Apple is not always the first company to introduce a particular product or service. But when he finally decides to tackle something, he tries to do it better than everyone else. This is the message that Apple was trying to convey when it announced its new login feature with Apple this month at WWDC.
In a keynote address at Apple's annual developer conference, the company displayed the standard Facebook and Google login buttons on the screen – the same buttons you can use to sign in today. to applications or websites. They are often presented as the simplest solution to connect to a new application. instead of going through the process of entering an email address and creating a new password, you simply use your name and password from a service you already trust.
But Craig Federighi, IT manager at Apple, warned that "your personal information is sometimes shared behind the scenes and that this login information can be used to follow you." He then reduced the potential, thus revealing the response of Apple: Connect with Apple, the virtual connection of the company. button. "We wanted to solve this problem, and many developers are doing it too," Federighi said.
It is true that some developers were looking for a more private authentication option for applications, especially as an alternative to Facebook Login, which was the subject of a thorough review last fall after a serious breach of security involving Login having Compromised 90 million Facebook accounts. A security expert who told me about this story suggested that some elements of Apple's authentication feature, which has not yet been launched, might be more secure than other solutions.
But other application manufacturers have mixed feelings about what Apple has proposed. I talked to various developers who develop apps for iOS and Android, one of whom asked to remain anonymous because they were not allowed to speak on behalf of their employer. Some are skeptical that Connecting with Apple offers a radically different solution than that already available on Facebook or Google. The famous opacity of Apple for new products means that the manufacturers of applications do not yet have many answers as to the impact of the connection mechanism of Apple on their applications. And an application maker went so far as to refer to Apple's claim that its connection system would be offered if other connection systems were presented as "small".
As WIRED's Lily Hay Newman wrote last week, connecting with Apple allows you to use your Apple account credentials to connect to non-Apple apps. Like Facebook Login and Login with Google, it aims to "centralize a group of accounts around a more secure identifier that you are more likely to actively monitor and manage, rather than to prevent." a unique account that you have set with a weak password. "
Apple said the connection with Apple will be available for beta testing this summer. The company has also announced its intention to use Apple's Facial Facial Recognition features and Touch ID fingerprint recognition system on Apple platforms and the Web.
Apple uses the same basic protocols for its connection system as other systems in the industry. Earlier this week, a senior developer of Okta's identity management company analyzed the initial process of implementing the connection to Apple and said that Apple seems to be using standard technology for this feature .
"Fortunately, Apple has adopted the existing open standards OAuth 2.0 and OpenID Connect … Although they do not explicitly call OAuth or OIDC in their documentation, they use the same terminology and the same calls. API, "wrote Aaron Parecki. "It means that if you know these technologies, you should have no trouble connecting to Apple immediately!"
Chris Kanich, security and privacy researcher who teaches at the computer department of the University of Illinois at Chicago, agrees that "technically, this seems to be identical to that that Facebook and Google offer.
But Apple also adds significant additional layers of protection. For example, in Connecting with Apple, Apple will have the ability to create a random and anonymous email address for users. While Facebook Login does not require users to share an email address at all (the company claims to have made the sharing of email addresses optional five years ago), but does not offer to generate an e-mail address. random mail. Same as Google's login option: it does not mean require e-mail address, but it does not propose to generate a proxy e-mail address either.
In addition, Facebook and Google still require users to share their names and profile images – information that is then passed on to third-party application manufacturers. In some cases, these login tokens allow developers to request information such as birthdays or calendar access. (Apple declined to comment on the recording of this story.)
Crisis of identity
One of the elements of Sign In with Apple that has already hoisted developers is Apple's mandate that application makers must implement Sign In with Apple if they have already integrated the Facebook login features and Google to their applications. Previously, some documents suggested that Apple ask developers to place the login button on top of all other options, but this language has since been changed in Apple's user interface directives. Now, the Sign In button only needs to be smaller than the other options and the user does not have to scroll to see it.
Leah Culver, co-founder and chief technology officer of the Breaker podcast discovery app, said she "was not very happy to [Apple] force applications to use some type of connection, and I think it's a bit petty. "
"The question becomes, just because they control the App Store, should they control the connection?" Said Culver. She notes that Google does not force Android developers to use the connection with Google, which Google confirmed when I asked.
Buzz Andersen has been a software engineer for over 15 years. After working at Apple before moving to companies such as Square and Tumblr, he admits to being a fan of Apple. He states that the connection with Apple is long overdue and that he personally believes that Apple's offer is more reliable than the other options. But even he admits that Apple's mandate that its logon option is offered when other options are present could be a "no-begin" for some developers.
"I've already heard of people who have problems with that, and it's a bit heavy," says Andersen. "Apple is known for its heaviness with its ecosystem."
Although the option of using a randomized email address is designed to protect consumers, some developers believe that this could create a dilemma. Will Fischer is a product manager in Christie's emerging technology group, the 253-year-old auction house. He says he is intrigued by Sign In with Apple for his own personal use on the iPhone, because "this is absolutely going to make things easier," but its implementation at work could present complications.
"It's an interesting concept," says Fischer. "But our app does not currently contain anonymous payment. As a business, we need to know who we are dealing with and who we are selling to. This is definitely something we would like to evaluate more deeply. "
Lauren Goode is a senior writer at WIRED and covers consumer technologies.
Basically, applications using the connection with Apple may request personal information from the user, such as an email address, but they may not require it. Thus, an application requiring a more detailed level of information about the identity of a person, such as an auction application or a banking application, may simply need to use its own identifier. direct. (It also means that they can not offer the Google or Facebook login options because of Apple's mandate.)
It is therefore not surprising that some Android developers are also wondering about the use of Sign In with Apple for "extreme cases". Chris Maddern, co-founder and product manager of Button's mobile commerce app, pointed out that many developers were not only building for iOS, "Also for users who cover iOS, Web and Android devices," he wrote in an email.
"This means that on the web and on Android, you will have to present this option in one way or another, otherwise users may not be able to connect. It will be a web-based authentication flow that is not perfectly transparent, "he explains. "In short, 99% of Android developers do not think about it at all. But once the condition "Add a sign with Apple" is imposed on them because they must already add it on iOS, they will not be delighted anymore. "
It is interesting to note that Facebook itself, as an iOS app developer, and not as a connection provider, has not yet determined whether to implement the Apple connection in its own application. When I asked Google if it would use the connection with Apple for its own applications, the company was not sure initially. later, he said that would not be the case, because the connection to Google services does not involve the connection to a third party.
Some of the issues raised by the developers could be solved in the months leading up to the public launch of the Apple Connection feature, expected to happen this fall. Other blame can still be very real when he throws. And that might just mean that developers have to do the extra work necessary to tailor their application to Apple's requirements.
For example, Culver relied on Facebook's social graph to allow users of the Breaker podcast app to easily connect to their friends. In the event that someone uses Connect with Apple, he will have to go through the extra step of finding friends in the app.
But Kanich, a security researcher from the University of Illinois at Chicago, describes this as one of the ultimate tensions between Apple, its developer community and its customers.
He describes Sign In with Apple as a "one-pony pony" and it's a good thing from a safety standpoint, he says. While something like Facebook is a rich application that people use for a lot of data sharing, Sign In with Apple is a discrete product with no big social graph. This means that even if a hacker were able to violate it, the fallout would be limited compared to the violation of Facebook.
"It goes back to the fact that Apple will keep more control over your identity," Kanich said. "And that gives Apple more control, which third-party app manufacturers do not like. But third parties are not the customers; the users are the customers. And that's where the tension really goes. "
More great cable stories