At WWDC 2019 earlier this month, Apple unveiled its new Sign In with Apple platform, which gives users a privacy-friendly alternative to sign in platforms from Facebook and Google. This week, however, the OpenID Foundation is questioning some of the decisions Apple made for Sign In with Apple.
The OpenID Foundation is a non-profit organization with members such as PayPal, Google, Microsoft, and more.
In a public letter to Craig Federighi, the OpenID Foundation writes that Apple has “largely adopted” OpenID Connect for Sign In with Apple, but that there are some notable differences. The foundation argues that the differences between Sign In with Apple and OpenID Connect limit the places customers can use Sign In with Apple and pose security and privacy risks: “The current set of differences between OpenID Connect and Sign In with Apple reduces the places where users can use Sign In with Apple and exposes them to greater security and privacy risks. It also places an unnecessary burden on developers of both OpenID Connect and Sign In with Apple. By closing the current gaps, Apple would be interoperable with widely-available OpenID Connect Relying Party software.”
MacDailyNews Take: OpenID is still around? Well, it’s nice to see that what’s left of it is still able to read the writing on the wall.
How does supposedly “reducing the places where users can use Sign In with Apple” expose users to greater security and privacy risks?
Crickets.
What OpenID — PayPal, Google, Microsoft, etc. — are really concerned about is that their business models are about to lose yet another way to track the world’s well-heeled smartphone, tablet, and personal computer users.
The fact is that users risk their personal security and privacy by stupidly signing in with the likes of privacy-trampling tracker Google et al. in the first place.
I don’t think OpenID’s statement is a matter of opinion. It’s either true or false.
They certainly can be wrong; however, this smells like a blatant lie. I think their concerns are in the proprietary nature of Apple’s sign-in process, which they do admit is mostly conforming to OpenID standards.
Apple provides a randomly generated email address and lacks the ability to track the person.
They both have to trust Apple’s proprietary validation process and lose tracking or spamming the user. Seems too much.
They do not have to accept it. Just don’t use Apple’s logon process. See how that works for you.
I know what I am going to use.
Several years ago, when I tried to delete some mistakenly created OpenIDs, I came to the conclusion I didn’t want any part of their system.
This sounds like CurrentC complaining that Apple Pay will reduce the number of stores where iPhone users can make contactless payments.
I got the impression (though they are deliberately obscure) that they are claiming it’s less secure only because, in the places you can’t use it, customers may use very insecure means in its place when it is not available. Interestingly, Apple would claim, of course, that by limiting who can use this method to those it trusts, it would be a security asset, as such sign-in should not be applied to suspect sites in the first place. Will be interesting to see who proves to be telling the truth here. With some of the guys on the OpenID side, I rather feel it’s them more concerned about losing business rather than any unspecified security threat, but hey ho, others may feel differently, and when Cook is around, who knows what devious ways to milk an opportunity he may be seeing.
But some of us remember that the major security concerns with Apple Pay were not the Apple side of the affair but the banks’ blasé approach to giving out access to it outside of Apple’s control, so I can understand why Apple might see this one differently, both in terms of security and in terms of those given access to its use; otherwise its ‘security’ may become meaningless in reality.