Apple's new login is a small, yet powerful step toward digital ID
Any bank, mobile wallet provider or retailer pushing for consumers to download their apps will be paying close attention to the new Sign in with Apple service — especially since Apple is making it mandatory for any app that allows third-party logins.
The project runs parallel to the card networks' efforts at tokenizing payment credentials and expanding those services. Much like Apple Pay tokenizes card account numbers — replacing them with a separate "token" value for security — Apple's sign in offers to do the same for e-mail addresses.
Though Sign in with Apple is limited in its capabilities and doesn't support payments, it is a bold step in efforts to create a digital ID system that could work across companies and devices.
"It is essentially a federated ID and Apple is controlling it," said Richard Crone, chief executive of San Carlos, Calif.-based Crone Consulting LLC. "Anyone who wants to do this would have to have an unblemished record and strong stance on privacy, and that has been Apple's positioning for several years."
Apple has come a long way since its iCloud service was implicated in the exposure of celebrities' intimate photos ahead of the launch of Apple Pay. Apple's recent, bold statements on privacy include a major billboard ad at this year's Consumer Electronics Show, declaring that iPhones keep data secure and local. Rivals such as Google are also hammering this message, with the next version of Google Assistant handling speech recognition on the handset instead of in the cloud.
Apple's service is designed in a way that would appeal both to those pushing the General Data Protection Regulation in Europe and to the card brands' Secure Remote Commerce efforts, which stress a universal buy button that uses bank apps for authentication.
"If there is anything that mobile wallets or mobile banking enabled, it is that you have to authenticate your customer; it's in the KYC regulations, and Apple will be doing this on behalf of everyone in the ecosystem," Crone said. "It gives them a unique position for the value-added services that come from that."
If Apple were to expand Sign in with Apple as an authorization model that could link to Apple Pay or banking apps, its first stop would be its own Apple Card, which is managed in Apple's Wallet app instead of issuer Goldman Sachs' app.
"It really does extend the original benefits they talked about for Apple Card, and they may pass payments credentials on securely in a single sign in just for the card to give them a leg up on others," Crone suggested. "We don't know about that yet, of course, but we do know that if you are controlling sign in, you are controlling checkout."
Apple declined to comment to PaymentsSource about future use cases for Sign in with Apple, but acknowledged its past experience with banks gives the company a full understanding of the additional requirements banking or payments apps would call for in a customer identification program.
"With the success and momentum of Apple Pay, we've learned a lot about credit cards," said Apple CEO Tim Cook when announcing the product. "While we all need them, there are some things about the credit card experience that could be so much better."
Because organizations like FIDO Alliance and W3C have been pushing for alternatives to static passwords for the past several years, the notion that there are far better options has been pretty well established.
"We are certainly seeing a lot of businesses recognize that the current username/password paradigm is fatally flawed," said Julie Conroy, research director and fraud expert with Boston-based Aite Group. "I do like the idea of tokenized user IDs from a security perspective — that means that any given breach has limited utility elsewhere."
But it won't be easy for the Apple e-mail tokenization concept to operate out of its own ecosystem, Conroy added.
"The part that would cause me consternation, however, if I were the developer, is that the generation of those randomized emails that were part of the announcement then eliminates a valuable tool for risk evaluation," Conroy said.
The bulk of mobile developers today leverage Apple's platform as their payment engine, Conroy added, which means liability for fraud rests with Apple.
"But if this federated identity were to someday extend outside the Apple ecosystem, then this would create a blind spot for anyone accepting this federated credential," she said.
Those on the frontlines of delivering security products and monitoring fraud trends aren't ready to predict any potential breakthrough measures based on Apple's announcement.
"While capabilities such as e-mail address tokenization may help eliminate some consumer concerns related to sharing information, it is too early to predict the impact it may have on mobile app registrations," said John Horn, director of SecureNow Cyber Security Services at Fiserv. "Those are driven by multiple factors, including convenience."
Still, the use cases for tokenized e-mails will likely become more apparent in time.
Crone contends that the incidents described in a recent Wall Street Journal report, in which Square delivered millions of digital receipts to the wrong e-mail addresses, would not happen if a tool like Sign in with Apple were in place for consumers: it would provide multi-factor authentication to activate digital receipts with Square before passing along the tokenized e-mail credentials.
One thing seems certain. Apple's move into privacy controls, in combination with its security chops, provides some footing and future options that others may not have.
"I do think it’s a matter of time before one or more players emerge to fill the gap of a trusted steward of identity, capable of brokering authentication and validation on behalf of consumers and third parties," said Aite analyst Trace Fooshee. "I also believe that the devil will be in the details in terms of execution and that there are more than a few unanswered questions relative to privacy law."