Apple Emphasizes Privacy With Single Sign-On Feature

'Sign in With Apple' Seeks to Halt Tracking
Apple executive Craig Federighi introduced a privacy-focused login tool that doesn't reveal real email addresses to apps. (Source: Apple)

The "social login" has always been a bit of a devil's bargain.

Sure, it was convenient to seamlessly use Facebook or Google credentials to log in to another app or service. The social login offered an easy alternative to the fatigue of creating yet another set of login details.

But using Facebook or Google credentials for another app or service opens the door for granular observation of a user's internet activity, and that information can be used for targeted advertising. Plus, services could immediately learn more about those who were visiting their sites or using their apps based on data passed to them by Google and Facebook.

Now, however, Apple is seeking to upend those kinds of data exchanges as it increasingly seeks to use privacy as a competitive advantage. At Apple's Worldwide Developers Conference in San Jose on Monday, Craig Federighi, Apple's senior vice president of software engineering, introduced a new single sign-on authentication mechanism within iOS 13, the latest mobile operating system due to be released later this year.

The feature, called "Sign in with Apple," will allow for Apple credentials to be used to sign into other apps and services. Federighi says Apple wanted to solve the problem of social logins being used as data collection tools.

How the Apple sign-in tool will appear in an app (Source: Apple)

"Your personal information sometimes gets shared behind the scenes, and these logins can be used to track you," Federighi says.

Reduced Data Sharing

The difference, however, is that Apple will share little information with those services. Apps will only be able to ask for a user's name and email address. And users can choose not to reveal their real email address. Instead, Apple will create a unique address to supply to an app, and then email communications from the app will be forwarded. This borrows from other privacy-focused services that offer persistent and unique email addresses.

For example, Abine's Blur service offers "masked" email addresses and the ability to turn off forwarding if a service sends too many emails. Likewise, Federighi says Apple users will be able to turn off the forwards.

Apple will give users the option to not reveal their real email address to services and apps but instead a forwarding address. (Source: Apple)

Assigning unique email addresses to different services also blunts the impact of data breaches. If a service gets hacked or exposes that unique forwarding email, it's not as big of a deal. Plus, if a separate service starts sending communications to the unique email address, it will be obvious which one has had a security incident.

Apple says it won't track the login activity. "You're in control of your data," the company says.

Threat to Targeted Advertising?

Some observers say that "Sign in with Apple" could pose problems for the advertising businesses of Google and Facebook. Email addresses are key data for targeting ads. But persistent, unique emails would foil that targeting.

"Apple has 1 billion device owners," writes Steve Cheney, co-founder of Estimote, a company that specializes in wireless sensor app technology. "Make no mistake, 'Sign in with Apple' can severely fracture the ad $$$ engines of FB and Google."

Apple's control of the App Store and wide deployment of iOS devices give it power to impose the feature. It plans to require developers to enable "Sign in with Apple" for apps that support other third-party login tools, and a beta testing program will be launched later this year.

That doesn't mean users have to use it - they can still opt to create their own set of new credentials - but the apps must offer it.

Some observers have questioned whether apps will accept Apple's unique email addresses. Some services forbid registration of accounts with email addresses using certain domains. But crossing Apple isn't likely to benefit an app or service.


About the Author

Jeremy Kirk

Managing Editor, Security and Technology, ISMG

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.



