advertisement
advertisement

Why Apple’s privacy-focused password killer hasn’t taken off yet

“Sign in with Apple” is more private, secure, and convenient than creating yet another password, but few apps support it so far.

Why Apple’s privacy-focused password killer hasn’t taken off yet
[Photo: Phil Desforges/Unsplash]

With the launch of iOS 13 in September, Apple introduced a new feature that’s supposed to help kill the password.

advertisement
advertisement

By using Sign in with Apple, you can log into iPhone and iPad apps just by clicking a button. You don’t have to remember new passwords, because any accounts you create become tied to your Apple ID. You even get an extra level of protection through Apple’s FaceID or TouchID biometric authentication features, which are required whenever you sign in.

But if you’ve upgraded to iOS 13, you’d be forgiven for not realizing that Sign in with Apple exists. Looking through the App Store’s top 200 free iPhone apps, I found just six apps that support the feature, versus 68 apps that offer sign-in buttons from other companies like Facebook and Google. Apple’s developer guidelines say that if an app supports those third-party options, it will also have to support Sign in with Apple, but so far, less than 10% of the most popular apps do.

Apple says it’s working closely with app developers on implementing Sign in with Apple and has given existing apps until April 2020 to do so. Still, some app makers may not be eager to abide by Apple’s new sign-in system. Although it provides more privacy for users by hiding some personal information (including email addresses) from app makers, it has also raised concerns over those companies’ ability to detect fraud and abuse.

Why Sign in with Apple matters

While other companies such as Facebook and Google already offer their own sign in buttons, those options allow app makers to access more of users’ personal information. Facebook, for instance, shares information from your public profile and by default can share private data, such as your birthday or email address. Google can share your name, email address, and profile picture, along with other info associated with your Google account.

By comparison, Sign in with Apple only shares your name and an email address with the app maker, and using your real email address is optional. Instead, you can set up a proxy email that forwards messages to your true address. If you disable the proxy or unlink your Apple account (through Settings > Apple ID > Password & Security > Apps Using Your Apple ID), the developer can no longer reach you.

Although some developers might not be enthused about a login method that keeps them at an arm’s length from their users, Apple isn’t exactly giving them a choice. By requiring Sign in with Apple alongside other login options, Apple gets to reinforce its position as a leader on privacy and security, provide a clear benefit for users, and kick some sand on the likes of Google and Facebook along the way.

advertisement

Searching for Apple’s sign in button

To their credit, some top app developers have been quick to embrace Sign in with Apple. Those include TikTok, Zillow, Bumble, GroupMe, Adobe, and WordPress. Several other developers have also told me that they plan to support Sign in with Apple in the coming months, including Dropbox, iHeartRadio, eBay, and Poshmark.

Other app makers that I contacted were more vague. Representatives for Yelp, Etsy, Pinterest, McDonald’s, Chick-fil-A, SoundCloud, and FuboTV said they had no plans to share. Nextdoor, Airbnb, Doordash, Uber, Venmo, Costar, Calm, News Break, Photomath, Shopify, Indeed, and Expedia did not respond to requests for comment.

That doesn’t necessarily mean those developers are planning to play chicken with Apple’s April deadline—implementing a new sign-in solution takes time, but developers may not be rushing with five months to spare—but they may have some reservations about the service.

Aaron Parecki, the security architect at the identity software firm Okta, says the new sign-in process will require developers to put a lot more faith in Apple, because they’ll have no way of determining the identify of new users on their own. Even if an app developer isn’t using an email or other personal information for nefarious purposes, that information does provide some level of protection against abuse, like from endless fake accounts on social media.

“This whole concept of a random email address is not something that app developers are used to dealing with,” he says.

This may help explain why Tinder, for instance, has so far held off on supporting Sign in with Apple. While the company would not explain its specific reasons, a representative for the dating app said it’s working to understand how it can use Sign in with Apple without compromising safety and privacy.

advertisement

“[T]he safety of our members is a top priority, and verifying a user’s identity using their login credentials helps us prevent those who have been removed for their conduct from accessing our service,” a Tinder representative said via email. “We are working with Apple to understand if Sign in with Apple helps us meet those goals.”

Even for developers that want to support Sign in with Apple, implementation raises some challenges. Matias Woloski, the CTO and cofounder of the identity software platform Auth0, notes that Apple isn’t providing app makers with any way to link an existing account to Sign in with Apple. Developers will have to store those links on their own servers, or pay for an authentication provider (like, say, Auth0) to handle everything.

“It’s more of an implementation issue, and dealing with all of those complexities, than a philosophy issue,” Woloski says.

Still, he does believe that Sign in with Apple is creating some tension for developers, who on one hand want to understand more about their users and target them with relevant ads or services, and on the other are finding that their customers have become more privacy conscious. He notes that out of roughly 8,000 paying Auth0 customers, he says, hundreds have been testing Sign in With Apple, though only a handful are using it in production. (Apple did not answer specific questions for this story.)

A deadline looms

For new apps, Apple is already making them support Sign in with Apple if they offer third-party options from the likes of Facebook and Google. As for existing apps, it’s unclear how Apple’s April 2020 deadline will play out. Woloski doesn’t think Apple will remove apps for failing to implement Sign in with Apple, but he could see the company rejecting app updates until they do.

Okta’s Aaron Parecki, however, says some developers may be hoping that Apple pushes back its deadline or allows for some exceptions, if only because forcing them to adopt a new login system is a pretty drastic and unusual measure. A staredown could be looming between Apple and some of the biggest developers on its platform, though Parecki says this could still go either way.

advertisement

“If enough companies do end up deploying it, then Apple has the upper hand, and they can pressure the other companies to have it,” Parecki says. “On the other hand, if everybody throws a fit and nobody implements it, then Apple’s in a weaker position.”

For the sake of fewer password headaches and greater privacy protections, let’s hope Apple comes out ahead.

advertisement
advertisement