Back

OpenID vs Sign in with Apple

August 5, 2019
3 minutes read
Category: Security
Author: Aleksandar Branković

A little more than a month ago, at their WWDC2019 Apple announced a new feature that would let third-party apps authenticate users using their Apple ID. 

If you’re not quite sure what “Sign in with Apple” would entail, think the Google or Facebook login systems, but with upgraded user privacy. 

All a user needs to do to log in is tap a button and they are then authenticated with Face or Touch ID on their device. They get to choose whether they want to share their actual email address with the app or one randomly generated by Apple. 

By randomly generating an email address, Apple wants to increase user privacy and put a stop to tracking users based on their emails. Best of all, this would prevent credential stuffing or spam should the app developer decide to sell your user data.

Sounds great, right?

At first, yes, I have to agree. However, not long after their announcement, OpenID Foundation penned an open letter to Apple questioning some aspects of the implementation of “Sign in with Apple” which could very well raise significant security issues. 

Let me first fill you in on OpenID and how Apple fits in.

OpenID Foundation praises “Sign in with Apple” for adopting many OpenID Connect features 

OpenID Connect is somewhat of a standard when it comes to allowing users to sign in to third-party apps using a standardized, unified method. Microsoft, Google, Cisco, Oracle and many more are members of this foundation, while all IPification services are OpenID Connect compliant.

The foundation would now like for Apple to join by following their protocols closely or simply adapting “Sign in with Apple” so that it is OpenID compatible. 

Right now, “Sign in with Apple” is pretty close to what OpenID Connect stands for and the foundation has applauded Apple’s efforts to provide a solution for users to safely log into third-party apps and services. 

However, after analyzing Apple’s solution, the Foundation is worried that the tweaks Apple has made to OpenID Connect could potentially expose the users to greater security and privacy risks. 

The gaps between OpenID Connect and “Sign in with Apple” may cause security and privacy issues

Although Apple is majorly relying on OpenID Connect standards, there are some differences that cause worry to the OpenID Foundation and other industry professionals, including ourselves. 

To start with, the foundation says that “Sign in with Apple” reduces the places where the users can use it to log in, consequently resulting in potentially exposing them to significant security, but also privacy issues. 

I’ll just give you a couple of ideas of what that could look like.  

The tweaks Apple has made to OpenID mean that this protocol can’t stop Cross-Site Request Forgery (CSRF) attacks, something that happened to Facebook recently. 

What that means is attackers could trick users into triggering various actions on websites they are logged into but aren’t currently using.

For example, you could click a malicious link sent to your email and end up triggering a money transfer on PayPal which you are still logged in. 

Moreover, another tweak could enable threat actors to complete code injection attacks or code insertion attacks should your personal data leak. And we don’t want any of that. 

It’s also worth mentioning that Apple insists that “Sign in with Apple” be put before other sign-in options which, “political” arguments aside, could mean that the users are being directed towards a less safe authentication solution. 

In addition, there are many peculiarities the foundation is worried about as well. 

Having all that in mind, I have to say that I’m afraid it’s only the question of when - and not if, this parting of ways will be exploited by an increasing number of threat actors online. 

The foundation has been keeping tabs of the differences between OpenID and “Sign in with Apple” in a document online, and is yet to complete the full analysis of the two solutions. 

Addressing these gaps is a viable solution to mitigating these issues

However, there’s a solution to every problem. Apple addressing these issues and complying with the OpenID standard could be the answer to this situation. 

Whether this will happen, we are yet to see. The foundation is asking Apple to address the gaps based on feedback, use the OpenID Connect Self Certification Test Suite to ensure interoperability and security of this method, and finally publicly state they are compatible with the OpenID Connect Relying Party software. 

We always welcome new methods here at IPification, but they should under no circumstances come with old issues that have already been solved with standardized protocols. 

We have decided to make IPification compliant with OpenID Connect because it is the best set of security protocols that authentication options can be built on. 

So, what do I think about “Sign in with Apple”? 

“Sign in with Apple” has the right idea, but its implementation is raising questions. UX-wise, it’s great. User privacy, which it claims to put first, is up for discussion since some of the potential issues could result in the direct opposite. Security-wise, there’s work to be done. 

In 2019, we cannot compromise between the three. 

More importantly, we don’t have to. We can have them all. 

That’s precisely what we are doing with IPification. 

IPification works by generating a unique mobile identity that includes various data provided by the mobile operator while still detecting any SIM card or device changes. And this process is done seamlessly in the background within a fraction of a second. 

IPification puts an innovative solution on top of already existing technologies to provide the easiest and the most secure authentication solution that respects the privacy of its users.