OpenID Foundation Claims 'Sign In with Apple' Could Expose Users to Security and Privacy Risks

MacRumors

macrumors bot
Original poster
Apr 12, 2001
46,363
8,768



At WWDC 2019 earlier this month, Apple announced Sign In with Apple, a new privacy-focused login feature that will allow macOS Catalina and iOS 13 users to sign into third-party apps and websites using their Apple ID.


The feature has been largely welcomed as a more secure alternative to similar sign-in services offered by Facebook, Google, and Twitter, since it authenticates the user with Face ID or Touch ID, and doesn't send personal information to app and website developers.

However the implementation of Sign In with Apple has now been questioned by the OpenID Foundation (OIDF), a non-profit organization whose members include Google, Microsoft, PayPal, and others.

In an open letter to Apple software chief Craig Federighi, the foundation praised Apple's authentication feature for having "largely adopted" OpenID Connect, a standardized protocol used by many existing sign-in platforms that lets developers authenticate users across websites and apps without them having to use separate passwords.

Yet it cautioned that several differences remain between OpenID Connect and Sign In with Apple that could potentially put users' security and privacy in jeopardy.
The current set of differences between OpenID Connect and Sign In with Apple reduces the places where users can use Sign In with Apple and exposes them to greater security and privacy risks. It also places an unnecessary burden on developers of both OpenID Connect and Sign In with Apple. By closing the current gaps, Apple would be interoperable with widely-available OpenID Connect Relying Party software.
To remedy the situation, the foundation asked Apple to address the differences between Sign In with Apple and OpenID Connect, which have been recorded in a document managed by the OIDF certification team.


It also invited the company to use OpenID's suite of certification tests to improve the interoperability of the two platforms, publicly state their compatibility, and join the OpenID Foundation.

Shortly after unveiling Sign In with Apple, the tech giant told developers that if an app lets users log in using their Facebook or Google logins, then it must also provide an alternative Sign In with Apple option.

The company then raised some eyebrows when it emerged that its updated Human Interface Guidelines asked app developers to place its authentication feature above other rival third-party sign-in options wherever they appeared.

(Thanks, Jonathan!)

Article Link: OpenID Foundation Claims 'Sign In with Apple' Could Expose Users to Security and Privacy Risks
 

garylapointe

macrumors 68000
Feb 19, 2006
1,526
831
Dearborn (Detroit), MI, USA
Am I missing something in that the headline doesn't seem to support this with more info in the MacRumors story?

"reduces the places where users can use Sign In with Apple and exposes them to greater security and privacy risks."​

Greater than what? Than no risk? Than not implementing 'Sign In with Apple'? Than Facebook?

"reduces the places where users can use Sign In with Apple"​

Or is it just more risk in that it's not implemented everywhere?

Stating risk without actually reporting anything about the risk isn't really news and is kind of clickbaity...
 
Last edited:

BootsWalking

macrumors 65816
Feb 1, 2014
1,254
7,197
Doubtful Apple will agree to make their login system more interoperable since part of its strategic advantage is user lock-in. Just look at iMessage - it's one of the best features of Apple's ecosystem. Apple was rumored at one time to be working on an Android version of iMessage but were smart to shelve the project and keep it exclusive to iOS/Mac.
 

Mike MA

macrumors 68020
Sep 21, 2012
2,036
1,654
Lets see once more details are available. It’s a welcome and new feature, it will mature over time.
 
  • Like
Reactions: house13um

richard4339

macrumors 6502a
Sep 6, 2006
861
79
Illinois
If you look in the document it’s all little things, like Apple not providing adequate documentation for their differences, not returning a nonce which is a standard to help protect from MITM attacks, some methods and calls are names like the openid standards but do something else, and in some cases their documentation just flat out being wrong.

Doubtful Apple will agree to make their login system more interoperable since part of its strategic advantage is user lock-in.
Yeah, but as a dev just being able to reuse the same set of standards for Apple login as all the others makes my life easier and in general makes everyone more secure than having to hack together different code sets for every provider, more chances for me to mess up.
 

mi7chy

macrumors 603
Oct 24, 2014
6,016
7,010
Apple isn't the first to proxy email for privacy since domain name registrars have been doing it for ages with private domain registrations. Also, not comfortable with Apple MITM all the emails and have visibility into the sites and services I access plus all email visibility. Lastly, no hardware token integration like with 'Sign in with Google' and their Titan Security Key or built into Pixel 3a.
 

Westside guy

macrumors 603
Oct 15, 2003
5,407
2,257
The soggy side of the Pacific NW
I’ve had an OpenID for maybe 10-12 years... got it not long after that project started.

I’d completely forgot about it, though, until seeing this story. I forgot because I haven’t really been able to use it anywhere at all. A well-designed and well-thought-out service is nice... but if it never gains any traction, it’s pretty useless.

Not that I’m clamoring for “Sign in with Apple”. I’m glad Apple is offering it for the people who would otherwise spew their Facebook and Google credentials everywhere, but I’ll keep setting up individual accounts with individual passwords as needed. With services like the Keychain, or LastPass, it’s just as simple as using these federated authentication services.
 

mi7chy

macrumors 603
Oct 24, 2014
6,016
7,010
Hmm, the premise is “this is different from the others”. Why would Apple want to turn their different login system into the same as all the rest? What would be the point in doing that at all?
Interoperability. Same reason USB peripherals work across all devices otherwise you'll have proprietary Apple USB that only works on Apple devices and incompatible with non-Apple.
 

uroshnor

macrumors member
Nov 4, 2015
59
68
Doubtful Apple will agree to make their login system more interoperable since part of its strategic advantage is user lock-in. Just look at iMessage - it's one of the best features of Apple's ecosystem. Apple was rumored at one time to be working on an Android version of iMessage but were smart to shelve the project and keep it exclusive to iOS/Mac.
Part of the reason for them keeping FaceTime and iMessage exclusive, is patent issues. Both of those features have been subject of many lawsuits (being in America), and if they keep the capability Apple only, they have a defined scope (Apple devices) a revenue stream to defend with. If they tried to open it up, the Android and Windows versions would need to be free, and you'd then get into the "someone stole my patent and gave it away for free to the world lawsuits"
 

mariusignorello

macrumors 68000
Jun 9, 2013
1,597
1,996
Apple isn't the first to proxy email for privacy since domain name registrars have been doing it for ages with private domain registrations. Also, not comfortable with Apple MITM all the emails and have visibility into the sites and services I access plus all email visibility. Lastly, no hardware token integration like with 'Sign in with Google' and their Titan Security Key or built into Pixel 3a.
Well the part about it being built into the Pixel is mirrored by Apple’s 2FA being able to send codes to all your trusted devices.
 
  • Like
Reactions: jogu

Fukui

macrumors 68000
Jul 19, 2002
1,615
6
Interoperability. Same reason USB peripherals work across all devices otherwise you'll have proprietary Apple USB that only works on Apple devices and incompatible with non-Apple.
yes, but it just works™️
 
  • Like
Reactions: Jeff750

TheYellowAudi

macrumors member
Am I missing something in that the headline doesn't seem to support this with more info in the MacRumors story?

"reduces the places where users can use Sign In with Apple and exposes them to greater security and privacy risks."​

Greater than what? Than no risk? Than not implementing 'Sign In with Apple'? Than Facebook?

"reduces the places where users can use Sign In with Apple"​

Or is it just more risk in that it's not implemented everywhere?

Stating risk without actually reporting anything about the risk isn't really news and is kind of clickbaity...
Nope- a consortium made up of Google, MS & paypal is just mad that Apple is looking to upset the norm again. Hopefully Apple will do the 2 things they’re typically pretty good at doing:
1: NOT following the norm, & creating a new norm, &
2: doing all of it better than it had been done previously.
[doublepost=1561927448][/doublepost]
I’m going to assume Apple knows what it’s doing here and purposefully chose to leave out parts of the OpenID standard that didn’t align with Apple’s security needs or vision.
‘Zactly.
 

coolfactor

macrumors 601
Jul 29, 2002
4,398
4,041
Vancouver, BC
Not at all. I've already heard several Apple developers say they're concerned about the lack of interop with OpenID.
I'm trying to figure out how this even has anything to do with OpenID. This uses your iCloud credentials, or Touch ID and Face ID, if available.

This feels very much like they are scared that they'll lose tracking of a large percentage of (Apple) users, so they try to paint a negative light.

Need to read more into it.
 

coolfactor

macrumors 601
Jul 29, 2002
4,398
4,041
Vancouver, BC
Interoperability. Same reason USB peripherals work across all devices otherwise you'll have proprietary Apple USB that only works on Apple devices and incompatible with non-Apple.
USB is a funny example.

First, there's sadly, several versions of USB — A, B, mini, micro. It's hardly been a "universal" connector. Now Type C, which finally feels like a future-proofed design.

Secondly, USB existed on PCs long before Apple added it to the new iMacs and finally made it an industry standard. After the iMac, then PC vendors started using this long-ignored port.