
> Nowadays any iOS app that doesn’t support logging in with Apple makes me think twice about whether I really need the app.

I agree. I only create accounts for things reluctantly. Because 1. Why do you want my email address, or DOB, or whatever else? I don't want your marketing, and 2. I can't be bothered, I downloaded your app because I have something I want to get done.



> Why do you want my email address

Because Apple's SSO will not be eternal and nobody wants to have a tier as a proxy on an important account credential.

Apple SSO is ok for throwaway accounts where your account has no "sentimental value" that you can't recreate easily. But the author of this post maintains a social network: nobody wants to be locked out of a social network.

I have active accounts on websites that existed back when Apple was fighting not to die and I would have totally lost access to them if I had to sign-in to them through my Lycos account.


Sign In with Apple allows you to share your email so you are incorrect. If I decide to hide my email and be locked out - my choice. Developers and companies are greedy for data. Why do we have the expectation that emails should be shared? I constantly say don’t send me marketing and some services send. On my part I report them as spam every time so that algos start blocking them as they are breaking our contract and are malicious.

For every service I’ve built allow the user to create an account with email, Google, Microsoft, Apple, Twitter, Facebook and to later untie their account and move to email. Also if they ever get locked out from their oauth account they can use the email to create a password and login via the normal way.


> Also if they ever get locked out from their oauth account they can use the email to create a password and login via the normal way.

This is exactly my point! You can't recover your account if you don't know the mail used for registration. Even if you remembered it, no check could be made if Apple stopped proxying the mails for one or another reason.

With other providers, you could always recover an account because your email address would let you prove the ownership of the account.


You can look up any private relay email address you've had provisioned in iCloud settings. It shows what service it was used for and the email, also allowing you to disable the address. This is also available from the Apple ID manager:

https://media.welsh.cc/SIAAsg


Is that not the same as if Google blocks my account? I won't even be able to login to my email for a simple password reset or to verify I'm the actual owner of the email.

This is the problem with one click account vs email entering. It is a risk users should be made aware of but it is still their choice. And for some critical services I'll use my email, for other like the app in question, or most apps on the App Store I'll use one-click install, also most of the time there is no need for me to have an account. Most data can be stored on device without the need for user authentication.


What if my email address stops getting mail for one or another reason?


Then it loses marketing value and data hungry companies no longer care


The point is Apple relay going under is the same risk as Gmail going under.


I’d say it’s lower, even. Google has a far worse history of killing services off than Apple.


I still have my .Mac email address.


I was under the impression that the Apple email that you get is not a real email address with an inbox? Is it? How can you verify a user is the real owner of the email?

If they are locked out of the oauth account, presumably they can't check their inbox.

edit: Oh, do you mean you ask for an email address after they already flow through the oauth process - because that's the worst of all :)


The Apple-provided e-mail address forwards to their real email, so you can still use it for e-mail verification and communications. It just means the user can deactivate the alias at any time and stop further spam.


Don't forget in your threat model that Apple can cancel your account at any time for any reason whatsoever. They've even done it to security researchers using Apple's own bug bounty program. If that happens, you are stranded with those accounts effectively inaccessible to you forever.

https://appleinsider.com/articles/21/04/20/man-sues-apple-fo...


So? Google can also cancel your account at any time for any reason whatsoever, and good luck getting it back unless you're a celebrity with connections or manage to make a big enough fuss about it on social media. Using the same logic, you should not use Gmail then.


> So? Google can also cancel your account at any time for any reason whatsoever

Right, that's why. Don't ever use "sign in with XXX" for any value of XXX, whether apple or google. Any of them can erase you off their site on a whim and you've lost all unrelated accounts where you made the mistake to "sign in with XXX".

Create accounts with your own email, control your future destiny.


> Google can also cancel your account at any time for any reason whatsoever [...] Using the same logic, you should not use Gmail then.

Actually, under that logic it's only that you shouldn't use the @gmail.com domain; it should be fine to use Gmail with your own domain, since that allows you to recover if your Google account is canceled (just change the MX to another email provider).

Another thing you can do is to never use your Google account for anything other than email; that should reduce the chances of the account being canceled for no obvious reason. For instance, it's been reported that, if you used your Google account for Youtube, and Google decided your real name was not your real name (which it wanted due to the Google Plus integration with Youtube), your whole Google account could be canceled; that risk could be avoided by just never logging into Youtube with your Google account.


Google isn’t worth the trouble. I pay for my email, you remember paying for stuff you use, an antiquated idea, I know, but restores the balance in the equation.


Exactly, you should not use Gmail then. But that's off-topic.


It isn’t though, because the developer had no problem offering that as a social login.


Exactly. I don't use GMail either, own my own domain and run my own email servers.


How does this threat model compare to using gmail or hotmail for your account access?


Apple's SSO may not be eternal but it's also very unlikely to disappear overnight. If it is indeed going to be phased out you will have advance notice of this and a transition period.

I agree that in a perfect world you'd provide your real email address and solve this problem. But developers and companies have repeatedly proven themselves to not be trustworthy and the majority will misuse any contact details for spam which users do not want. In fact there wouldn't be a business case (nor appeal to end-users) for Sign in with Apple if this wasn't a real problem.


> Apple's SSO may not be eternal but it's also very unlikely to disappear overnight. If it is indeed going to be phased out you will have advance notice of this and a transition period.

They may well offer notice and time when they cancel the service in some future.

They won't offer any of that if they happen to erase your account just because though, as has happened to many people.


You’ve got to be kidding.

Don’t use apple SSO because apple might not exist one day?

You may as well argue not signup to anything using gmail because, heck, google might go out of business.

There is no benefit to users in giving your “real” details to service providers; the benefit is entirely on their side.

You can argue that Apple is harming the opportunities for 3rd party developers, sure, taking advantage of them? Sure.

…but let’s not try to frame this as somehow “pro consumer” to give your email away so people can spam you with notifications and offers to lift their engagement rates.

That is pure BS.


I don't think your tone is warranted and in the spirit of this community.

I don't agree with GP's fear of Apple SSO vanishing without a transition period to something else, but the general premise that this form of login is not eternal but rather short lived in the grand scheme of things is reasonable and doesn't warrant your aggressiveness.

Also you might get locked out of your Apple account for a number of reasons and will then lose access to much more than just Apple services.


And this is a risk for the user to take on, not a choice that should be left to a petty developer.


It is also not really a valid argument here, given that the service we are talking about was offering Facebook and Google login options, which share the exact same issue, but with the added privacy violations of those platforms.


From what I understood from these discussions, that is not an issue with Facebook and Google logins because they reveal the true user email address, so even if they no longer exist one day, that email address could be used to recover the user accounts (using a password recovery flow through email); while Apple SSO does not reveal the true user email address, only a proxy through Apple's systems, so if it no longer exists one day, there's no way to use the email address to recover the user accounts.
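The recovery design described earlier in the thread (let a user sign in through several providers, later untie one, and fall back to a password set through an emailed reset link) and the point just above (that fallback only works while the stored address actually reaches the user) are illustrated by the following added example. It is not code from the thread or from any service mentioned in it; the provider names, subject ids and addresses are constructed sample values, and `email_verified` is the assumed flag a service would keep for whether the address has been confirmed as deliverable.

```python
# Added example: a minimal account store with several linked identity providers
# and an email-based password fallback. All provider names, subjects and
# addresses are constructed sample values.
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Account:
    account_id: str
    email: str
    # Whether the stored address has been confirmed as deliverable. A
    # provider-relayed address only reaches the user while the relay forwards.
    email_verified: bool = False
    identities: Dict[str, str] = field(default_factory=dict)  # provider -> subject
    password_salt: Optional[bytes] = None
    password_hash: Optional[bytes] = None

    def login_methods(self) -> List[str]:
        methods = sorted(self.identities)
        if self.password_hash is not None:
            methods.append("password")
        return methods


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class AccountStore:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.by_identity: Dict[Tuple[str, str], str] = {}
        self.by_email: Dict[str, str] = {}
        self.reset_tokens: Dict[str, str] = {}  # sha256(token) -> account_id

    def sign_in_with_provider(self, provider: str, subject: str,
                              email: str, email_verified: bool) -> str:
        """Return the account for (provider, subject), creating it on first use."""
        key = (provider, subject)
        if key in self.by_identity:
            return self.by_identity[key]
        account_id = secrets.token_hex(8)
        self.accounts[account_id] = Account(account_id, email, email_verified,
                                            {provider: subject})
        self.by_identity[key] = account_id
        self.by_email[email] = account_id
        return account_id

    def link_provider(self, account_id: str, provider: str, subject: str) -> None:
        key = (provider, subject)
        if self.by_identity.get(key, account_id) != account_id:
            raise ValueError("identity already linked to another account")
        self.accounts[account_id].identities[provider] = subject
        self.by_identity[key] = account_id

    def unlink_provider(self, account_id: str, provider: str) -> None:
        """Untie a provider, but never leave the account with no way to log in."""
        acct = self.accounts[account_id]
        if provider not in acct.identities:
            raise KeyError(provider)
        if len(acct.login_methods()) < 2:
            raise ValueError("cannot remove the last login method")
        del self.by_identity[(provider, acct.identities.pop(provider))]

    def request_password_reset(self, email: str) -> Optional[str]:
        """Issue a single-use token to be emailed; None for unknown/unverified addresses."""
        account_id = self.by_email.get(email)
        if account_id is None or not self.accounts[account_id].email_verified:
            return None
        token = secrets.token_urlsafe(32)
        self.reset_tokens[hashlib.sha256(token.encode()).hexdigest()] = account_id
        return token

    def set_password_with_token(self, token: str, new_password: str) -> bool:
        digest = hashlib.sha256(token.encode()).hexdigest()
        account_id = self.reset_tokens.pop(digest, None)  # single use
        if account_id is None:
            return False
        acct = self.accounts[account_id]
        acct.password_salt = secrets.token_bytes(16)
        acct.password_hash = _hash_password(new_password, acct.password_salt)
        return True

    def login_with_password(self, email: str, password: str) -> Optional[str]:
        account_id = self.by_email.get(email)
        if account_id is None:
            return None
        acct = self.accounts[account_id]
        if acct.password_hash is None or acct.password_salt is None:
            return None
        candidate = _hash_password(password, acct.password_salt)
        return account_id if hmac.compare_digest(acct.password_hash, candidate) else None
```

The two checks worth noting are that `unlink_provider` refuses to remove the last remaining login method, so untying a provider cannot strand the user, and that `request_password_reset` only issues a token for an address that has been confirmed as deliverable, which is exactly the property a relayed address loses if the relay stops forwarding.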


Apple asks the user whether they want to reveal their email or not. If you do not receive a real email address for Sign in with Apple, it is because the user did not want to give it to you.

I fail to see any problem with this.


Facebook and Google login were options in addition to standard email sign up.


And Sign in with Apple is another option in addition to those.


> Don’t use apple SSO because apple might not exist one day?

> You may as well argue not signup to anything using gmail because, heck, google might go out of business.

I assume OP's point is that Apple or Google could still exist but your accounts might not exist, maybe you get banned or just decide you don't want to use Apple/Google/FB anymore.


> Don’t use apple SSO because apple might not exist one day?

There might be a day when Apple is not _my_ cell phone platform. Even now I have an Android phone and iPad and I prefer to have access to same services from both.


You can still have an Apple ID even if you never ever had even a single Apple device.


Technically true, the best kind of true.



Looks more complicated than just not using Apple ID.


Apple is not going anywhere, but they can terminate your account on a whim:

https://appleinsider.com/articles/21/04/20/man-sues-apple-fo...

So has Google, and presumably the other platforms as well.


Exactly, the same thing can happen with Google, so are you suggesting that users should not use direct email signup with Gmail either?


Yes, or at least not with a @gmail.com domain. Running Google Apps with a custom domain you own and Google can't snatch away is fine (well, apart from the privacy implications of giving Google free rein to read your emails, of course). That means not using Google as your registrar, obviously.


> You may as well argue not signup to anything using gmail because, heck, google might go out of business.

I personally avoid doing it, but that's not the point.

Every other third party allows account recovery by mail: if you want to stop using FB or Google's SSO, you can ask the website to send you a mail to prove the account ownership.

If Apple's SSO stopped working (because Apple stopped it, banned you, because you don't have Apple devices anymore so you are locked out of their proprietary 2FA), none of those websites could send you a recovery email.

> That is pure BS.

I don't feel like I've been insulting, so please don't be either.


> because you dont have Apple devices anymore so you are locked out of their proprietary 2FA

They have SMS as a fallback. I know it's insecure and I'd rather they support TOTP, but let's not pretend having an Apple device is the only way to receive 2FA codes for your Apple ID.


> let's not pretend

I pretend nothing, I just didn't know it since I had an iPhone for years.


> let’s not pretend

This line is unwarranted and in violation of HN rules. Be cool.

I learned something today. I didn’t know you could get SMS codes for Apple 2FA.


> Don’t use apple SSO because apple might not exist one day?

Yes. And more to the point, because that Apple service may not exist in the future. Or Apple may determine that a particular app or service can no longer use its service for whatever reason, and you as a user will not have any choice in that matter. It's all been done before.


And it makes me think: what happens to the "proxy emails" assigned to your application when Apple decides to ban your app from the App Store? Are your users still reachable? Is there any information on this?

Given an alternative storyline where Epic Games allowed users to create accounts with relayed Apple mails, wouldn't all those accounts suddenly have become unusable today?


Epic actually did allow users to use SWA since they have about 5 other IdPs they allow. Apple didn't suspend their access to SWA at any point, though there were stories about it at the time.


Then your issue isn't with Apple's SSO, it is with all SSO providers. Facebook/Google login are not eternal. The only difference is the proxy, which can be disabled.

Any website offering SSO options would have a sunset period to move it over if a provider went under...and if they don't, they are likely defunct at that point anyways...


Apple may not be eternal, but probably will still be around for many decades after your app is completely forgotten. I still have the same IBM and Oracle accounts from the 90's. Big enterprises tend to stick around for a friggin long time.



