Use Sign In With Apple: It’s Better For A Reason
One of the biggest changes we’ve observed in recent years is the shift in how we log into apps using authentication methods like Sign in with Apple and social logins. All of these authentication mechanisms add convenience for users, making them the ideal choice for registering and logging in to various services. However, if you read the title, you can probably guess that there’s one that’s better than the rest.
Apple has made a big push to make its sign-in service the preferred choice when using apps on iOS as well as other operating systems, including some Android and Windows apps. We’re going to start by looking at why social sign-ins are today’s preferred way to register and login to most services then we’ll dive into why Sign in with Apple is better than the rest.
Merits of using social logins and a couple of flaws with the design
To get right to it, this method of authentication is more convenient and secure than using an email/username and password combination. While some users are careful to create strong, unique passwords for all their services, a study on password habits shows that this isn’t quite the case.
Users will essentially do the bare minimum when they’re only given the option to create a login using email. Many people have dozens of online accounts where 53% rely on memory to store login info which is likely why some 51% of users tend to recycle the same password.
The problem here is that if one service is breached and your password isn’t properly encrypted, this gives an attacker access to other accounts when they find a recycled password. This has been a pervasive problem since the dawn of the Internet – fortunately, social logins help prevent this issue.
Generally, a social login will use a token that’s randomly generated every time a user uses Facebook, Google, Twitter, or some other social login to access an account. As such, this method piggybacks on the user being authenticated with the referenced platform. A user that logs into an account with a social login first “proves” who they are to the social platform at which point, the platform gives the “ok” to the service they’re attempting to log in to via a token.
While this is an overall better system than giving users the option to create login credentials, it’s not without flaws. If a user’s base account, for example, Facebook, isn’t secure then a malicious user who knows this platform’s login info could potentially access every account where Facebook is used as the social login.
Too, there have been several security concerns that have come to light with social logins, especially Facebook. The platform is well-known for “oversharing” users’ personal information –a service can opt to request far more data than just a user’s basic info. While some sites are careful to only request the bare minimum information, it often leaves a user’s email exposed which can sometimes lead to abuse.
Why Sign in with Apple is the best of the bunch
Though Sign in with Apple isn’t perfect, it does boast some features that others don’t offer. Perhaps one of the biggest selling points to using your Apple ID to sign in is the fact that it works seamlessly with features like Face ID and Touch ID. Both methods work by associating a top-layer of authentication, meaning your face or fingerprint, on top of your Apple ID and password.
If you use an iPhone or an iPad regularly then you surely recognize how much easier it is to simply scan a finger or your face when you want to download something from the App Store! This is why it is currently used by over 2000 sites and apps and growing in popularity.
One of the best parts about using Sign in with Apple is how it handles the exchange of email information with the underlying platform: it doesn’t. Instead of passing your underlying credentials to a platform, which is something that happens when you use other social logins to register with a service, Apple creates a spoof email on your behalf. This essentially prevents your email from being abused like in instances when a platform is breached or in scenarios where the platform sells off your information to advertisers.
This is also how Apple has been handling in-app purchases (IAP) for quite some time. When a user goes to pay for something in an app, only the payment information is passed along and nothing else.
One last thing to mention is that this authentication method can be used with Android and on the web as well. Developers are able to use an instance of ‘OAuthProvider’ with virtually any framework and reference apple.com to use their sign on for improved security.
The few, minor problems with Sign in with Apple
While Sign in With Apple does offer a better way for users to register and login to the apps they use, it does have a few drawbacks.
The first issue is that not all providers that accept this login method will “play nicely.” By generating a random email, it’s possible that the email Apple creates will be rejected because it gets waylaid, for example, when it looks like spam. Some services still require the user to backtrack to the underlying email address used during registration to confirm their identity. As such, if Sign in with Apple passes a phony email, then a user won’t be able to complete registration.
The other main problem with Sign in with Apple is an issue that affects all social logins. If something happens with a user’s underlying Apple account (or a password is changed) this can cause widespread authentication issues. Fortunately, by design, most services will simply require that a user re-login to the service in such an event. However, if there is some kind of more pressing issue – say, an account is compromised – this creates a similar debacle to times that a malicious user gets ahold of underlying credentials used in social login.
Blue Label Labs builds software that your users can securely log into
Our focus is aligning everything from usability through security to ensure that our apps offer a great UX and optimal security. We strongly urge that our clients who are building apps for iOS and beyond use the best possible authentication mechanisms available to ensure their platform and customers stay safe. Get in touch to learn more about how our security practices yield excellent software.