
Ask HN: Mobile devs who added Apple Sign In, what conversion changes? - davidajackson
Curious if adding apple sign in substantially affected conversion rate for mobile apps, thanks.
======
shadowgoat
Haven’t done anything with Apple sign in, but I worked with a lot of other
providers before. If you have multiple options, users might forget what
service they used. This becomes an even bigger problem if they paid for a
service with a different provider and can’t find their purchase. If you do use
something like this, only having one provider (only Apple) makes things less
confusing.

~~~
m0dest
I worked on the design and rollout of multiple sign in providers on a popular
app. There are best practices that avoid these issues (users forgetting which
service they used), but they are rarely implemented.

The trick is to be very forgiving: If a user tries to sign in using provider
X, and we discover an email address conflict with an account that uses
provider Y, we would simply ask users to confirm by clicking a button to sign
in with provider Y. From that point forward, both provider X and provider Y
can be used to sign into the account.

So many apps miss the importance of this and cut corners by only allowing an
account to be associated with 1 sign-in provider, or forcing users to create
passwords for these accounts, or differentiating between login and signup.
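
The confirmation step described above, written out as an added example (not code from any commenter or project in this thread): a sign-in from provider X whose email collides with an account linked only to provider Y never grants access by itself; it produces a single-use pending link that is completed only after a successful sign-in with Y. The `AccountService` API, the provider names, the `email_verified` flag and the in-memory stores are assumptions made for this example.

```python
"""Account linking across sign-in providers (added example, assumptions noted inline)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple
import secrets


@dataclass
class Account:
    account_id: str
    email: str
    providers: Set[str] = field(default_factory=set)   # e.g. {"apple", "google"}


@dataclass
class SignInResult:
    status: str                          # "created" | "signed_in" | "confirm_with"
    account_id: Optional[str] = None     # set only when access is actually granted
    confirm_with: Tuple[str, ...] = ()   # providers that may authorise the link
    pending_token: Optional[str] = None  # single-use handle for confirm_link()


class AccountService:
    """Hypothetical service; a real one would persist these maps with a TTL on pending links."""

    def __init__(self) -> None:
        self._by_email: Dict[str, Account] = {}
        # token -> (account_id, provider waiting to be linked)
        self._pending: Dict[str, Tuple[str, str]] = {}

    @staticmethod
    def _normalise(email: str) -> str:
        return email.strip().lower()

    def sign_in(self, provider: str, email: str, email_verified: bool) -> SignInResult:
        """Handle an identity assertion (provider, email) returned by an IdP."""
        # Only act on addresses the provider itself verified; an unverified
        # claim is no evidence that the user controls that mailbox.
        if not email_verified:
            raise ValueError(f"{provider} did not verify {email!r}")
        email = self._normalise(email)
        acct = self._by_email.get(email)
        if acct is None:
            acct = Account(secrets.token_hex(8), email, {provider})
            self._by_email[email] = acct
            return SignInResult("created", acct.account_id)
        if provider in acct.providers:
            return SignInResult("signed_in", acct.account_id)
        # Email collision with a provider not yet on the account: grant nothing,
        # ask the user to prove ownership through an already-linked provider.
        token = secrets.token_urlsafe(16)
        self._pending[token] = (acct.account_id, provider)
        return SignInResult("confirm_with", None, tuple(sorted(acct.providers)), token)

    def confirm_link(self, pending_token: str, provider: str, email: str,
                     email_verified: bool) -> SignInResult:
        """Complete a pending link after a sign-in with a provider already on the account."""
        entry = self._pending.pop(pending_token, None)   # single use, success or not
        if entry is None:
            raise PermissionError("unknown or already-used link request")
        account_id, new_provider = entry
        if not email_verified:
            raise PermissionError("confirming provider did not verify the email")
        acct = self._by_email.get(self._normalise(email))
        if acct is None or acct.account_id != account_id or provider not in acct.providers:
            raise PermissionError("confirmation must come from a provider already linked")
        acct.providers.add(new_provider)   # from now on both X and Y sign into this account
        return SignInResult("signed_in", account_id)

    def linked_providers(self, email: str) -> Tuple[str, ...]:
        acct = self._by_email.get(self._normalise(email))
        return tuple(sorted(acct.providers)) if acct else ()
```

Two caveats worth keeping in mind with this flow: the pending token is consumed whether the confirmation succeeds or fails, so a failed attempt forces a fresh sign-in rather than a retry on the same token; and a user who signs in with Apple using a "Hide My Email" relay address presents an email that will not collide with their existing account, so they land in the `created` branch and need a separate, explicit link-from-settings path.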

~~~
DerJacques
Interesting. Wouldn’t that allow someone to sign up for service Y with an
email address associated with an account in your system using service X, in
order to get access to the account in your system?

Maybe there’s something I’m not seeing, but it seems dangerous to rely on the
identity provider’s email address to authenticate the user.

~~~
earenndil
It's assumed that, if you're signed up for a service with an email address,
you control that email address.

This is generally a reasonable thing to assume, and can be verified for
whatever account providers you support.

------
laser
On one consumer iOS app with email and apple sign in as the two available
options, 34% opt for apple, 66% for email. No meaningful change in conversion
rate, but this generally isn't an issue 90%+. The prior arrangement wasn't
just email, though, it was email or phone sign up, so take what you will.

~~~
ketzo
34% actually strikes me as pretty good for a new and
not-particularly-well-advertised service.

------
gigatexal
I’m not a dev but a consumer in this question and I’d just say a service or
site that has Sign In with Apple and Apple Pay available on the web is an
instant use on my end. I will continue to vote with my paltry wallet for these
technologies to take off even more, especially Sign In with Apple.

I don’t want to give my actual email out. I like the relay aspect. And it
should make logging in and user management and single sign on and all that
much easier no?

~~~
jrockway
What apps are using Apple Sign In, anyway? I haven't run into any and kind of
just assumed it died or hasn't launched yet.

~~~
ShakataGaNai
Originally Apple set a very aggressive due date for this feature and the devs
fought back. So the due date was pushed back to April 2020. Moving forward you
should start to see it appear on almost any app that already has social auth.

[https://developer.apple.com/news/?id=09122019b](https://developer.apple.com/news/?id=09122019b)

[https://developer.apple.com/app-store/review/guidelines/#sign-in-with-apple](https://developer.apple.com/app-store/review/guidelines/#sign-in-with-apple)

~~~
bdcravens
Yesterday they announced that requirement (among others) was pushed back to
June 30, presumably due to COVID-19.

------
unexaminedlife
I hate technologies like this. Not because I don't think they at least
contribute some benefit to end users.

I see it as oblivious executives trying to monopolize whatever they think they
can monopolize.

The future is in yubikey-style authentication.

~~~
hombre_fatal
Yubikey-style is dead in the water since you can't back them up or exfiltrate
the key. It will never appeal to more than a handful of users willing to jump
through those hoops.

Just needing to have every hardware key on hand to register with each new
service is so bad I thought I was misunderstanding the UI. I never used them
again.

The hoops might be worth it for a critical service that holds your $millions.
But hardware keys are never going to compete on the 99% of services that
people use, from the trivia app on their phone to Uber.

~~~
closeparen
I think we will see most client devices natively implement something like
WebAuthn with their onboard TPMs. Enrolling new devices for a service would
then be a matter of approving the attempt from an already-enrolled device,
iCloud style.

~~~
krrrh
[https://krypt.co/](https://krypt.co/) Does something like this now by
leveraging your mobile device as a security token for desktop logins.

------
steveharman
Apple Sign in to be mandatory by June 30th for certain use cases (source: Apple
WWDC update email from a few days back).

Along with a number of other enforcements.

------
pedalpete
I'm looking at adding this into a new app I'm developing, and assumed I'd do a
default apple login on iOS and google login on Android (with the option to go
see more login options on other devices)

Anybody think this is a bad idea for some reason?

~~~
geuis
Remember that google login works cross platform. So it makes sense to show
Apple for only iOS/Mac users, but you shouldn’t hide the other options.

------
hestefisk
I’m about to embark on a new iOS built with SwiftUI. What backend would you
recommend for authentication (server side) when using Sign In with Apple? Do
you all use Firebase?

------
greggman3
I will never use the same service to sign into multiple things. It's a single
point of failure. If Apple ever decides to close your account you're S.O.L.

I made the mistake once, had an account closed, got royally screwed. It wasn't
Apple but it doesn't matter. I learned my lesson. Don't tie things together.

I don't follow that for everything but for anything important I do as well as
anything involving money.

~~~
xref
Similarly if your Apple (or other SSO) login is compromised the blast area is
much bigger as all linked sites are now compromised

You could make the same argument if your password manager is compromised, but
definitely worth being aware of

~~~
buzzerbetrayed
Just to expound on what you're saying, won't there always be a single point of
failure? For example, for the majority of people there are only a few options.

1. Use the same password for all logins because you don't know how to manage
unique passwords for all your logins. Obviously this is about as insecure as
you can get.

2. Write your unique passwords down somewhere. This can be in a notebook, or
a password manager (1password and the like). In this case, there is still a
single point of failure (as you pointed out) if someone finds your book or
compromises your password manager.

3. Use some sort of SSO service. Still a single point of failure (Apple,
Google, Facebook).

I feel like using Apple SSO with 2-factor authentication is just as secure as
any of these options.

Is there any "secure" system that doesn't have a single point of failure?

~~~
earenndil
You. You are the single point of failure; if you are compromised, then all
your accounts can be accessed by the compromisor.

If you're looking for a point outside yourself, then memorising all your
passwords would be an option.

But beyond that, I don't think your criticism is warranted. There's always a
single point of failure - sure - but we can still consider gradations of _how_
centralised that point is, and how likely it is to fail.

With a hosted password manager, you're at the mercy of their server code;
specifically, at least for 1password, I think they have a 'dead man's switch'
which lets you get at the encrypted content without the master password. This
is more likely to fail than a password manager which stores all its content
locally and really encrypts it (e.g. keepass). In this case, human error
outside of yourself can't compromise you. But technical error can, which is
why there are more steps that can _meaningfully_ increase your level of
security. Like running your password manager on a separate, air-gapped
computer; or sandboxing everything you run a la qubes.

Are any of these especially likely to compromise you, as a user? No, but
reducing centralisation and dependency still improve your chances, and are
definitely worth considering if you are e.g. running a drug smuggling ring.

