At Apple's global developer conference on Monday, the company unveiled a range of products and services, including a new Mac Pro, which consists partly of raw computing power and partly of cheese grater. However, a new feature mentioned in passing could have a significant impact on users' security and privacy for years to come. Apple now has its own single-sign-on scheme – and it's a fundamental overhaul of how such a mechanism works.
You've seen single sign-on before, even if you do not use it. Using this technology, you can use your Google or Facebook login to access other third-party services instead of having to set a unique username and password for each one. You centralize a group of accounts to a more secure login that you're more likely to actively monitor and manage, rather than storing a credit card for a one-off account that you've set a weak password for and then never thinking about it again.
At a glance, Sign in with Apple is similar to the alternatives, offering the ability to use your Apple ID as a unified login wherever developers integrate it. As part of its extensive, year-long project to protect privacy, Apple has added some additional protections that set its version apart.
Lily Hay Newman covers information security, digital privacy and hacking for WIRED.
One important difference: Sign in with Apple integrates seamlessly with Apple's authentication offerings
Even more dramatic is that you can hide your email address from third-party services using Apple's universal login. Unlike Facebook and Google, Apple randomly generates an e-mail address on your behalf that forwards communications from companies and institutions to your actual address.
"Capturing e-mail addresses has always bothered me," says Will Strafach, an iOS security researcher and CEO of the secure firewall iOS app Guardian. "Signing up with Apple allows you to get the most out of both worlds, so we can now send email updates to users without them knowing who they are, similar to how we use Apple's in-app purchases as their only payment method, so that we can accept payments without knowing user identities."
In practice, Sign in with Apple is probably not quite as seamless as stated. Apple must ensure that the emails it forwards are not accidentally blocked or caught in spam folders. From the user's point of view, you'll need to add two-factor authentication to your Apple ID account if you do not already have it. That's good! Everyone should do it anyway. But it's an extra step you need to take. And as practical as Touch ID and Face ID may be, you will not always log into accounts on your iPhone. On non-Apple devices, using Sign in with Apple is still comparable to using a single sign-on scheme.
The company also did not say much about the basics of Sign in with Apple. Jim Fenton, an independent privacy and security consultant who has worked on developing user authentication standards for the National Institute of Standards and Technology, hopes the feature will be based on well-tested, open standards such as the well-known OAuth protocol, to reduce the likelihood that unforeseen security problems occur later. Apple needs to be extra cautious about this feature, as it adds even more interaction with third parties for users.
And not that you would shed a tear, but Apple's interim e-mail option can also undermine popular digital advertising and marketing strategies in which people's e-mail addresses are used to track their online movements and preferences. For that very reason, companies like Google and Facebook, whose sales are mainly driven by advertising, may not add similar protection in the near future.
"When a merchant wants to contact a user, he then sends a message to Apple's obscure email address," says Fenton. "But I wonder if merchants have concerns that they will not get any information about the user they would get with other identity systems."
According to an update to the App Store Review Guidelines, Sign in with Apple will be available for beta testing this summer and will be required as an option in all iOS apps that support third-party sign-ins. An app can continue to choose to manage all logon and user authentication on its own. However, if it offers Google, Facebook, or other login options, it must also include Apple's. And once it's available on iOS, Sign in with Apple is likely to appear on all other operating systems and devices. Otherwise, a user who logged in to something on an iPhone would be excluded from it on a Windows laptop or an Android tablet.
A major disadvantage of single sign-on schemes that Apple's new offering cannot avoid is that they create a single point of failure for numerous sign-ups. Single sign-on acts as a kind of master key for all your accounts on the Internet. Once you lose it, you are exposed everywhere. Facebook's data breach in September was a fresh reminder of this. But Fenton and others say that Apple's track record in security is solid enough that the benefits outweigh the risks for the average person. And for those who are all-in on the Apple ecosystem anyway, one can only hope that Apple's privacy and security promises are serious.