iPhone 16 Pro Max Generic Feature 2

5 Biggest Changes Rumored for iPhone 16 Pro Max

Wednesday June 19, 2024 5:00 am PDT by
Given Apple's rumored plan to add an all-new high-end tier to its iPhone 17 series in 2025, this could be the year for Apple to bring its boldest "Pro Max" model to the table — the kind of iPhone 16 upgrade that stands tall above its siblings, both figuratively and literally. If you have been holding out for the iPhone 16 Pro Max, here are five of the biggest changes rumored to be coming...
Apple Vision Pro 2 Feature 2

Apple Reportedly Suspends Work on Vision Pro 2

Tuesday June 18, 2024 8:17 am PDT by
Apple has suspended work on the second-generation Vision Pro headset to singularly focus on a cheaper model, The Information reports. Apple was widely believed to have plans to divide its Vision product line into two models, with one "Pro" model and one lower-cost standard model. The company is said to have been deprioritizing the next Vision Pro headset over the past year, gradually...
back to school 2024

Apple's 2024 Back to School Sale Launches, Up to $150 Gift Card With Mac or iPad

Thursday June 20, 2024 4:29 am PDT by
Apple has launched its annual Back to School promotion for college students in the United States. This year's promotion offers a free Apple gift card with the purchase of an eligible Mac or iPad. Apple is also offering students 20% off AppleCare+ plans. Apple is offering a $150 gift card with any new MacBook Air, MacBook Pro, or iMac, and a $100 gift card with the purchase of any new M4 iPad ...
iOS 17

Apple Releases First Public Beta of iOS 17.6

Thursday June 20, 2024 10:18 am PDT by
Apple today seeded the first betas of upcoming iOS 17.6 and iPadOS 17.6 updates to public beta testers, with the betas coming a few days after the initial iOS and iPadOS 17.6 developer betas. Public beta testers can get the beta by opening up the Settings app, going to the Software Update section, tapping on the "Beta Updates" option, and toggling on the iOS 17 or iPadOS 17 Public Beta....

Top Rated Comments

Precursor Avatar
65 months ago
OpenID "a non-profit organization whose members include Google, Microsoft, PayPal, and others."

Someone's in panic mode, less customer tracking huh
Score: 108 Votes (Like | Disagree)
garylapointe Avatar
65 months ago
Am I missing something in that the headline doesn't seem to support this with more info in the MacRumors story?

"reduces the places where users can use Sign In with Apple and exposes them to greater security and privacy risks."

Greater than what? Than no risk? Than not implementing 'Sign In with Apple'? Than Facebook?

"reduces the places where users can use Sign In with Apple"

Or is it just more risk in that it's not implemented everywhere?

Stating risk without actually reporting anything about the risk isn't really news and is kind of clickbaity...
Score: 68 Votes (Like | Disagree)
raybob Avatar
65 months ago
They’re worries because their biggest source of income “selling customers’” info is in jeopardy.
Google, microsoft and PayPal?!!!

It’s like pharmaceutical companies becoming members of a non profit which is concerned about cheaper medicine.
Score: 34 Votes (Like | Disagree)
btrach144 Avatar
65 months ago
I’m going to assume Apple knows what it’s doing here and purposefully chose to leave out parts of the OpenID standard that didn’t align with Apple’s security needs or vision.
Score: 26 Votes (Like | Disagree)
goobot Avatar
65 months ago
The title sounds like Apple sign in is flawed but the article says that it’s just not available everywhere which somehow makes it a sercurity risk?
Score: 25 Votes (Like | Disagree)
Baymowe335 Avatar
65 months ago
Not at all. I've already heard several Apple developers say they're concerned about the lack of interop with OpenID.
Not at all confirmed by your anecdotal story?
Score: 24 Votes (Like | Disagree)