OpenID Foundation Claims 'Sign In with Apple' Could Expose Users to Security and Privacy Risks - MacRumorsOpen MenuShow RoundupsShow Forums menuVisit ForumsOpen Sidebar
Skip to Content

OpenID Foundation Claims 'Sign In with Apple' Could Expose Users to Security and Privacy Risks

At WWDC 2019 earlier this month, Apple announced Sign In with Apple, a new privacy-focused login feature that will allow macOS Catalina and iOS 13 users to sign into third-party apps and websites using their Apple ID.

signinwithapple
The feature has been largely welcomed as a more secure alternative to similar sign-in services offered by Facebook, Google, and Twitter, since it authenticates the user with Face ID or Touch ID, and doesn't send personal information to app and website developers.

However the implementation of Sign In with Apple has now been questioned by the OpenID Foundation (OIDF), a non-profit organization whose members include Google, Microsoft, PayPal, and others.

In an open letter to Apple software chief Craig Federighi, the foundation praised Apple's authentication feature for having "largely adopted" OpenID Connect, a standardized protocol used by many existing sign-in platforms that lets developers authenticate users across websites and apps without them having to use separate passwords.

Yet it cautioned that several differences remain between OpenID Connect and Sign In with Apple that could potentially put users' security and privacy in jeopardy.

The current set of differences between OpenID Connect and Sign In with Apple reduces the places where users can use Sign In with Apple and exposes them to greater security and privacy risks. It also places an unnecessary burden on developers of both OpenID Connect and Sign In with Apple. By closing the current gaps, Apple would be interoperable with widely-available OpenID Connect Relying Party software.

To remedy the situation, the foundation asked Apple to address the differences between Sign In with Apple and OpenID Connect, which have been recorded in a document managed by the OIDF certification team.

open id logo
It also invited the company to use OpenID's suite of certification tests to improve the interoperability of the two platforms, publicly state their compatibility, and join the OpenID Foundation.

Shortly after unveiling Sign In with Apple, the tech giant told developers that if an app lets users log in using their Facebook or Google logins, then it must also provide an alternative Sign In with Apple option.

The company then raised some eyebrows when it emerged that its updated Human Interface Guidelines asked app developers to place its authentication feature above other rival third-party sign-in options wherever they appeared.

(Thanks, Jonathan!)

Popular Stories

apple safari privacy ad

Apple's New Ad Pitches Safari as a More Private Alternative to Chrome

Thursday June 4, 2026 4:24 am PDT by
Apple has published a new ad to appeal to customers who prioritize privacy when browsing, suggesting that Safari is the one you should use if you want to "Keep data trackers off your back." In a new Privacy on iPhone segment titled "Safari helps block data trackers," the ad shows users of rival phones in everyday situations having to live with data trackers as they browse. The trackers are...
iOS App Store General Feature JoeBlue

Apple 'Records Every Tap' in App Store to Filter New Personalized Recommendations Feature

Wednesday June 17, 2026 6:27 am PDT by
Last week, Apple introduced a new discovery feature for the App Store called Personalized Collections, or app recommendations based on individual interests and behavior. Apple pitched the announcement as another way for developers to have their app discovered, but there has already been some pushback from a privacy perspective. App Store user analytics collected by Apple (Image: Mysk) The new ...
iCloud General Feature Redux

Apple to Unify Sign in With Apple and Hide My Email on One Domain

Monday June 15, 2026 3:56 pm PDT by
Apple is planning to unify the email domains used by Sign in with Apple and iCloud+ Hide My Email under a single private.icloud.com domain. Addresses generated for both features will be issued on the new domain, Apple says. Sign in with Apple addresses currently use the privaterelay.appleid.com domain, while iCloud+ uses icloud.com. Later this summer, both will use the same...

Top Rated Comments

92 months ago
OpenID "a non-profit organization whose members include Google, Microsoft, PayPal, and others."

Someone's in panic mode, less customer tracking huh
Score: 108 Votes (Like | Disagree)
garylapointe Avatar
92 months ago
Am I missing something in that the headline doesn't seem to support this with more info in the MacRumors story?

"reduces the places where users can use Sign In with Apple and exposes them to greater security and privacy risks."

Greater than what? Than no risk? Than not implementing 'Sign In with Apple'? Than Facebook?

"reduces the places where users can use Sign In with Apple"

Or is it just more risk in that it's not implemented everywhere?

Stating risk without actually reporting anything about the risk isn't really news and is kind of clickbaity...
Score: 68 Votes (Like | Disagree)
raybob Avatar
92 months ago
They’re worries because their biggest source of income “selling customers’” info is in jeopardy.
Google, microsoft and PayPal?!!!

It’s like pharmaceutical companies becoming members of a non profit which is concerned about cheaper medicine.
Score: 34 Votes (Like | Disagree)
btrach144 Avatar
92 months ago
I’m going to assume Apple knows what it’s doing here and purposefully chose to leave out parts of the OpenID standard that didn’t align with Apple’s security needs or vision.
Score: 26 Votes (Like | Disagree)
goobot Avatar
92 months ago
The title sounds like Apple sign in is flawed but the article says that it’s just not available everywhere which somehow makes it a sercurity risk?
Score: 25 Votes (Like | Disagree)
92 months ago
Not at all. I've already heard several Apple developers say they're concerned about the lack of interop with OpenID.
Not at all confirmed by your anecdotal story?
Score: 24 Votes (Like | Disagree)