At the WWDC 2019 conference today, Apple announced a new mechanism to let third-party apps authenticate users using their Apple IDs.
Named ‘Sign in with Apple,’ this new authentication mechanism works in the same way as other similar login systems provided by Facebook and Google, but with an added benefit of user privacy.
“http://www.zdnet.com/”Sign in with Apple’ is a fast, easy way to sign in, without all the tracking,” said Craig Federighi, Apple’s software engineering chief.
In an exclusive interview with CBS News’ Norah O’Donnell, Apple CEO Tim Cook said that his company wasn’t trying to take on Google and Facebook for first-party data, but moving privacy protections forward. Cook said:
You know, we’re not really taking a shot at anybody. We’re – we focus on the user. And the user wants the ability to go across numerous properties on the web without being under surveillance. We’re moving privacy protections forward. And I actually think it’s a very reasonable request for people to make.
However, Cook wants to frame it Apple aims to make it easier for developers to use its sign-in service and offer more privacy controls.
“A simple API allows a developer to add a ‘Sign in with Apple’ button right in their app. You just tap it, and you’re authenticated with FaceID on your device, logged in with a new account, without revealing any new personal information,” Federighi said. “Some apps may want a name, and maybe even an email to send you information when you’re outside the app.
“We do allow them to request this information […], but you can choose to share your actual email address, or you can choose to hide it,” Federighi said.
This new feature, according to the Apple exec, will generate a random email address, hosted by Apple, which will receive all communications and notifications from that app, and forward the emails to the user’s legitimate email address.
“That’s good news because we give each app a unique email address,” Federighi said, highlighting that apps will not be able to track users based on their email addresses anymore.
“You can disable any one of them at any time when you’re tired of hearing from that app,” the Apple exec said.
“It’s really great!,” he said.
Protection against spam and credential stuffing
And it is. By generating unique email addresses for each app, Apple will not only prevent user tracking, but it will also put a stop to email spam.
Shady app developers will often sell user data, to analytics providers or spam operators. Furthermore, even if the app developer has no intention of sharing a user’s email, a data breach can expose users’ emails to hackers.
If any of these unique emails leak or find their way into the hands of spammers, the user can deactivate the email and put a stop to any incoming stream of unwanted emails.
In addition, because the emails are unique per app, in the case of a data breach, hackers won’t be able to use the email address to associate it with a user’s real-life identity.
This, in turn, protects the user against credential stuffing attacks against their Apple account or accounts at other services.
And another good news is that ‘Sign in with Apple’ will also be available for the web and other platforms, and not just for iOS apps, according to an Apple design document.
Related cybersecurity coverage: