Facilitating the Spread of Knowledge and Innovation in Professional Software Development

Write for InfoQ


Choose your language

InfoQ Homepage News Sign In with Apple Touts Single Sign-On without Sharing Your Data

Sign In with Apple Touts Single Sign-On without Sharing Your Data

This item in japanese


At the recent WWDC 2019, Apple announced its own Single Sign-On (SSO) service, dubbed "Sign In with Apple". Deemed "Apple's most significant new innovation" by Time, Sign In with Apple promises not to share any personal user data, including email addresses.

On the WWDC 2019 stage, Apple software engineering head Craig Federighi remarked SSO

can be convenient, but it also can come at the cost of your privacy — your personal information sometimes gets shared behind the scenes and these logins can be used to track you.

Besides directly sharing some of your personal data with SSO providers, SSO is indeed key to the possibility of companies such as Facebook and Google to track you while you surf the Internet.

Instead, said Federighi, Apple can let users sign in using FaceID without sharing any personal information. Sign In with Apple fits perfectly in Apple's policy about data privacy and its attempt to position itself as a bastion against commercial exploitation of private user data.

Apple's approach to privacy certainly has its appeal for many privacy-aware users. As many commenters on Hacker News highlight, though, users are paying a price for the privacy Apple provides them in terms of vendor lock-in. Additionally, you must blindly trust Apple policies, since there is no way to actually know what Apple is doing with the data you provide them.

To make things easy for developers, Apple will be providing an API to show a "Sign In with Apple" button and carry through the authentication process using FaceID. In case an app requires an email address to keep in touch or send notifications to the user, Sign In with Apple will let users choose whether they want to share their real email address or create an ad-hoc email relay address. This will forward all of the emails it receives to your main email address, the one you use as an Apple ID, which will be known to Apple only. Since each app will use its own random, ad-hoc email address, users will also have the chance to disable those email addresses on a case-by-case basis.

Apple is also requiring all app developers who use SSO services to include support for Sign In with Apple, and give the corresponding button prominence over Google's, Facebook's, or other third-party login providers. It is important to note that this requirement is specified at the level of Apple Human Interface Guidelines, which is not mandatory. Whatever new rules concerning SSO usage Apple might decide to include in its App Store Review Guidelines -- which are mandatory for apps to be included in the App Store -- they will not be known until the official iOS 13 release this fall.

As a final note, several analysts believe that, while appraisable, Apple's new service may bring the company under legal scrutiny because of the strict integration with the App Store and the requirement for developers to use Sign In with Apple in their apps and give it prominence over alternatives.

Rate this Article