'Sign In With Apple' not fully secure, says OpenID Foundation
At this year's WWDC, Apple announced 'Sign In With Apple' - a novel way of signing into apps on iPhone, iPad, and Mac. The option came as an alternative to the regular single sign-on buttons provided by Google and Facebook and promised enhanced security with Face ID/Touch ID authentication. However, weirdly enough, an organization claims that the option isn't fully secure. Here's why.
First off, what is 'Sign In With Apple'?
'Sign In With Apple' appears alongside the Facebook/Google sign-in buttons and lets you sign into apps/services using your Apple ID. The login is authenticated with Face ID or Touch ID, and no personal information, not even your email address, is shared with the service you're logging into. If an app requires an email address, the option generates a relay (dummy) address for the user to work with.
OpenID Foundation claims the tech is insecure
Though the announcement of 'Sign In With Apple' was met with widespread interest, a non-profit organization named OpenID Foundation has raised questions over the feature. They have written an open letter to Apple's software chief Craig Federighi, noting that the current implementation of the sign-in button could put the privacy and security of users in jeopardy.
Why they think the sign-in button is insecure
In the letter, they claimed that Apple's sign-in button is largely similar to the Foundation's own 'OpenID Connect' protocol, the standard that underpins third-party sign-in for applications. But, they claimed, Apple's service deviates slightly from OpenID Connect, which reduces the places where users can use Sign In with Apple and exposes them to greater security and privacy risks.
Apple asked to fill the gaps
Now, the Foundation has asked Apple to fill the gaps between the two services in order to make their offering better and more secure for the users. "By closing the current gaps, Apple would be interoperable with widely-available OpenID Connect Relying Party software," they said, noting that the company can use OpenID's suite of certification tests to improve interoperability of its button.
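To show what "interoperable with widely-available OpenID Connect Relying Party software" means in practice, here is an added example (not code from the article, from Apple or from the Foundation) of the standard checks a generic OIDC relying party runs on any provider's ID token: signature, issuer, audience, expiry and nonce. It assumes Apple's issuer URL and a constructed client ID, and uses an HMAC stand-in for the provider's RSA signature so it runs offline.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed values for the demo. A real relying party takes the issuer from
# the provider's discovery document and the client_id from its registration.
EXPECTED_ISSUER = "https://appleid.apple.com"  # assumption: Apple's OIDC issuer
CLIENT_ID = "com.example.app"                  # constructed client_id (audience)
DEMO_KEY = b"constructed-demo-key"             # stand-in for the provider's signing key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_demo_id_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Build a compact JWT with an HS256 tag. Constructed for the demo only:
    a real provider signs with RS256 and publishes its public keys via JWKS."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    tag = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(tag)}"


def validate_id_token(token: str, expected_nonce: str,
                      now: Optional[int] = None, key: bytes = DEMO_KEY) -> dict:
    """Generic OIDC relying-party checks; returns verified claims or raises."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, body, sig = parts
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url_decode(sig), expected):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        raise ValueError("token not issued for this client")
    if now >= int(claims.get("exp", 0)):
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:  # binds token to this login attempt
        raise ValueError("nonce mismatch")
    return claims
```

Any provider whose tokens pass these checks unchanged is what the Foundation calls interoperable; a provider that omits or alters one of these claims forces every relying party to special-case it.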
Apple asked to become OpenID's member
They have also asked Apple to become a member of the OpenID Foundation and to publicly state that 'Sign In with Apple' is compatible and interoperable with widely-available OpenID Connect Relying Party software. To note, Google, Microsoft and PayPal are among the existing members of the OpenID Foundation.