What’s in a Login Button?
All you need to know about the new “Sign in with Apple”
For Akamai Identity Cloud, we intend to support our clients that wish to implement “Sign in with Apple” just like we do for Facebook, Google, Instagram, Twitter, LinkedIn and about 30 other Identity Providers. If you use it for your apps and websites, here’s what you need to know.
A lot has been written about “Sign in with Apple” since it was introduced at Apple’s World Wide Developer Conference (WWDC) last week — and what might look like just another login button on the surface might well be one of the most significant and most impactful announcements the tech company has made in years.
It wasn’t so much what Apple presented on stage, but some fine print that Apple released afterwards — quietly and off-stage — that sparked commentary in the media and discussions in the developer community and among identity experts, privacy advocates, and market observers.
In an update to their App Store Review Guidelines, published on the same day as the announcement, Apple says that developers must implement the new login feature in all applications where they already offer other third-party authentication services, like the well-known and widely used login buttons from Facebook, Google, or Twitter. Apple does not require the button for apps that only offer their own login functionality (often referred to as “traditional login”).
Reuters reported that Apple will also ask developers to position the “Sign in with Apple” button in iPhone and iPad apps above rival buttons, according to an update to the company’s “Human Interface Guidelines” released last week. These design guidelines are not formal requirements for an app to be accepted in the AppStore, but as Reuters pointed out (and, subsequently, many voices on social media), many developers believe that following them is the surest way to gain approval from Apple.
Some commentators felt that enforcing the adoption of Apple’s new login option is a risky move for the tech giant; after all, these requirements were released on the same day as reports emerged that the US Justice Department has been granted authority to investigate Apple for potential antitrust violations.
It’s all About Privacy
What sets the “Sign in with Apple” button apart from others? In one word, it’s privacy. In two words, it’s privacy and control — the promise to keep customer data private and to give users control over what they share with the vendors that are behind the apps or websites for which they use the button to sign in. Apple says there will be no tracking and no user data will be shared with the app vendor by default. Where an email address is required to communicate with the app vendor, users can decide to keep their personal addresses hidden. Apple will generate a unique, anonymous, but fully functional email address that users can decide to use for communication with the vendor. The idea of unique disposable email addresses is not new. For example, Google’s Gmail lets you manually add dots, plus signs and extra characters to your address for similar purposes. But that is not nearly as efficient and easy as Apple’s solution, which automatically generates completely random addresses and allows users to disable them at any time.
What “Sign in with Apple” basically does is to ensure proper authentication of the user when logging in. For that, Apple uses its own existing authentication methods, like facial recognition on the iPhone (meaning users won’t need any new passwords). It then lets the app know if the user is good to go and can be allowed in. But Apple will not share the actual identity of the user, and for the purpose of basic login the app doesn’t need to know. The identity information remains with Apple, unless the user decides to voluntarily and consciously share selected personal data points with the app.
This concept is different from other login services or Identity Providers (IdPs) that typically share user identity and a set of other data points with app vendors and allow them to build up customer profiles. More importantly, the popular IdPs all make their money by selling targeted, personalized ads and therefore rely on collecting and tracking user data. Apple doesn’t sell ads and the new login button is widely considered a strategic move against the likes of Facebook and Google, which probably will not be able to offer comparable data minimization as they cannot escape their business models.
In theory, this makes Apple a more trustworthy holder of personal data. The company has been touting privacy as a competitive differentiator in their messaging for a while, like in this iPhone ad. But make no mistake, this approach to user privacy is very Apple-centric; in order to use an Apple device, and also in order to use the new login button, users need to have an account with Apple first, and for that Apple does require personal information. Privacy here means trusting Apple to keep your personal data private.
Should you use “Sign in with Apple” in Your Apps and Websites?
There are undoubtedly a lot of good things to be said about Apple’s new login service. It provides solid two-factor authentication while lowering the barrier for users to sign up. It doesn’t require users to remember new and potentially unsafe passwords and gives them ways to minimize the data they share.
Businesses using “Sign in with Apple” can benefit from Apple’s reputation (and self-promotion) as a trusted vendor. Customers using Apple devices have already put their trust in Apple by creating an Apple ID, and they will not need to be convinced to trust another company before signing into that company’s app. Trust is of increasing importance to consumers and affects signup and conversion rates. Last year, in a poll of U.S. Internet users, 39 percent of Americans said it was “highly likely” or “guaranteed” that they would walk away from a business that requires them to provide highly-personal information and nearly three-quarters (73 percent) believed that, in general, websites know too much about them.
“Sign in with Apple” will be available outside of the Apple hardware universe as well, such as on regular web pages and other platforms like Windows and Android. Apple’s brand recognition and the aforementioned focus on privacy in the company’s messaging and advertising will likely make “Sign in with Apple” a trusted option even for consumers outside of the Apple ecosystem.
The universal advantages of using social login buttons apply to Apple as well: App developers don’t have to implement complex authentication infrastructure themselves. If somebody loses access to their account, it will be Apple’s customer service that takes care of that. This can be a significant money saver as the cost of support incidents (or the implementation of self-service account recovery as part of the app) are high. These advantages are not specific to Apple but are also true for other social login providers.
Apple claims to provide a basic level of fraud protection. When the new login button is used, Apple’s system lets apps know if the user who signs up is human or “unknown” — unknown meaning it could be a bot, or a new user. At WWDC, Apple recommended to treat any “unknown” as a new user, which I take as an indication that their system can’t really distinguish bots and humans or detect and flag malicious actors. Apple also did not provide any clues to how their systems actually arrive at the determination. It remains to be seen if this capability can really be considered fraud protection and what value it provides in practice.
Is “Sign in with Apple” for Everyone?
One potential downside of Apple’s solution is that the data minimization it enables (and encourages) might not be what an app vendor wants or needs. Data collection has gotten a bad reputation in the light of scandals, breaches and abuse, but it is not always a bad thing. According to the aforementioned poll, more than a third of US Internet users still wish to receive personalized communication and offerings, and that requires personal data. There are companies and organizations that take privacy as seriously as Apple, don’t make money from selling customer data to advertisers either, and collect profile data in ways that respect the user’s privacy and control. Watch this video by UK broadcaster Channel 4 for an outstanding example. Apple might target Facebook and Google with this latest move, but it could also hit other organizations.
If you must (or desire to) collect customer profile data from your users, it is worth examining how much Apple’s sign-in button would impact the amount and quality of data your consumers are willing to share.
If you should come to the conclusion that, once given a choice, a relevant portion of your users would no longer share data with you, you might want to examine why that is and how you can improve. Can you make your own sign-up experience more trustworthy, by providing better transparency about what you do with the data? Do you ask too many questions upfront? Are you requesting information that is only useful for you, but not for the user? What does it take to make the processing of personal data part of a mutually satisfying business relationship with your customers, as opposed to being perceived as intrusive or evil?
These are in fact questions that companies also had to face after the EU’s General Data Protection Regulation (GDPR) went into effect last year. GDPR made it illegal to collect somebody’s personal data without telling them for what purpose and getting their explicit consent. Consent requires trust. No trust means no consent and no personal data. And without personal data there can be no personalized marketing, no deep understanding of the customer journey, and no 360 degree view of the customer. “Sign in with Apple” could have similar effects — not for Apple, but for your business.
Apple’s new login feature helps to make privacy protection and data minimization a top-of-mind topic for end users, developers, and businesses. It offers consumers an easy and convenient way to minimize and control the personal data they share with other companies. However, they still need to share personal data with Apple first, as even users on other platforms need to have an Apple account.
“Sign in with Apple” is clearly an instrument that allows Apple to extend and heighten the walls around its closed ecosystem, in which it already controls the platform and applications, and now makes a significant step to gain more exclusive control of user data. The difference between Apple’s walled garden and those of Facebook or Google is that Apple says that it doesn’t intend to share user data even in anonymized or pseudonymized form for the purpose of ad targeting — at least as of today.
Companies will have to decide if they are willing to accept this increased dependency on Apple and potential decrease of customer data, or if it makes more sense for them to take control of the data they need by building their own profile database and decrease the dependency on any walled gardens by managing customer identities themselves.
*** This is a Security Bloggers Network syndicated blog from The Akamai Blog authored by Sven Dummer. Read the original post at: http://feedproxy.google.com/~r/TheAkamaiBlog/~3/WNUGDTWU88o/sign-in-with-apple.html