Apple Adds Another Sign-In to Applications

By Pierre-Luc Simard
VP, Technologies

At WWDC 2019, Apple introduced Sign In with Apple. This new authentication service is similar to solutions by Facebook, Google, Twitter, LinkedIn and many other organizations with a large user base. 

The introduction of Sign-In with Apple during the WWDC 2019 keynote was met with applause when its main privacy-focused feature was demoed. When registering for an application using Sign-In with Apple, users have a choice. They can either use one of the email addresses that they’ve already registered with Apple or use an anonymous email generated and managed by Apple. 

The anonymous email is a unique feature for a Sign-In system. With this, Apple promises an exciting balance between users’ privacy and the needs of app vendors. After all, vendors need a way to contact the user, while users need a way to keep their identity private by not providing a uniquely identifiable email. Apple’s randomly generated email is not a throwaway email address like what anybody can get from services such as Mailinator. Each random email address is tied to an Apple ID. This way, Apple can forward emails received from an application vendor to the user and ensure that the account stays alive for as long as the user desires it. These emails do come with a small catch: when the application vendor registers with Apple to enable Sign-In with Apple, they must provide the email address they will use to contact users. Apple will only forward emails sent from that registered address to a randomly generated email that is associated with the application. This restriction keeps the application vendor from sharing the email address with third parties and protects the user in case of a data leak. Users can also delete these randomly generated emails from their account, which effectively cuts any ties between them and the application vendor. 

Apple makes it relatively simple to implement its new service in new or existing applications. The integration steps are very similar to other social Sign-Ins. Of course, Apple has made it extra simple on its own platform, which mimics what Google did for its Sign-In service on Android. On the server side, identity validation is well documented and straightforward to implement. 

It is also possible to integrate Sign-In with Apple on an Android application. To do so, the application developer must use the JavaScript SDK inside a “web-view” and implement Android App Links to receive the confirmation from Apple servers. In my experience, there’s a small percentage of the population that has both Android and iOS devices, and migrations from iPhones to Android phones do happen. Because these users exist, it’s a good idea to allow them to keep using Sign-In with Apple or to provide a way to convert their account to another Sign-In provider.

On September 12, 2019, Apple updated its App Store policy and announced that, from that day forward, all new applications that “exclusively use a third-party or social login service” must include Sign-In with Apple. Existing applications have until April 2020 to update and include the new service. Unless an application qualifies for an exception under the criteria listed in section 4.8 of the App Store Review Guidelines, application developers must add the service to their app.