Apple announced iOS 13, iPadOS and macOS Catalina at its WWDC 2019 developer conference last month. Besides new features and performance improvements, the new operating systems come with a major privacy-focused feature called ‘Sign In with Apple’. The feature has been widely appreciated, but the OpenID Foundation has questioned its implementation.
Apple says Sign In with Apple is a more secure alternative to similar sign-in options from Twitter, Google and Facebook. It uses Touch ID or Face ID to authenticate the user. Thus, it doesn’t send any personal information to website or app developers. But the new privacy feature has been questioned by the OpenID Foundation (OIDF), a non-profit organization whose members include Google, Microsoft and PayPal, among others.
The foundation praised Apple’s authentication feature in an open letter to software chief Craig Federighi, noting that it has “largely adopted” OpenID Connect, a standardized protocol that is used by several sign-in platforms. The protocol lets developers authenticate users without them having to use separate passwords. But there are some differences between Apple’s new feature and OpenID Connect that could put user privacy and security at risk (via MacRumors).
The heart of the matter
“The current set of differences between OpenID Connect and Sign In with Apple reduces the places where users can use Sign In with Apple and exposes them to greater security and privacy risks. It also places an unnecessary burden on developers of both OpenID Connect and Sign In with Apple. By closing the current gaps, Apple would be interoperable with widely-available OpenID Connect Relying Party software,” the letter said.
The OpenID Foundation has urged Apple to address the gaps between Sign In with Apple and OpenID Connect and to use the OpenID test suite to improve interoperability and security. In the letter, the organization has also urged Apple to join the foundation. Apple has made it mandatory for all third-party iOS apps that rely on SSO solutions to integrate the Sign In with Apple button. Developers also need to place the button above other SSO buttons. How Apple addresses these concerns remains to be seen.