OpenID Alleges Sign In With Apple Is An Epic Privacy Fail And Major Security Risk
The OpenID Foundation has penned an open letter to Apple imploring the company to make changes to its 'Sign-In with Apple' technology that is infused in iOS 13. According to the letter, there are concerning "gaps" between Apple's implementation and OpenID Connect, and those gaps expose users to "greater security and privacy risks."
"The current set of differences between OpenID Connect and Sign In with Apple reduces the places where users can use Sign In with Apple and exposes them to greater security and privacy risks. It also places an unnecessary burden on developers of both OpenID Connect and Sign In with Apple. By closing the current gaps, Apple would be interoperable with widely-available OpenID Connect Relying Party software," the letter states.
Back at its Worldwide Developers Conference (WWDC) in June, Apple took at dig at both Google and Facebook, saying their own sign-in buttons share a lot of private information behind the scenes. In contrast, Apple lauded its upcoming sign-in feature, which developers can integrate into their apps. Apple pointed out that Sign-In with Apple uses Face ID for authentication and will not reveal personal information.
Furthermore, Apple stated that users can choose to keep their email address private—apps would get a randomized email address instead, which would then get forwarded to a user's real email address.
OpenID's point of contention is that Apple is leveraging OpenID Connect for Sign-In with Apple, but with key differences that make it less secure and not as private. Therefore, it is calling on Apple do the following...
- Address the gaps between Sign In with Apple and OpenID Connect based on the feedback.
- Use the OpenID Connect Self Certification Test Suite to improve the interoperability and security of Sign In with Apple.
- Publicly state that Sign In with Apple is compatible and interoperable with widely-available OpenID Connect Relying Party software.
- Join the OpenID Foundation.
OpenID itself is an open standard and decentralized authentication protocol. It is promoted by the OpenID Foundation, a non-profit consortium that counts Google, Microsoft, and PayPal among its members.
Apple has already begun testing iOS 13 with developer betas, and is expected to release a public beta later this month. A finalized version will make its official debut sometime in the fall.