News

OpenID Foundation Claims ‘Sign in with Apple’ Has Critical Gaps, Poses Security and Privacy Risks

The OpenID Foundation on Thursday issued an open letter to Apple’s Software Engineering chief, Craig Federighi, which says that while the iPhone maker’s “Sign in with Apple” feature bears similarity to OpenID Connect, it does provide exposes them to greater security and privacy risks.

“The OpenID Foundation applauds Apple’s efforts to allow users to login to third-party mobile and Web applications with their Apple ID using OpenID Connect,” the letter begins.

However, it quickly points out that while Apple has “largely adopted” Connect in Sign in with Apple, a number of differences shrink the areas where Apple’s login system can be used and expose the system to privacy and security threats.

The differences are said to place “an unnecessary burden” on developers working with both OpenID COnnect and Sign in with Apple, since Apple’s code isn’t compatible with OpenID Connect Relying Party software.

The letter asks Apple to “address the gaps” by doing the following:

  1. Address the gaps between Sign In with Apple and OpenID Connect based on the feedback.
  2. Use the OpenID Connect Self Certification Test Suite to improve the interoperability and security of Sign In with Apple.
  3. Publicly state that Sign In with Apple is compatible and interoperable with widely-available OpenID Connect Relying Party software.
  4. Join the OpenID Foundation.

Sign in with Apple testing will begin later this summer, leading up to the public launch of iOS 13, which is where the new login system will debut.

Apple says the new login system is a new, more private way to quickly sign into apps and websites. Users will no longer need to fill out a form to create a login, or use their Facebook or Google accounts to sign in. Instead, they can use their Apple ID to authenticate. Apple will protect users’ privacy by providing developers with a unique random ID. When developers request a name and email address, users will have the option to keep their real email address private, and can share a unique random email address instead.

Chris Hauk

Chris is a Senior Editor at Mactrast. He lives somewhere in the deep Southern part of America, and yes, he has to pump in both sunshine and the Internet.