Apple Sign In

Disposable, anonymous email forwarding is a massive step forward for privacy. I know we've all been doing it for a while, but this on a consumer level is fantastic.

According to the App Store review guidelines update posted today, Sign In with Apple will be <i>required</i> for any iOS app that implements a single-sign in button.<p>&quot;Sign In with Apple will be available for beta testing this summer. It will be required as an option for users in apps that support third-party sign-in when it is commercially available later this year.&quot;<p><a href="https:&#x2F;&#x2F;developer.apple.com&#x2F;news&#x2F;?id=06032019j" rel="nofollow">https:&#x2F;&#x2F;developer.apple.com&#x2F;news&#x2F;?id=06032019j</a>

Can’t services just disallow&#x2F;block this address?<p>Fun thing is, Apple themselves block name+addon@gmail.com addresses when using their dev console. You can bet that some companies will disallow Apple’s signature private passwords similarly if they can, in the name of ‘security’ or what have you.<p>Or am I being too cynical? Feel free to CMV.<p>EDIT: best response addressing this seems to be ‘The addresses are only generated from the &quot;Sign In With Apple&quot; workflow that a developer has to enable in the first place’

This is a huge move. Apple striking at the core of Facebook&#x27;s play to own your identity, which they had with Facebook Connect but have completely fudged out with countless breaches of user privacy and trust. I used to be the biggest fanboy of facebook connect, but now I have to say: Go Apple.

This single feature shown off today at WWDC has solidified my forever lock-in on all things Apple and especially iOS: no longer will my email be sold needlessly or be spammed and my logging into to different web properties sold to marketers and ad networks and data aggregators. I trust Apple a whole lot more becaUe they charge and arm-and-a-leg for high end hardware and soon services because the products and services are the products not their users.

Maybe I&#x27;m cynical, but this looks more like a data hording scheme than a protect my privacy enhancement. If I use Google to sign in, Google and the app has that data and can monetize it.<p>Now if I sign in using Apple, they are going to have the data to monetize. They may keep the app from getting my information, but that means that their data is better than someone else&#x27;s data, so it is more valuable. Also, they are getting app usage statistics that I may have opted out of at the OS level, but they now have due to having the sign in history.

It seems you must first have an *OS app in order to use Apple Sign In on the web, a $100&#x2F;year barrier to entry for web developers verses Google&#x2F;Facebook auth.<p>&quot;To configure web authentication, you must create a Services ID and associate your website to an existing primary iOS, macOS, tvOS, or watchOS App ID enabled for Sign In with Apple.&quot;<p>Source: <a href="https:&#x2F;&#x2F;help.apple.com&#x2F;developer-account&#x2F;#&#x2F;dev1c0e25352" rel="nofollow">https:&#x2F;&#x2F;help.apple.com&#x2F;developer-account&#x2F;#&#x2F;dev1c0e25352</a>

Sounds like a good time to remind people about Telegram having a similar function for quite some time now. And just yesterday they announced a feature to simplify logging into web sites using TG bots: <a href="https:&#x2F;&#x2F;telegram.org&#x2F;blog&#x2F;privacy-discussions-web-bots" rel="nofollow">https:&#x2F;&#x2F;telegram.org&#x2F;blog&#x2F;privacy-discussions-web-bots</a><p>It might be a personal choice, but for stuff when privacy is really important I&#x27;d definitely pick Telegram over Apple, no matter how much the latter claims to keep me safe from three-letter agencies as well as marketers.

Whoa. Apple is picking up where Mozilla’s ball dropped, but with a massively better chance of success.<p>Cheers to whoever is running this show.

This is a great idea but it kind of falls short.<p>Elaboration with example: LinkedIn is notarious for swiping up any data points that it can find. Your carrier, your GPS location, etc.<p>As long as there are two or more data points to successfully tie you to that id, it&#x27;s already game over. It&#x27;ll just be added to your &quot;targeted advertising profile&quot; and, given the wrong company getting ahold of it (looking at you, Equifax), sold&#x2F;traded on the advertising market to third-party advertisers to build better profiles because... ...advertising dollars?<p>Anyways, the premise is cool but I think - without addressing the dragnet that is targeted advertising - it&#x27;ll just be a minor inconvenience, which will be conquered over time with the collection of enough data points to tie it back to the &quot;you&quot; that they already know.<p>...unless you start-off with a brand new phone (new IMEI) and don&#x27;t associate <i>any</i> old accounts with it, that is.

I develop apps myself and I am 100% onboard with using this instead of offering the signup with google or facebook buttons (can offer those as secondary options). I might even push users slightly to use this instead of others as it gives my apps a bit of extra trust worthiness imo.<p>Only question I have is if it&#x27;s possible to integrate this on websites and for non-apple products too? Because I would like my app which is available on Android too to be able to use this.<p>EDIT: Apple&#x27;s site says it will be available on websites too. Let&#x27;s hope it&#x27;s available on non-apple devices too:<p>&gt; Apple is introducing a new, more private way to simply and quickly sign into apps and websites.<p><a href="https:&#x2F;&#x2F;www.apple.com&#x2F;ca&#x2F;newsroom&#x2F;2019&#x2F;06&#x2F;apple-previews-ios-13&#x2F;" rel="nofollow">https:&#x2F;&#x2F;www.apple.com&#x2F;ca&#x2F;newsroom&#x2F;2019&#x2F;06&#x2F;apple-previews-ios...</a>

This is a natural step that I’ve been waiting for for years. This can almost remove the need for password typing, as you don’t even need one to unlock the device anymore. Let’s hope Microsoft does the same, and integrates with apple’s solution. A lot of people are on iOS+Win10 for laptops.

Does this require that every device you&#x27;d wish to use to sign into the service be an Apple device?<p>That is, if you&#x27;re signing up for Netflix with this, would you be able to access your account from a Roku box?

Doesn&#x27;t this also lock in users to Apple? Will I still be able to use these apps on other devices?

I can already see devs implementing things such as `if email domain ends in privaterelay.appleid.com reject the email address and ask for a &quot;real&quot; one`, like what already exists for yopmail and others.

I love that TC chose a picture of &quot;fc452bd5ea@privaterelay.appleid.com&quot; to illustrate the article. When was the last time you saw a service that could be described by a single &quot;word&quot;?

&quot;without turning over any of their personal data to a third-party company&quot;<p>Uhm.. If a user sign up on my site with apple sign in then they definetly will share personal data with a third-party: Apple.<p>If user A wants to use product B and signs in using solution from C then C is the third-party.

If anyone needs this right now, we&#x27;ve been offering this for a while with <a href="https:&#x2F;&#x2F;www.faircustodian.com" rel="nofollow">https:&#x2F;&#x2F;www.faircustodian.com</a><p>Lots more planned for the future of personal privacy protection too.

I updated my AppleID since I haven&#x27;t used it in years (have other devices) in anticipation of implementing this as soon as it&#x27;s available on a site I&#x27;m working on. It appeared they offered two-factor authentication to get away from those 1990&#x27;s type of security questions. Ah, not so fast - 2FA is only enabled with Apple devices. Poor play there, Apple. This service looks like something sorely needed - bring the rest of the flock into the fold and let everyone plug in their Yubi key.

Per a screenshot in the Keynote, Sign in with Apple will also work on the Web, which will be interesting.

Free disposable forwarding email addresses that you can turn off. Built on the startup bus years ago: <a href="http:&#x2F;&#x2F;boun.cr" rel="nofollow">http:&#x2F;&#x2F;boun.cr</a><p>MailGun ( a YC company ) was providing their API for free, until another company came along and offered to take over the project. All of the code and design was built on a bus from CA to ATX.<p>(and one of the team members met their co-founder on that (StartupBus) trip and went through YC. I believe they are a unicorn now)

Finally an excuse to delete my Facebook account completely. SSO was the only reason I was still using it.<p>I do wonder how many sites will actually implement it.

So what if in the future apple decides they dont want to allow your website to use it anymore (because e.g. it violates their UX guidelines)?

What is forcing the sites that I&#x27;d want to use a fake email address with to use this? It wouldn&#x27;t be in their interest to. They will just stick with their current SSO setup of Google&#x2F;Facebook&#x2F;whatever and never touch this, if they have SSO at all. I LOVE LOVE LOVE the idea, I just don&#x27;t know if it will be useful and successful.

For a while now I’ve been using “someservice.com@account.mydomain.me” when signing up for accounts.<p>I use FastMail for my email hosting, and they allow you to turn on wildcards for any custom domain. I don’t get any spam because it’s at a subdomain — never enable *@mydomain.me because you will get a mountain of spam to admin@, webmaster@, etc.

We&#x27;ve been thinking about this for Mailsac.com. It is already possibly but clunky. Considered making browser plugins to make it easier to create and route disposable addresses, and &quot;black hole&quot; disposable email addresses once it&#x27;s clear they&#x27;ve been resold to advertisers.

If they implement it in OIDC they basically randomize the mail address for every application? What about the other scopes?<p><a href="https:&#x2F;&#x2F;auth0.com&#x2F;docs&#x2F;scopes&#x2F;current&#x2F;oidc-scopes" rel="nofollow">https:&#x2F;&#x2F;auth0.com&#x2F;docs&#x2F;scopes&#x2F;current&#x2F;oidc-scopes</a>

2019 big tech innovation is basically finding ways to ensure only <i>they</i> have access to your data

This is very cool in terms of security principles (no email that can be used to track you by default, mandatory 2FA, mandatory SPF for emails).<p>The mandatory inclusion if you use third party SSO already (smart I think as otherwise FB and Google would probably start paying developers <i>not</i> to include it) aside, this will probably get a lot of uptake for apps that dont use SSO.<p>Apps that people mainly use on mobile devices and TV&#x27;s would benefit a lot from this (as these devices arent good for typing in complex passwords). Additionally larger companies would be concerned about letting Google or FB sell their user list to competitors for targeting. Apple already has all this information, so nothing is lost by enabling SSO.

What&#x27;s the incentive for apps to offer it? Now they don&#x27;t get user data.

I&#x27;m not an Apple user, and don&#x27;t own any of their products, but this is a great step forward for privacy. I&#x27;m happy to see companies prioritizing privacy for users.<p>That being said, any company that actually cares about collecting users&#x27; identities (you know, the ones you&#x27;d actually want to use this for) will definitely block @privaterelay.appleid.com from being used. Apple would&#x27;ve been better off using a well-known domain and having both private and non-private addresses on it, like @me.com .

Will this service be available on the web? I get the feeling that this will only be available on iOS, meaning that you lose access to all your accounts if you decide to switch to Android.

&quot;Apple says it can authenticate a user using Face ID on their iPhone without turning over any of their personal data to a 3-p company.&quot;<p>So is this feature exclusive to Face ID and iPhone? Would users, Face ID enabled or not, be able to use it with only their iCloud email&#x2F;ID? And would older iPhone models incapable of FaceID still be eligible?<p>These may be just questions of a skeptical mind, but I really hope Apple isn&#x27;t using a pro-user, pro-privacy feature to phase users out of older models.

I used to do something similar when I ran my own mail server. Whenever I created an account for a new service, I would add an entry to &#x2F;etc&#x2F;aliases e.g.<p><pre><code> news.ycombinator.com: stirner </code></pre> and sign up for the service as news.ycombinator.com@mydomain.com. If I ever left a service, I would just remove the corresponding alias and restart Postfix.<p>I eventually got tired of the work required to avoid spam filters and switched to iCloud Mail, so I’m glad to see this feature built in.

This is the ultimate way to manage your incoming email - I’ll be filtering everything based on the `to:` address when this rolls out and my life will be wonderful again

Emails from companies already have a unsubscribe button. So if I unsubscribe they shouldn&#x27;t send me emails. That is not changing with the new Apple Sign In feature. Emails will still have the unsubscribe feature. The only reason for devs to push for a real email is to sell it to advertisers. They are not deleting the email once I unsubscribe. So giving them an ankoymized email is good. I hope this succeeds.

Some sites now seem to check whether an address is valid from some database or heuristic, because a random email with a valid domain is still rejected.

Companies already massive dislike fake&#x2F;temporary emails. Go find a throwaway email service and you&#x27;ll find many many websites blacklist them. I&#x27;ll actually be angry if Apple succeeds, because it&#x27;ll just mean I can only have private email address as an apple customer and not anywhere else. Many companies might make an exception for Apple, but not anyone else.

Using &#x27;Sign in with X&#x27; with service Y means you&#x27;re giving X, or anyone forcing X to abuse their position, full access to your account on Y.<p>Additionally, anything sent to you@privaterelay.appleid.com flows through an Apple server.<p>You can trust Apple with this now, but it&#x27;s not so easy to revoke that trust later. Still, it&#x27;s useful for throwaway signups and garbage I suppose.

How is this going to work with all the websites that make you login with your email address? Gonna be super hard remembering them?

Interestingly Mozilla tried something like this a while back:<p><a href="https:&#x2F;&#x2F;en.wikipedia.org&#x2F;wiki&#x2F;Mozilla_Persona" rel="nofollow">https:&#x2F;&#x2F;en.wikipedia.org&#x2F;wiki&#x2F;Mozilla_Persona</a><p>Sadly they cancelled it.<p>(I was actually hired as an intern to work on it, but they stopped paid development between me accepting my offer and my arrival in SF)

How long until sites start blocking the cloaked addresses? (although of course Apple can just churn those address patterns)

I like that you can use the feature on the web too, but it appears you need a paid developer account to generate the client id&#x2F;secret<p><a href="https:&#x2F;&#x2F;developer.apple.com&#x2F;documentation&#x2F;signinwithapplerestapi" rel="nofollow">https:&#x2F;&#x2F;developer.apple.com&#x2F;documentation&#x2F;signinwithappleres...</a>

This is neat. But I&#x27;d have thought the lower-hanging fruit anti-spam wise for Apple would&#x27;ve been to add a &quot;mark as spam&quot; button next to push notifications so users can start reporting all the apps that abuse push notifications to send them advertisements.

This is similar to Abine&#x27;s Blur service, which provides a throwaway phone number, and (seemingly) infinite throwaway emails addresses that can forward to your own personal email address.<p><a href="https:&#x2F;&#x2F;www.abine.com" rel="nofollow">https:&#x2F;&#x2F;www.abine.com</a>

Unfortunately there&#x27;s no way to implement this as a OAuth2 flow and without having an Apple device. Seems unreasonable to require an Apple dev account just for providing sign up - it can be tested without installing apps or just borrowing an iPhone.

How will this be different that anon.penet.fi? (Besides the data being held in the US, where it is very much in reach of the authorities; Apple isn&#x27;t going to shut down the service to uphold some privacy principle vs a government authority.)

Google&#x27;s + and . trick on a dummy-proof, invisible, consumer level. Nice!

I&#x27;m no big fan of Apple, but I must say I get a perverse pleasure out of moves like this because you&#x27;d probably find that 90% of Facebook employees swear by and love Apple products.

This is really good for consumers, but I&#x27;m afraid that many websites simply won&#x27;t bother to implement this. Apple just doesn&#x27;t have the unique marketshare that Google and FB have. The set of users that would use such a thing is the union of privacy focused users and users with an Apple ID and not a Facebook or Google account. This set is heavily overrepresented on HN but is relatively small overall.<p>If I run foo dot com, is that set of users attractive enough to me that I&#x27;ll spend the engineering time to implement this? I can&#x27;t think of many instances where it would be.

Great. I guess also you need to use apple machines to remember the email address and any password for you. Sometimes they ask for it.

On the downside if I use Apple Sign In on apps I probably won&#x27;t be able to sign in to that application on my Android devices.

Sounds promising, because this is where Apple is really got at: taking something “at the fringes” and taking it to the mainstream.

I&#x27;d like to have something similar for actual physical mailing addresses, perhaps UPS or Fedex could offer this.

Great feature, shame it&#x27;s tied to apple hardware - making it inaccessible to those who cannot afford it.

Will this effect apps that i use on an ipad and an android phone that share a login?

Isn&#x27;t there a flaw? What does stop service provider&#x2F;application vendor from banning this relay domain and force users to provide <i>real</i> email address for data-mining purposes aka &quot;ensuring that service&#x2F;app will work&quot;? Unless of course that Apple would deal with those who would go for this

Does this effectively kill the ability for services to have sign-up promo codes?

I&#x27;ve been predicting this since iOS 11! So good to see it come to fruition.<p>Apple SSO :)

I loved the concepts! Cannot wait to see the site with the SDKs and all.

Wish all the cc companies would do this with their numbers. Some do.

So this is only for mac&#x2F;iphone users? That&#x27;s not a large enough segment to warrant adding a sign in option for most sites. Would be nice if Mozilla had done something similar with Persona.

In order to read this article you must redeem your privacy to more than a dozen companies or go through five screens with a confusing UX to change parameters. Oh Irony

Google and FB will likely copy this asap.

Is this Safari only or for all browsers?

When Apple users use this to commit fraud&#x2F;trolling&#x2F;stalking&#x2F;etc. and get tracked down it&#x27;s going to make Apple look bad.

Seems like a direct copy of MaskMail.net<p>Nice to have the product validated, but never fun when a giant just duplicates your business

This is awesome news for developers ! They should have done this years ago.

I&#x27;ll use it.

Am I correct that TechCrunch page violates GDPR? I don&#x27;t see any option to opt-out from being tracked. There is OK button and manage option link, but I can&#x27;t manage anything, I can only agree for tracking...

&quot;This domain is not allowed.&quot;

Apple is ahead of the game officially.

right, another one to ban

Someone who is not apple should do this and charge for it. I&#x27;d pay $10 for something like that

Orr you could buy a domain, and use a catch all email rule and then use an unique rmail address per site. Like mybank@mydomain, yourepamsite@mydomain ect.. I&#x27;ve never had any security problems.

While I like this for privacy purpose this is pretty nafarious.<p>There is no mechanism by which you can use this sign-on without Apple. That means you are stuck with these specialized accounts you would need to re-setup once you leave apple. Just another lock-in.<p>This is definitely not the first time apple does anything like this. If apple really cared they would make a tool for any device or operating system to enable this. But they will not.