OpenID Foundation says 'Sign In with Apple' is not secure enough

In an open letter, the OpenID Foundation says Sign In with Apple "exposes users to greater security and privacy risks."
Written by Catalin Cimpanu, Contributor

Craig Federighi on stage at WWDC '19 announcing 'Sign in with Apple'

The OpenID Foundation, the organization behind the OpenID open standard and decentralized authentication protocol, has penned an open letter to Apple regarding the company's recently announced "Sign In with Apple" feature.

In its letter, the organization said that Apple has built Sign In with Apple on top of the OpenID Connect platform, but the Cupertino company's implementation is not fully compliant with the OpenID standard, and as a result "exposes users to greater security and privacy risks."

"The current set of differences between OpenID Connect and Sign In with Apple reduces the places where users can use Sign In with Apple and exposes them to greater security and privacy risks," said Nat Sakimura, OpenID Foundation Chairman.

OpenID Foundation urges Apple to become OpenID compliant

The OpenID Foundation published a list of differences between Sign In with Apple and the OpenID Connect platform, which Sakimura urged Apple to address.

The OpenID exec said these differences place an unnecessary burden on developers working with both OpenID Connect and Sign In with Apple, who now have to support two different authentication standards and deal with each one's quirks.

"By closing the current gaps, Apple would be interoperable with widely-available OpenID Connect Relying Party software," Sakimura said.

OpenID Foundation asks Apple to join

OpenID Connect is a modern and very widely-adopted identity protocol built on the OAuth 2.0 protocol. It enables applications to let users sign in with accounts on third-party services using a unified and standardized method.

The OpenID Foundation includes members such as Google, Microsoft, Cisco, Oracle, PayPal, and Akamai, among many others. All these companies have pledged to support the OpenID standard, and build products that closely follow it, or create third-party login solutions that are OpenID compatible.

Apple is not a member, but Sakimura has asked the company to join the foundation after it addresses the gaps between Sign In with Apple and OpenID Connect, passes the OpenID Connect Self Certification Test Suite, and publicly announces that its system is OpenID compatible.

Apple has not responded to a request for comment regarding Sakimura's open letter.

Apple announced Sign In with Apple at the WWDC 2019 developer conference last month. The feature lets users sign into websites and applications using their Apple ID. Apple said its new third-party login system will focus on user privacy and preventing user tracking, and will give users more control over what they share with the third-party site when they create an account. Users can choose to share only selected details, or they can even share a randomly generated email address. More information is available in our previous coverage.

Updated on October 4 to add that Sign in with Apple is now OpenID compliant.
