Apple wants to own the only account you use to sign in to services across the internet. On Monday, the company unveiled Sign In with Apple, a log-in service similar to those offered by Google and Facebook. Unlike those two, Apple says it will protect your privacy by creating new, anonymized email addresses for each service access via Sign In. That’s all well and good, but there’s a bigger concern to be addressed: Is using your Apple account to sign in to apps and services safe in the first place?
When it launches later this year, Sign In with Apple will let users log in to services on any platform using their Apple account. On the iPhone, you can even use Face ID or Touch ID to confirm your identity, which spares you from remembering complex passwords or dealing with randomly generated authentication codes.
For people inside the Apple ecosystem, it could be one of the most secure systems around. If you step outside of Apple’s world, however, security gets a bit weaker.
Apple didn’t respond to a request for comment, but according to the company’s website, Sign In with Apple will be available on the web, which means it can be used on any non-Apple device, obviously without the protections offered by Face ID or Touch ID. In that case, users will have to rely on the security of their Apple account itself, and it appears they’ll only be able to protect their account with weaker, SMS-based two-factor authentication (2FA). That could leave not only their Apple accounts more vulnerable, but any app they log in to with Apple, as well.
Apple’s new sign-in feature — as well as its Google and Facebook counterparts — is what’s known as a “Single Sign-On” (SSO) service. You log in to one product, like your Facebook account, on your computer or phone. Then, when you want to log in to another service on that same device — Spotify, say — Facebook generates a token that confirms your identity. Instead of having to remember passwords for hundreds of different apps, you can remember just one.
It’s an appealing promise, but it’s not flawless. The biggest drawback to SSO — whether it comes from Apple or someone else — is that if there’s a failure in the way you sign in to your primary account, then it can make all your accounts vulnerable. Someone with access to your Facebook account could, for example, also get in to your Spotify account. It’s like putting all your eggs in one basket. Security for your primary SSO account has to be as good or better than all of the other accounts you use it to sign in to.
Fortunately, that is often the case. Google, for example, offers one-tap 2FA that lets users tap a single button on their phone to confirm who they are, providing a powerful extra layer of security. This is easier than entering a code with an authenticator app and safer than using SMS. Facebook, on the other hand, has undermined trust in its own security features by attaching the phone numbers to users’ personal profiles, but it does offer stronger, app-based 2FA options, too.
Apple currently sits somewhere between these two. When first setting up your account, Apple uses that less safe, SMS-based authentication. After setup, iOS users can rely on Face ID, Touch ID, or pop-up prompts on their phones to confirm their identity, though SMS remains the only option if you don’t own an Apple product.
Despite all the options, many people practice poor security hygiene. In 2017, when the Pew Research Center conducted a study about cybersecurity, 39% of adults in the United States used the same or very similar passwords across many sites, while an overwhelming 86% of them kept track of passwords by simply memorizing them. Both of these are inherently unsafe options. Reusing the same password means that if someone gets access to one of your accounts, they could have access to many of them. And the simpler a password is, the easier it is for an attacker to crack it.
You don’t just have to trust that your individual account is secure; you have to trust that the company’s servers are safe.
The best password is a long, complicated one that even you don’t know. Ideally, you’d store it in a password manager — but the key is to differentiate for each website. Even the CEO of password manager Dashlane, Emmanuel Schalit, admits that kicking the poor password habit is more important than using the perfect system.
“It is much better for someone to use something other than the same password everywhere, without a doubt,” Schalit says.
However, he also points out that SSO systems are vulnerable to attacks that password managers aren’t. In September 2018, Facebook disclosed a massive breach wherein hackers stole SSO security tokens for tens of millions of accounts. This token let attackers trick Facebook’s servers into believing they logged in to vulnerable accounts legitimately, highlighting another flaw with SSO: You don’t just have to trust that your individual account is secure — you have to trust that the company’s servers are safe. After Facebook spent most of 2018 dealing with breach after breach after breach, that can be a tough sell.
This means that whether any given SSO is “safe” can depend heavily on how much you trust the company you’re using. On this front, Apple might fare better than its competitors. Earlier this year, Apple dealt with a major FaceTime bug that may have allowed bad actors to listen in on your microphone, but nothing quite so serious as millions of Facebook accounts being exposed.
As Matias Woloski, CTO of identity management platform Auth0, explains, Apple’s track record will go a long way toward building trust. “Apple has a lot of experience in dealing with these types of things,” Woloski says. “They had to work hard to develop their security practices… I would say, not at the level of Google, but it has gotten much better over time.”
Apple is banking on edging out Google by playing the privacy angle. Those other companies, Apple argued in its keynote, will give away your private info every time you use their sign-in button. As mentioned, Sign In with Apple will let you randomly generate an email address to avoid exposing even that level of data, theoretically protecting you from invasive tracking.
Single-use email addresses aren’t a new idea, but the open question is whether Apple can make them intuitive enough that everyday users understand them. “It is not a bad idea to do the kind of things Apple is recommending with disposable emails,” says Schalit. “Our consumer research showed that, conceptually, [people are] still struggling with the idea of randomly generated emails… So, we’ll see if Apple’s able to get traction.”
According to Apple, its anonymous email feature should work entirely behind the scenes, so users might not even notice a difference. Users will simply tap “hide my email” and Apple will create a middleman email address that forwards any messages you receive from the app to your real email account. You’ll receive emails like normal, but the app never knows your actual address.
Finding that right balance between the best possible security practices and what consumers will actually use isn’t easy. Apple seems to be getting close. You might technically be safer if you use a password manager to randomly generate passwords, enable app-based two-factor authentication everywhere — or better yet, use a physical security key — and never use a single SSO. But that’s a big ask.
Most people will make some compromises on security, and they may have to deal with the consequences eventually. It’s possible that one day someone could breach Apple’s servers and steal users’ tokens, as happened to Facebook.
On the other hand, Apple has made its living on making complicated things easy for the average user. The Macintosh made PCs easy for people who weren’t familiar with “personal computers” and the iPod with iTunes turned managing a complex music library into an everyday task. If using Sign In with Apple means some users stop reusing their simple passwords and keep their email addresses private, the trade-off might be worth it in the long run.