Apple let the public know that it has introduced a new way to stop third-party sites and services from getting your information when you sign up for an app. According to Apple software engineering chief, Crag Federighi, one-click sign on can be convenient for consumers but can come at the cost of users’ privacy. Personally identifiable information (PII) sometimes is shared behind the scenes and these logins can be used to track individuals.
To secure user data, Apple is introducing a feature to allow developers to add a “sign in with Apple” feature that will authenticate users’ identities without turning over any data to a third-party company.
Apple's single-sign-on feature isn't as sexy as a new phone or operating system, but it could have an massive impact on user security and privacy for years to come https://t.co/L3d6Nmq3nC
— WIRED (@WIRED) June 5, 2019
Expert Comments:
Ben Goodman, vice president of global strategy and innovation, ForgeRock:
“
Yesterday’s news of “Sign in with Apple” forces the issue of organizations and providers to modernize their authentication methods, and places Apple at the forefront of this shift. This new capability moves securing identities beyond user names and passwords toward tokenized authentication. By tokenizing login Apple potentially eliminates passwords all together, which are the weak link in the security chain. This is different than typical single sign on (SSO) via Face/Touch ID, which still contains a username and password which can be hacked.
Consumers are becoming hypervigilant of being aware of how their data is used by organizations. And they gravitate towards companies and vendors that both show respect for their privacy and give them controls to manage it. Apple is betting big on this and has made end-user privacy a key pillar of their strategy. The new “Sign in with Apple” capabilities provide consumers the convenience of other SSO and rapid registration tools, but Apple’s business model prioritizes privacy over data collection.
As well, this new feature from Apple supports better identification of users from the start of managing an identity. We’re beginning to see these identity schemes from organizations that are seen as “anchors of trust,” such as banks, governments and telcos. And Apple is positioning itself as one of these “anchors of trust” by incorporating privacy and service from the outset and providing a better way to authenticate user identities, without trading seamless sign on capabilities and privacy for access to data.
However, implementing all of these different methods for SSO will be difficult for many businesses and application providers. In addition to the raw overhead of having to support multiple authentication and registration schemes in every app, there is the danger of overwhelming the users with too many authentication options, especially if an option doesn’t apply to them in their current context. This is why business and app owners need an identity platform that can support all of these different schemes and provide many options to integrate them into applications. As well, the identity platform needs to be intelligent enough to understand the end-user context and only present them the authentication options which are relevant to them.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.