Amongst the reveals we saw at WWDC 2019 was a new technology for apps and the web: “Sign in with Apple.” It’s supposedly a more private way to sign into apps and services, according to the company. But if Apple’s version is more private, what are you actually giving away when you sign in with a competing sign-in option from Google, Facebook, or Twitter? And how does Apple plan to do things differently?
If you’ve ever signed up for anything online, you’re no doubt familiar with the option to sign in with one of your existing accounts, something called single sign-on (SSO). If you already happen to be signed into Facebook or Google or whatever on your phone or in your browser, it’s a one-click (or one-tap) process.
That’s one of the benefits from the user side: It’s quick and convenient to sign in to third-party accounts. You don’t have to type out your name and email address, or think up a new password, or pick a new profile picture, because this data can be collected from your existing account (and without the connecting app ever seeing your main Google or Facebook password).
As far as the positives go, it also acts as a sort of password manager solution. You only have to remember your Facebook or Twitter password to sign into multiple apps and sites, rather than setting up multiple sets of login credentials. In the case of a Google connection, you can pay with Google Pay, save files to Google Drive, and so on, without setting up new services every time.
The downsides are, of course, privacy-related: Another third-party app or service gets access to data about you that you might not want to share. Plus, the big tech giants like Facebook and Google know even more about what you’re doing online and on your devices when you use their SSO option. So what exactly are you giving away?
When you sign in with Facebook, Google, or another similar sign-in option, you should be shown the parts of your existing profile that you’re giving up to the new developer, as well as the privileges that the new app or service has—some will want the power to post to your Facebook profile, for example, while others won’t.
Certain sections of these deals (usually your name and email address) will be either take it or leave it—you have to give up that information to use the SSO option; others (like granting access to your contacts, for instance) may be optional. But you should at least be told the terms of the agreement before you make the final decision whether to use the login services you have available.
Underpinning all these seamless connections are the open standards OAuth 2.0 and OpenID Connect, developed as a way of making online life more convenient and secure for users and developers alike. From a security standpoint, the downside to this convenience is that if a hacker gains access to your Google, Facebook, or Twitter account, they can also access the apps you’ve signed into with those credentials. But those companies may have better security practices than some smaller companies, so the risk may even out.
Two considerations, though. First, there’s the data and access the third-party app gets to your Google, Twitter, or Facebook account. Apps are supposed to treat your data with care, but we know that doesn’t always happen, which is why these single sign-on methods are best used for apps and sites you trust and know. As always, it’s best to read through data privacy policies when you connect in this way—even if most people never do it.
Remember, apps and sites don’t often work in isolation, and many of them will be selling your data in the background, sometimes to the same buyers. Even if Google isn’t selling your purchasing history, a third-party app might be, and the more apps you connect, the bigger that profile grows.
Secondly, there’s the extra data that Google, Facebook, and Twitter get on you: at the very least, they collect the apps that you’re using and how often you sign into them. Again, that gives these tech giants a more comprehensive picture of who you are and what you get up to in your digital life, just like running searches on Google or following brands on Facebook.
You can find the details of this data collection in the relevant privacy policies. According to Facebook’s policy, for example, apps using a Facebook login to connect may provide “information about your device, websites you visit, purchases you make, the ads you see and how you use their services.” A game developer can report back to Facebook about the games you’re playing, a business can report back on what you’re buying, and so on.
Besides the issue of data privacy, there’s also the chance that an app you thought you could trust is going to do something you don’t want with your contacts, or your tweets, or whatever it is you’ve allowed it to access along with your accounts. This could be because a third-party developer has gone rogue, or because the third-party app has had its own security measures breached.
This is why time and time again we’ve recommended running a regular audit of the apps, sites, and services connected to your main accounts and removing those third-party connections you no longer need. For your Google account, you can do this here, and there are similar options online for Facebook and Twitter.
If existing SSO options have their advantages and disadvantages, then how is Sign in with Apple different? From what we know so far, it uses similar technology to OAuth 2.0 and OpenID Connect, so on the surface at least, you’re going to see a very familiar flow if you choose Sign in with Apple over the other SSO options.
Apple’s sign-on works out of the box with Touch ID and Face ID, which makes it extra convenient. (Google does support fingerprint login on third-party apps, but it’s dependent on developers implementing it and is not yet widespread.) It will require accounts to have two-factor authentication enabled too, something which you should be setting up on all your accounts anyway.
The most immediate difference with Apple is the throwaway email addresses you can create and use, if you don’t want to expose your actual email address: It means the third-party app or site never sees your real email address, and you can cut off contact in an instant by wiping the temporary email address from existence.
It also makes it less straightforward for marketers to use your email address to track you across multiple apps and sites. Email addresses are one of the key ways ad-tech companies can connect the dots between profiles, and with a throwaway email address, that’s not going to happen so much.
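The linkage described in the two paragraphs above, as an added example that is not part of the original article: two apps' records are joined on a hashed email address, first with the user's real address and then with a separate throwaway address per app. The sample data, the `relay.example` domain and the HMAC-based alias derivation are constructed assumptions for illustration, not Apple's scheme.

```python
import hashlib
import hmac

def match_key(email: str) -> str:
    """Hashed, normalized email of the kind used to match records across datasets."""
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()

def relay_address(user_secret: bytes, app_id: str) -> str:
    """Hypothetical per-app alias (assumption, not Apple's derivation)."""
    tag = hmac.new(user_secret, app_id.encode(), hashlib.sha256).hexdigest()[:16]
    return f"{tag}@relay.example"

def linked_users(dataset_a: dict, dataset_b: dict) -> dict:
    """Join two apps' records on the hashed email and merge what each knows."""
    index = {match_key(rec["email"]): (uid, rec) for uid, rec in dataset_a.items()}
    merged = {}
    for uid_b, rec_b in dataset_b.items():
        hit = index.get(match_key(rec_b["email"]))
        if hit:
            uid_a, rec_a = hit
            merged[(uid_a, uid_b)] = {"a": rec_a["activity"], "b": rec_b["activity"]}
    return merged

# Constructed sample data: one person signs up to two unrelated apps.
SECRET = b"constructed-user-secret"

def signups(use_relay: bool):
    real = "Pat.Doe@example.com"
    game_email = relay_address(SECRET, "game-app") if use_relay else real
    # Different casing and whitespace: normalization still matches the real address.
    shop_email = relay_address(SECRET, "shop-app") if use_relay else " pat.doe@example.com"
    game = {"g-17": {"email": game_email, "activity": "plays nightly"},
            "g-18": {"email": "other@example.com", "activity": "plays weekly"}}
    shop = {"s-90": {"email": shop_email, "activity": "buys headphones"}}
    return game, shop

def demo():
    """Return the merged profiles with the real address and with per-app aliases."""
    shared = linked_users(*signups(use_relay=False))
    aliased = linked_users(*signups(use_relay=True))
    return shared, aliased

if __name__ == "__main__":
    shared, aliased = demo()
    print("real address:", shared)
    print("per-app aliases:", aliased)
```

Hashing the address does not prevent the match, because every party hashing the same address gets the same value; only a different address per app removes the common key.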
Email addresses and Touch ID aside, on a practical level, not a huge amount is different: Apple is simply asking you to trust it more than you trust Google, or Facebook, or Twitter, with the data that’s getting pulled in. That comes with the usual Apple promises: as much data as possible being stored locally and anonymously on devices, rather than attaching it to your profile in the cloud.
Would it be enough to stop another Cambridge Analytica from happening? Ultimately, you still need to be careful with the apps you choose to use your Apple credentials with: It doesn’t necessarily act as a foolproof method of protection against unscrupulous app developers and marketing firms.
Google has a good rundown of what to consider before granting access to any app or service, no matter what SSO method you’re using—considerations of security, privacy policies, the ability to view and delete the data held about you, how much access other parties have to that data, and so on.
From the other side of the table, we do know that Facebook and Google (and to some extent Twitter) are much more interested than Apple in piling up as much data on you as they can. You’ll need to balance that against other considerations—such as whether the app you’re signing into needs access to Google Drive or Google Maps—when deciding which button to hit.
Apple can’t share where you went to school or your favorite movies with a third party, for example, because it just doesn’t have that information. The sharing in both directions is much more limited, and that in itself might be enough to draw you towards the Apple sign-on option when the feature rolls out fully later this year. Whether it’ll be quite so attractive to app makers remains to be seen.