OpenID Foundation says 'Sign In with Apple' is not secure enough
Craig Federighi on stage at WWDC '19 announcing 'Sign in with Apple'
WWDC 201
The OpenID Foundation, the organization behind the OpenID open standard and decentralized authentication protocol, has penned an open letter to Apple in regards to the company's recently announced "Sign In with Apple" feature.
In its letter, the organization said that Apple has built Sign In with Apple on top of the OpenID Connect platform, but the Cupertino company's implementation is not fully compliant with the OpenID standard, and as a result "exposes users to greater security and privacy risks."
"The current set of differences between OpenID Connect and Sign In with Apple reduces the places where users can use Sign In with Apple and exposes them to greater security and privacy risks," said Nat Sakimura, OpenID Foundation Chairman.
OpenID Foundation urges Apple to become OpenID compliant
The OpenID Foundation published a list of differences between Sign In with Apple and the OpenID Connect platform, which Sakimura urged Apple to address.
The OpenID exec said these differences place an unnecessary burden on developers working with both OpenID Connect and Sign In with Apple, who now have to support two different authentication standards and deal with each one's quirks.
"By closing the current gaps, Apple would be interoperable with widely-available OpenID Connect Relying Party software," Sakimura said.
OpenID Foundation asks Apple to join
OpenID Connect is a modern and very widely-adopted identity protocol built on the OAuth 2.0 protocol. It enables applications to let users sign in with accounts on third-party services using a unified and standardized method.
The OpenID Foundation includes members such as Google, Microsoft, Cisco, Oracle, PayPal, and Akamai, among many others. All these companies have pledged to support the OpenID standard, and build products that closely follow it, or create third-party login solutions that are OpenID compatible.
Apple is not a member, but Sakimura has asked the company to join the foundation after it addresses the gaps between Sign In with Apple and OpenID Connect, passes the OpenID Connect Self Certification Test Suite, and publicly announces that its system is OpenID compatible.
Apple has not responded to a request for comment in regards to Sakimura's open letter.
Apple announced Sign In with Apple at the WWDC 2019 developer conference last month. The feature lets users sign into websites and applications using their Apple ID. Apple said its new third-party login system will focus on user privacy and preventing user tracking, and will allow the user to be in more control of what they share with the third-party site when they create an account. Users can choose to share only selected details, or they can even share a randomly generated email address. More information is available in our previous coverage.
Updated on October 4 to add that Sign in with Apple is now OpenID compliant.
Apple WWDC 2019 keynote: Scenes and surprises
Related cybersecurity coverage:
- US Cyber Command issues alert about hackers exploiting Outlook vulnerability
- Cyberwarfare in space: Satellites at risk of hacker attacks
- D-Link to undergo security audits for 10 years as part of FTC settlement
- Cloudflare launches decentralized service for generating random numbers
- G20 supports proposal to make cryptocurrency exchanges hand over user data
- US wants to isolate power grids with 'retro' technology to limit cyber-attacks
- iOS developers still failing to build end-to-end encryption into apps TechRepublic
- The best identity theft monitoring services for 2019 CNET