
How Popular Is “Sign in with Apple”? - cpach
https://daringfireball.net/linked/2020/01/28/sign-in-with-apple-popularity
======
habosa
I tried to do a Sign in with Apple integration on Android (wanted the app to
have the same options across platforms).

Testing on Android was next to impossible. To test I needed an Apple ID with
2FA. But SMS 2FA was not good enough, you need the hardware-based 2FA. To get
that you need a recent macOS or iOS device. As an Android developer I have no
reason to own either of those.

Eventually I just had a friend who owns an iPhone try my app a few times.

Besides that, the Apple interface guidelines are nearly impossible to follow
on Android because Apple doesn't provide the logo or font assets you need to
comply. There is no SDK whatsoever, just a spec.

Seems like a nice sign-in option for iPhone owners but it's a portability
disaster.

~~~
ehsankia
Apple continues to not give any care whatsoever to anything outside their
walled garden. For the longest time you couldn't even preview songs on iTunes
store without having iTunes. Want to watch their biggest WWDC live? Had to use
Safari until last year. Obviously iMessage and FaceTime are complete no-gos
outside their walled garden too.

This is how they keep people in. They have to close down their walls as
tightly as possible, to force people in. And once you're in, they make it as
hard as possible to leave.

~~~
coldtea
> _This is how they keep people in. They have to close down their walls as
> tightly as possible, to force people in. And once you're in, they make it
> as hard as possible to leave._

I call old wives tales. I'm a close-to-20-years Apple user. The walled garden
has never been a problem, more of a strength (integration, cohesion, etc).

Especially today where everything is a subscription, there has never been LESS
of a walled garden in that regard. I can move anytime (and I do use also
Windows and Linux) and I won't have any issue with OS X/iOS.

I just won't have my apps -- which has been the case for every OS ever.

My music is in Spotify and Apple Music, my video is Netflix and Amazon Prime
and Apple+, my email is Gmail, my eBooks in Kindle for Mac and iOS, I talk
with friends with Skype, Facetime, Messenger and Whatsup. Even my iCloud apps
(Calendar, email, etc) are available from any browser.

Some "walled garden".

The reason I don't want to move from OS X/iOS is cohesion and usability.
Despite BS like the 3+ years MBP keyboard fiasco or the not-really-useful BS
touch strip, it's still the best HW/SW combo for my kind of computing
(programming, lots of UNIXy stuff, lots of video and music as well).

~~~
StavrosK
> My music is in Spotify and Apple Music, my video is Netflix and Amazon Prime
> and Apple+

Does Spotify somehow integrate with Apple Music and Netflix with Apple+?
Because, if not, your counterargument is just "there's no walled garden
because I'm outside it".

Spotify, Netflix, Google, Kindle, etc work on both platforms. Apple stuff
doesn't. That's the definition of "walled garden", that you can't use Android
and still use any Apple stuff.

~~~
denkmoon
FWIW Apple Music does work on android, reasonably well too. I switched to that
when it became apparent that Google Play Music is a dead product, soon to be
sent to the glue factory.

~~~
haecceity
Why do people use Apple Music over Spotify?

~~~
thewebcount
One reason I use Apple Music over Spotify is that Apple Music is entirely
supported by paying customers rather than by ads. This aligns their incentives
more closely to mine.

------
tusharsoni
Developer of a recently launched app with Sign in with Apple here.

I watched the keynote where they launched Sign in with Apple and was honestly
surprised at how easy the implementation was. I thought it was a no-brainer to
add it to my app. So, I follow their (severely lacking) docs and the keynote
and get a solution working. Once the user logs in, their APIs hand you a token
that you can then send to the server.

Then, I thought, how do I verify this token on the server? While they do have
docs on it [1], they simply omitted it from the keynote to make their example
"just work". I would be very surprised if everyone was verifying the token on
their servers. Not doing so seems like a loophole for many apps.

[1] https://developer.apple.com/documentation/signinwithapplerestapi/verifying_a_user

~~~
Andrex
What are the security implications of this?

~~~
tusharsoni
The biggest one is that you're essentially trusting data that the client is
providing (Apple gives user id to the client and the client sends it to the
server). Unless you can verify the token and exchange it for your own session
id, you're opening up your users to be easily impersonated (if they get a hold
of the user id).

Other than that, Apple also provides server-side verification for the validity
of the token. Without that, the client could send a random string and the
server wouldn't know the difference.
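
Added example (Go; not code from the thread or from Apple) of the server-side check described in this sub-thread: the app hands over the id_token, and the server verifies it against Apple's published keys and pins the claims before it issues its own session, so a bare user id sent by a client is never trusted. The JWKS location, the issuer value and the audience rule (your client_id, i.e. bundle id or Services ID) are Apple's documented ones; the kid, client_id, sub and nonce values are placeholders, and MintTestToken is a stand-in for Apple's server, constructed so the example runs offline.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Shape of https://appleid.apple.com/auth/keys: {"keys":[{"kty","kid","n","e",...}]}.
type JWK struct{ Kty, Kid, N, E string }
type JWKS struct{ Keys []JWK }

type Claims struct {
	Iss   string `json:"iss"`
	Aud   string `json:"aud"`
	Sub   string `json:"sub"`
	Exp   int64  `json:"exp"`
	Nonce string `json:"nonce,omitempty"`
}

var b64 = base64.RawURLEncoding

// VerifyAppleIDToken does the work the client cannot be trusted with: RS256 signature
// against the JWKS key named by kid, then issuer, audience (your bundle id or Services
// ID), expiry and the nonce generated when the flow started. Only Sub should key a session.
func VerifyAppleIDToken(token string, jwks JWKS, clientID, nonce string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	var hdr struct{ Alg, Kid string }
	if raw, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil {
		return nil, fmt.Errorf("undecodable header")
	}
	if hdr.Alg != "RS256" { // allow-list; never let the token pick "none" or HS256
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	var pub *rsa.PublicKey
	for _, k := range jwks.Keys {
		if k.Kid == hdr.Kid && k.Kty == "RSA" {
			n, _ := b64.DecodeString(k.N) // a malformed JWK becomes a key that verifies nothing
			e, _ := b64.DecodeString(k.E)
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	if pub == nil {
		return nil, fmt.Errorf("no JWKS key for kid %q", hdr.Kid)
	}
	sig, err := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("signature does not verify")
	}
	var c Claims
	if raw, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return nil, fmt.Errorf("undecodable claims")
	}
	switch {
	case c.Iss != "https://appleid.apple.com":
		return nil, fmt.Errorf("wrong issuer %q", c.Iss)
	case c.Aud != clientID:
		return nil, fmt.Errorf("token issued for %q, not this client", c.Aud)
	case !now.Before(time.Unix(c.Exp, 0)):
		return nil, fmt.Errorf("token expired")
	case nonce != "" && c.Nonce != nonce:
		return nil, fmt.Errorf("nonce mismatch: token replayed or swapped")
	}
	return &c, nil
}

// MintTestToken stands in for Apple so the check runs offline: it signs claims
// with a freshly generated RSA key and returns the matching one-key JWKS.
func MintTestToken(c Claims, kid string) (string, JWKS) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // test helper; CSPRNG failure not handled
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	body, _ := json.Marshal(c)
	signing := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(signing))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	key := JWK{Kty: "RSA", Kid: kid, N: b64.EncodeToString(priv.N.Bytes()),
		E: b64.EncodeToString(big.NewInt(int64(priv.E)).Bytes())}
	return signing + "." + b64.EncodeToString(sig), JWKS{Keys: []JWK{key}}
}

func main() {
	now := time.Now()
	tok, jwks := MintTestToken(Claims{Iss: "https://appleid.apple.com", Aud: "com.example.app",
		Sub: "001234.abcdef.0001", Exp: now.Add(10 * time.Minute).Unix(), Nonce: "n1"}, "kid-demo")
	_, okErr := VerifyAppleIDToken(tok, jwks, "com.example.app", "n1", now)
	_, badErr := VerifyAppleIDToken(tok, jwks, "com.example.other", "n1", now)
	fmt.Println("genuine:", okErr, "| another app's token:", badErr)
}
```

The audience check is what stops a token issued to some other app from logging into yours, and the nonce check ties the token to the sign-in attempt the server actually started; in production the JWKS is fetched from Apple over TLS and cached, and the verified Sub is exchanged for the server's own session id.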

~~~
ec109685
Why would someone be more likely to get a user id compared to your session id?

------
fetus8
I've seen "Sign in with Apple" exactly once since iOS 13 launched. I am kind
of surprised it's not being rolled out more widely. The first app I've seen
and used it with was Byte (the Vine successor) over this past weekend.

~~~
jandrese
Is there any good reason to do the Sign In With <giant data aggregator>?

I never take that option if there is anything else available. They don't need
to see my signins on other sites, why should I just give it to them? For a few
sites where it is utterly unavoidable I make one-off twitter accounts instead,
because Twitter doesn't require your phone number to make an account and
doesn't have a "only one account per person" policy I think.

~~~
azinman2
Well, Sign In with Apple is different because:

1. It’s fast

2. It gives you a pseudonym

3. It doesn’t leak all your other social graph data

4. Doesn’t require a new password

The rest are:

1. Faster than creating an email, but will require redirects, and possibly
logging into fb/google

2. May give you a pseudonym but often reveals your real name

3. Are used typically to build profiles of you and create stats on app
popularity across demographics

4. Don’t require a new password.

~~~
pfranz
Maybe it's just me, but one bummer about this kind of system is that it's A+
top security for a lot of stuff I don't care about. To create some account on
a random forum to give feedback about how I got a stuck oil filter off of my
'03 Civic, for example. With email+password I can just use a low security
password because I'm typing on a phone. With these all-in systems my device
isn't recognized so I'll need to type in some code from 2FA and type my long,
unique password.

I know they're very popular, but there's so much long-term unintended baggage
with using these single sign-on systems...even assuming Apple's doesn't have the
nefarious parts most others have.

~~~
eropple
Even setting aside Sign In With Apple, why are you consuming mental space and
energy with a reused password and whether they should be throwaways or not in
2020, when all mobile OSes and desktop browsers integrate seamlessly with
password managers?

Over here, I just use Face ID and 1Password does the tedious filing-and-
remembering part that computers are good at.

~~~
pfranz
I use 1Password on both my phone and desktop for logging in. Saving a new
password on the desktop is easy. For the phone it seems rather tedious.
Especially when, even on the desktop, many sign up pages have me submit 2 or 3
times because the username is taken, password too complex, or I didn't give
them my phone number. I find it way less mental space and energy to reuse a
weak password.

------
booleanbetrayal
The rollout for Sign in with Apple was a disaster when it came to email
deliverability. They seem to have given zero thought to people who used third
party email services like CustomerIO or Sendgrid, indicating that they
"weren't supported," leaving those providers to scramble to meet the strict
DKIM / SPF / Return-Path requirements. Not only that, but if you were sending
from an appropriately aligned and verified domain, in the first couple of
weeks, deliverability might take in upwards of 12 hours for receipt. I believe
they've since improved on the deliverability and the third-party email
providers have accommodated appropriately, with Apple even providing brief
integration tips for the most popular ones, but it left a pretty horrible
taste in our mouths as we were jumping through all the integration hoops.

EDIT: This is referring to email deliverability when attempting to contact
private Apple relay addresses.
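
Added example (Go; not code from the thread or from any of the providers named) of the pre-flight check a sender can run before mail to a relay address leaves the building. The thread's point is that the From, Return-Path and DKIM signing domains have to be aligned and verified; this check parses a raw message and reports the classic misconfiguration where the email provider signs or bounces under its own domain. It does not verify the DKIM signature or evaluate SPF (both need DNS), the organizational-domain logic is a two-label approximation of what a public suffix list gives you, and the two sample messages are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"net/mail"
	"strings"
)

// domainOf returns the lower-cased domain of an RFC 5322 address header value.
func domainOf(header string) (string, error) {
	a, err := mail.ParseAddress(header)
	if err != nil {
		return "", err
	}
	return strings.ToLower(a.Address[strings.LastIndex(a.Address, "@")+1:]), nil
}

// orgDomain approximates the organizational domain as the last two labels; a
// production check should use the public suffix list (co.uk and friends).
func orgDomain(d string) string {
	labels := strings.Split(d, ".")
	if len(labels) > 2 {
		labels = labels[len(labels)-2:]
	}
	return strings.Join(labels, ".")
}

// aligned is DMARC-style relaxed alignment: same organizational domain.
func aligned(a, b string) bool { return orgDomain(a) == orgDomain(b) }

// dkimTag pulls one tag value (for example "d") out of a DKIM-Signature header.
func dkimTag(header, tag string) string {
	for _, kv := range strings.Split(header, ";") {
		if kv = strings.TrimSpace(kv); strings.HasPrefix(kv, tag+"=") {
			return strings.TrimSpace(kv[len(tag)+1:])
		}
	}
	return ""
}

// CheckAlignment reads From, Return-Path and DKIM-Signature from a raw message and
// lists the reasons a strict forwarding relay would refuse it. It does not verify
// the DKIM signature or evaluate SPF (both need DNS); it catches the usual
// misconfiguration, a provider signing or bouncing under its own domain.
func CheckAlignment(raw string) []string {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return []string{"unparsable message: " + err.Error()}
	}
	from, err := domainOf(msg.Header.Get("From"))
	if err != nil {
		return []string{"bad From header: " + err.Error()}
	}
	var problems []string
	if rp, err := domainOf(msg.Header.Get("Return-Path")); err != nil {
		problems = append(problems, "missing or bad Return-Path (SPF is evaluated on this domain)")
	} else if !aligned(rp, from) {
		problems = append(problems, fmt.Sprintf("Return-Path domain %s not aligned with From %s", rp, from))
	}
	switch d := strings.ToLower(dkimTag(msg.Header.Get("DKIM-Signature"), "d")); {
	case d == "":
		problems = append(problems, "no DKIM-Signature header")
	case !aligned(d, from):
		problems = append(problems, fmt.Sprintf("DKIM d=%s not aligned with From %s", d, from))
	}
	return problems
}

// Constructed samples: the first is signed and bounced under the provider's own
// domain, the second under subdomains of the sender's.
const SampleMisaligned = "From: Support <support@example.com>\r\n" +
	"Return-Path: <bounce-1@mail.provider.example>\r\n" +
	"DKIM-Signature: v=1; a=rsa-sha256; d=provider.example; s=sel1; h=from:to; bh=...; b=...\r\n" +
	"Subject: Your account\r\n\r\nbody\r\n"

const SampleAligned = "From: Support <support@example.com>\r\n" +
	"Return-Path: <bounce-1@bounces.example.com>\r\n" +
	"DKIM-Signature: v=1; a=rsa-sha256; d=mail.example.com; s=sel1; h=from:to; bh=...; b=...\r\n" +
	"Subject: Your account\r\n\r\nbody\r\n"

func main() {
	fmt.Println(CheckAlignment(SampleMisaligned)) // two problems
	fmt.Println(CheckAlignment(SampleAligned))    // []
}
```

Running this over a message captured from the provider's outbound queue tells you in seconds whether the "not supported" complaint in the thread is really a domain-alignment problem on your side, which is the part you can fix without waiting on the provider.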

------
jrochkind1
> It’s utterly private, where signing in with Google or Facebook is not at
> all, yet far more convenient than signing up with your email address.

What is different in the privacy design of 'sign in with apple'?

~~~
capableweb
As an application owner, I won't see the user's email, instead Apple generates a
unique address for each signup. That email also redirects any emails to the
user's email.

For someone who doesn't like a lot of what Apple does, this is a really nifty
feature.

We just started integrating "Sign in with Apple" last week and are about to
deploy it. Discovering the shielding of email addresses was a happy discovery,
which I haven't seen before.

~~~
snowwolf
What happens when the customer contacts you for support and is using the
shielded email service. You don't know the "real" email for the account, and
the customer can't email you from the "shield" email. So you have limited
means of verifying they are who they say they are. So how do you disclose
account information to them if you can't be sure they are the account owner?

~~~
derefr
I assume what Apple would like you to do is to build an "open a support
ticket" flow into the app itself, which either asks for the customer's
"contact email", or allows correspondence directly through the app. Such in-
app support flows are already pretty standard for e.g. mobile carriers' apps,
I've noticed.

------
asveikau
I feel like it isn't all that meaningful to compare Apple vs. Google vs.
Facebook auth if the data is coming from a community that already has a
favorable view of the Apple ecosystem, eg. the crowd that reads Daring
Fireball. The majority of the global market at large is not using Apple
devices and Apple sign-in is not going to resonate so strongly or even be a
possibility.

If you are developing an iOS or Mac app, sure, that's a meaningful data point
and feature suggestion. It won't be equally important for everyone.

~~~
ianamartin
1.5 billion active devices with all of them tied to an easy payment method is
very meaningful. Also, the wealthiest 1.5 billion and the most willing to
spend money on tech/app purchases.

This is a big deal. If you're trying to sell an app instead of trying to sell
ads, Apple users is your target market, even if your app is web, native
Windows, or Android.

------
cbsks
I have a similar setup for signing up for services. I set up a custom domain
with Fastmail with a wildcard alias that forwards all emails to my inbox. I
can then sign up for services with a custom email like "hn-
cbsks@myemail.example". If a service leaks my email, I'll know immediately and
I'll be able to blacklist that address.

~~~
corylulu
Yeah, I have the same setup for my self-hosted server. It's only a pain when I
don't save the login info and need to go dig it up (or if I'm on mobile). If
only I could make a custom "Sign in with" button on every site that tracked
all that for me, while remaining self hosted, I'd be in heaven.

------
Tepix
As a user, won't I

a) share my data with Apple (i.e. they get to know every time I sign in) and

b) become dependent on Apple (what happens to my account when I sell all my
Apple devices?)?

~~~
tusharsoni
As a developer, it's our responsibility to provide users with at least 2
options. While Sign in with Apple is convenient and seems to be fairly
popular, users should be in control of their data.

Some stats from my app where users have the option to either Sign in with
Apple or use their phone number:

73% use Sign in with Apple and the rest use their phone number.

If it was a privacy issue, wouldn't people rather trust Apple than an indie
developer?

~~~
OrgNet
I wish I could sign up with just username and password (no email)... because
gmail knows everything now (I don't mind having no password recovery option in
many cases)

------
jedberg
I’ve only looked at the docs and not implemented it, but my impression was
that if they leave the Apple ecosystem they lose access to your app.

I suppose this is similar to any other “Sign in with” option, but it just
seems more likely people will ditch Apple before they ditch gmail or Facebook,
since they can keep those around pretty easily without using them or paying
for them.

For Apple you need to pay money and actively use it to stay in the ecosystem.

~~~
samcat116
I mean if you sign into something with Google and then delete your google
account you end up with the same result no?

~~~
Xavdidtheshadow
Yes, but deletion of a Google account (for a lot of people, the core of their
whole internet experience) has way different probability than getting a new,
non-apple phone.

------
alexhayes
Does anyone have any thoughts on the security (or other) implications of all
your email for services in which you sign up using Apple SignIn now being
relayed through Apple's mail servers?

It seems like a great way for Apple to hoover up a heap information they
probably don't need.

I also wonder how they are going to combat bounces and send back a usable
error message. While they can perhaps do useful things with say a mailbox full
bounce they are probably going to have to hide or at least obfuscate some
other kinds of bounces.

~~~
toasterlovin
> It seems like a great way for Apple to hoover up a heap information they
> probably don't need.

This is not intended as a Platonic ideal of what authentication should be.
Rather, it's intended as a better alternative to being forced to log in with
Google/FB/Twitter, since those companies _for sure_ aggregate and monetize
your private information, whereas Apple _probably does not_.

------
qzx_pierri
App Devs probably want to soak up as much user info while they can. I don't
think I would ever use it, seeing as I'm trying to slowly migrate out of the
Apple ecosystem.

~~~
celeritascelery
Not sure I follow your point. The whole point of “sign in with Apple” is to
fight app devs getting more user info then they need.

------
randyrand
How does sign in with apple work when switching to android? or using a windows
PC?

~~~
fallenasleep
Similar to other 3rd party signins, you get redirected to an apple signin
form, and then redirected back.

Disclaimer: opinion/ venting my personal frustration ahead

Apple's implementation of the OAuth flow is incomplete (even compared to what
their documentation says is possible) and buggy. We've found it very
frustrating to work with. This may be one reason that widespread adoption of
apple signin is taking a while.

Of course I expect the issues will be resolved with time

------
pgkyc
I've spent the last 18+ months building a product that does this with even
more privacy than Apple. It's called idvpn.ca and we assign a virtual ID
(pseudonym) to you for each app/vendor you connect to.

This way if they're breached, you don't care and they don't care, yet we can
meet any compliance requirements the app/vendor has such as age checking,
sanction list checking, anti-money laundering, counter terrorist financing
etc.

We're eagerly looking for vendors interested in beta testing our service, as
we have a working product (using OIDC, and/or we easily integrate with
Wordpress) and are looking for the MVP/business model now.

~~~
gibolt
Sounds like you should have started your last step 18 months ago.

Getting it integrated on a scale large enough to warrant regular people using
it and having it in more than one app they use will be the biggest challenge
you'll face. Focus as much percentage of your resources as possible there.

------
arvinaminpour
I've noticed it makes sign ups super easy which is great if you're building a
new service and want to get users fast.

But what I wrestled with is the verification of the user on the server side
after they've signed up (Apple suggests doing a daily verification of each
user that uses Sign in with Apple) and also the annoyance of setting up
trusted domains to be able to email your users.

Overall, it's great for users and for privacy but gosh it's a nightmare to
setup for developers. Hopefully, Apple can somehow make it more seamless for
developers in the future.

------
thedingwing
While I always prefer email/password sign-in when available, I've used Sign in
with Apple exactly once. It's on a website that only offers "Sign in with
<Google, Facebook, Yahoo, Microsoft, Apple>". Given that you don't need to log
in to use 99% of this site's functionality, and this site serves a niche
market with a small development team, I respect their decision to not try to
roll their own authentication.

I'd rather they use OAuth than blunder their own implementation and risk a
breach.

------
chrisseldo
Sign in w/ Apple has been a great user experience. Something that always stuck
in the back of my head when downloading and signing up for a new app was the
stupid email confirmation.

------
aeyes
Implementing this was a huge pain, had to turn off DKIM to get it to work.
Almost no documentation and when your mails bounce there is no information
whatsoever what went wrong.

------
mtm7
From a user's perspective, I tried "Sign in with Apple" for the first time the
other day on Dom Hoffman's new app Byte, and I'm really happy with it. Some
benefits:

1. I don't need to remember a password to sign in

2. My real email is never shared with the service I'm signing up for

3. I had a new account in like 3 seconds without providing any personal
information

If any Apple employees are reading this, you guys did a great job!

------
danielrhodes
I wonder if this is due to brand/trust, that they only request an email, or
the sign in flow is a popover as opposed to going to another app.

~~~
cptskippy
Social Sign-On has a low barrier to entry, you click a button and the
necessary Authentication Context is transmitted by your Identity Provider
(IdP) to the Service Provider (SP). An SP can't implicitly trust an email
address and must ask for a corresponding password and also verify you control
the email. In this case Social wins out for a lower barrier to entry.

Unfortunately the downside of Social is that the SP can request additional
information about you from the IdP. And when the IdP is a SP, ask for
permissions to interact on the IdP's platform on your behalf. Sometimes these
requests are transparent to the user, often the user does not understand
what's being asked and permits requests for access.

Social Login also allows the IdP to track your interactions across sites, and
enables the SP to uniquely identify you across their own properties. An SP can
also do the latter via Email Authentication.

Sign in with Apple prevents both IdP and SP tracking across properties. It
also completely cuts out the IdP.

I think a lot of people are more privacy conscious today and/or have been
burned by Social Sign-On. Sign in with Apple addresses those concerns and
others that come with sharing your email address with an SP.

------
eyesbear
Apple forced some of the companies that rely on Apple’s platform iOS or MacOS
to implement this feature, how is that not anti-trust?

~~~
toasterlovin
Because A) this is good for consumers, and B) Apple doesn't have the market
position to force consumers or other vendors to do anything. There is plenty
of choice and competition in the smartphone market.

------
pdimitar
I use it absolutely in every app I can find. Plus the email obfuscation option
of course.

No clue how popular it is but I quite like the idea.

~~~
withinboredom
It’s nice until you need to contact support when your apple account gets
hacked and tell me your email is pdimitar at example dot com and I can’t
verify that you’re a customer.

------
buboard
out of the 3 (google, fb , and apple) , having a fake FB profile is probably
the best for my privacy. While FB may have tracked me they probably dont know
my real name, while for apple it's mandatory, and most people probably have
used their CC details with google at some point, plus these companies have my
realtime location data as well. None of these systems are really private and
it is a lie to tell our users that it is.

That said, SSO logins are replacements for passwords, not usernames. You
should always ask users for their email afterwards if you don't want to be
bound to the service's whims who may decide to block you from their service or
impose weird terms in the future, like how FB requires various forms of
verification / interrogation to continue using their platform.

~~~
FBLOLBOT
> While FB may have tracked me they probably dont know my real name

It is highly likely they know exactly who you are via the huge amount of
metadata you and those around you leak. I would be impressed if your "opsec"
was good enough to evade Facebook.

------
tempsy
Personally prefer it when I see it, but have only seen it twice so far. Much
faster too since it’s native.

------
simple-login
Disclaimer: I'm the founder of this service.

I wouldn't trust a closed-source solution to be the privacy-focused identity
provider. And with "Apple Search Ads", Apple could also be considered as an
advertising company.

I have actually started out to create a privacy-focused SSO solution named
"Sign In with SimpleLogin" [1] before "Sign in with Apple" was announced. The
solution is from the beginning meant to be open source and even self-hostable.
It's superior to "Sign in with Apple" in several ways:

- The dev experience is far better

- The random email part is customized

- Name, avatar could also be customized

If you visit the home page, you would notice that it's talking mainly about
the email alias part as the SimpleLogin button is not implemented on popular
websites yet, which hopefully will come soon.

[1]: https://simplelogin.io/developer

------
cptskippy
We have an on-going issue with Apple's protections going back almost a decade
to when they started mucking about with 3rd Party Cookies. This isn't entirely
their fault, blame also lies with the vendor we've chosen and our architecture
for SSO.

That being said, there are valid use cases for tracking users across websites.
I work for a nonprofit that does fundraising using every imaginable PaaS or
SaaS platform as well as quite a few in-house developed tools. We offer an SSO
experience across all of these various platforms and integration is a
nightmare. OpenIDC, OAuth, SAML, ADFS, and lots of custom APIs.

It works for the most part everywhere except Safari where a few of our
integrations just cannot and will not work due to their use of 3rd Party
Cookies. Fortunately the way we've had to structure our solution, Sign in with
Apple won't be much if any disruption to the status quo. It won't however help
matters either.

~~~
chrispeel
> That being said, there are valid use cases for tracking users across
> websites. I work for a nonprofit ...

Could you explain "valid use" more? I hope that you're not implying that we
should allow all non-profits to track people across websites so they can do
fundraising.

~~~
withinboredom
At WordPress.com, we have millions of sites. Having users be logged in so they
can ‘like’ a post or comment or write new content is kinda important. That
uses APIs and third party cookies (first party, but the API is a third-party
from the perspective of the site they’re on). We are constantly dealing with
Safari thinking it’s “tracking”. Disclaimer, we do track things, but only on
admin pages, not users’ sites.

------
ir77
Unfortunately there are very few apps so far that allow signing in with Apple
even though I see them offer email, Google and Facebook options. I think out
of all of the apps that I use only Adobe Lightroom allowed me to sign up with
Apple.

~~~
ascagnel_
My understanding is that "Sign in With Apple" is still officially in beta;
once it launches in full, all iOS apps that offer third-party sign ins (like
the Google & Facebook options) will be mandated to also offer Apple's OAuth
sign-in -- and must give it more prominent placement than third-party
services.

~~~
mikece
Is Sign in with Apple compliant with OAuth2 / OpenID Connect? If it's not I
don't see how Apple can justify mandating the inclusion of something that
isn't standards-based?

~~~
TJSomething
It's mostly compliant as of a few months ago [0]. That document is actually
out of date, because Apple added a discovery endpoint since then [1]. They
also haven't implemented the userinfo endpoint, but the only claims they
expose are openid, name, and email, so it's not that big of a deal to just ask
for those in the id_token. And the client_secret_post thing isn't much of a
problem either, since their custom JWT is a perfectly valid client secret
that's compliant with the underlying OAuth 2.0 standard and it's explained in
their discovery document.

[0] https://bitbucket.org/openid/connect/src/default/How-Sign-in-with-Apple-differs-from-OpenID-Connect.md

[1] https://appleid.apple.com/.well-known/openid-configuration
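
Added example (Go; not code from the thread or from Apple) for two points raised in this thread: the client_secret that TJSomething notes is a signed JWT rather than a static string, and the daily re-verification of each user that arvinaminpour describes, which is a refresh_token grant against Apple's token endpoint authenticated with that JWT. The endpoint, the claim names, the ES256 algorithm and the six-month cap on exp are Apple's published requirements; the Team ID, Key ID, client_id and refresh token values are placeholders, NewDemoKey stands in for the .p8 key downloaded from the developer portal, and VerifyClientSecret is a local mirror of Apple's check so the example can confirm its own output offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"net/url"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

// NewDemoKey stands in for the .p8 signing key downloaded from the developer
// portal (a P-256 key); constructed here so the example runs offline.
func NewDemoKey() *ecdsa.PrivateKey {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return k
}

// AppleClientSecret builds the JWT Apple takes in place of a static client
// secret: ES256 over {iss: Team ID, sub: client_id, aud: appleid.apple.com, iat,
// exp}, with the .p8 key's ID in the header. Apple rejects exp more than six
// months after iat, so mint short-lived secrets per request rather than one forever.
func AppleClientSecret(priv *ecdsa.PrivateKey, keyID, teamID, clientID string, now time.Time, ttl time.Duration) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "kid": keyID})
	claims, _ := json.Marshal(map[string]interface{}{
		"iss": teamID, "sub": clientID, "aud": "https://appleid.apple.com",
		"iat": now.Unix(), "exp": now.Add(ttl).Unix(),
	})
	signing := b64.EncodeToString(hdr) + "." + b64.EncodeToString(claims)
	digest := sha256.Sum256([]byte(signing))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	// JWS ES256 is raw r||s, each left-padded to 32 bytes, not the ASN.1 DER that
	// ecdsa.SignASN1 would produce; getting this wrong yields "invalid_client".
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	return signing + "." + b64.EncodeToString(sig), nil
}

// VerifyClientSecret mirrors the check Apple performs; used here to confirm the
// JWT we mint is well-formed before it is ever sent.
func VerifyClientSecret(jwt string, pub *ecdsa.PublicKey) (map[string]interface{}, error) {
	parts := strings.Split(jwt, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed jwt")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return nil, fmt.Errorf("signature must be 64 raw bytes (r||s)")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, fmt.Errorf("signature does not verify")
	}
	var claims map[string]interface{}
	if raw, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &claims) != nil {
		return nil, fmt.Errorf("undecodable claims")
	}
	if claims["aud"] != "https://appleid.apple.com" {
		return nil, fmt.Errorf("wrong audience %v", claims["aud"])
	}
	return claims, nil
}

// RefreshTokenForm is the body POSTed to https://appleid.apple.com/auth/token for
// the periodic check (daily, per the thread) that a stored refresh token is still
// valid, i.e. the user has not revoked the app from their Apple ID settings.
func RefreshTokenForm(clientID, clientSecret, refreshToken string) url.Values {
	return url.Values{
		"client_id":     {clientID},
		"client_secret": {clientSecret},
		"grant_type":    {"refresh_token"},
		"refresh_token": {refreshToken},
	}
}

func main() {
	key := NewDemoKey()
	secret, err := AppleClientSecret(key, "ABC123DEFG", "TEAM123456", "com.example.app", time.Now(), 10*time.Minute)
	claims, verr := VerifyClientSecret(secret, &key.PublicKey)
	fmt.Println(claims["iss"], claims["sub"], err, verr)
	fmt.Println(RefreshTokenForm("com.example.app", secret, "r-constructed").Get("grant_type"))
}
```

A non-200 response to that POST, or an error body, is the signal that the user revoked access and that the app's own session for them should be ended; the same client_secret JWT is what authenticates the initial authorization_code exchange.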

------
netcyrax
Sure, it helps with privacy with regards to the services that you login. But
all the emails are forwarded by Apple. So if you don't trust the big player
(i.e. Apple) this is not privacy-friendly at all.

------
Krasnol
After the bad reputation from the "security" story recently now 3 Apple ads on
front page. Back in business on HN! Good job.

------
mistrial9
it appears that Craigslist has implemented some version of this 'pseudo-random
email in the middle' setup ?

~~~
ajford
Craigslist has used their pseudo-random email relay since at least early 2013.

https://web.archive.org/web/20121215193303/https://www.craigslist.org/about/help/email-relay

------
drywater
I just tried to register a new account at Wordpress but it's not working. Any
other sites that you know?

~~~
withinboredom
I work at WordPress, what wasn’t working?

~~~
drywater
I click the "Use Apple" button and it takes me back at the same page with "you
need a valid email account". This is on the ro.wordpress.com. Maybe it
matters.

~~~
withinboredom
That doesn't sound right :( Did you use an "anonymous" email through Apple or
your real email address?

------
mikelpr
"I kept waiting for the “confirm your email address” email to arrive but it
never did"

really John? you expected a confirmation email to arrive? also, Google and
Facebook don't require a confirmation email either

