Sign in with Apple has critical security flaws says OpenID Connect maker

At WWDC 2019, Apple was widely praised for turning privacy from an add-on feature into a core service. The biggest proof of that was "Sign in with Apple", its attempt to displace Google and Facebook logins in iOS and macOS apps. Underneath, it uses a version of the OpenID Connect specification to make secure logins possible. But according to the OpenID Foundation, Apple's implementation might ironically leave users exposed to attack.

OpenID Connect is described as a "widely-adopted identity protocol built on OAuth 2.0 that enables third-party login to applications." The Foundation that develops it counts Google, Microsoft, PayPal, Facebook, and Twitter among its members. Notably, Apple is not one of them, which may be one of the Foundation's gripes about Sign in with Apple.

In an open letter to Apple SVP of Software Engineering Craig Federighi, the OpenID Foundation first applauds the company for adopting OpenID Connect to let users log into third-party apps with their Apple ID. However, Apple has apparently opted to adopt only certain parts of the specification rather than the full standard. According to the Foundation, the differences between the two could leave Apple's users open to attack.

Some, however, might also read ulterior motives into the Foundation's call to close the gap. It naturally wants its full specification implemented and would probably like Apple to sign up as a member. It also wants Apple to advertise that Sign in with Apple is compatible and interoperable with other OpenID Connect providers, which is probably not something Apple wants to do.

Sign in with Apple offers Apple users a convenient way to log into apps, just as they can with Google and Facebook accounts, but with tighter privacy controls in place. Once it ships, all apps that offer third-party logins will be required to offer a Sign in with Apple button as well. Testing starts this summer, with a full release intended for iOS 13's launch this fall.