Why we won’t be supporting Sign in with Apple

As they point out at the very bottom, all their arguments apply to <i>all</i> third-party sign-ons, so they&#x27;re removing Facebook as well.<p>So there&#x27;s nothing specifically against Apple, despite the title seeming to imply it -- just that they&#x27;re taking the move right now because of Apple&#x27;s new policy coming into effect.<p>I&#x27;ve got to say, I really wish there <i>were</i> a way to know whether I already used Facebook, Google, or Apple to log into a site or app before. My password manager is usually pretty good at letting me know if I&#x27;ve got a &quot;normal&quot; account with user&#x2F;password, but it doesn&#x27;t do <i>anything</i> to remind me if I ought to log in with one of the other services.<p>Every time I&#x27;m occasionally asked to sign into Spotify, Pinterest, Medium, Quora, etc. -- it&#x27;s like, I&#x27;m <i>pretty sure</i> I&#x27;ve signed up with <i>something</i> before, but who even knows which one, or multiple?<p>If password managers could start saving that you&#x27;ve got accounts associated with Apple&#x2F;Facebook&#x2F;Google and highlight the relevant button on sign-in, it would be a big feature improvement.

A lot of the points they make here are real points, and I think AnyList has validity in their actions.<p>I also think it’s not as unmanageable as it seems.<p>Let’s analyze this quote, from the article, as it highlights what I imagine are a big crux of this issue:<p>&gt; with the “Hide My Email” option, your spouse or friends obviously won’t know your privaterelay.appleid.com email address, so when they enter your email address, our systems will believe that you don’t have an account<p>Since you know this to be the case, why not have an onboard if flow they <i>Sign In with Apple</i> where you have them A) choose a visibility email used for sharing&#x2F;communication etc. and B) allow for this email to be their backup email? So if they forget their login or whatever you could just transfer the account to this email instead? Of course this should be opt-in but you can always Under good faith explain benefits there in.<p>It’s more work, but I don’t believe that it’s going to run issue with Apple and provides end users with flexibility.<p>Of course this may not be worth it, at all. This is just a consideration worth thinking about as an app developer<p>edit: Of course another alternative here is they just make users aware of what their sharing email is and allow users to optionally change that, if they want to. This most definitely wouldn’t run counter to this I’d think

&gt; Furthermore, if there are platforms where AnyList doesn’t support Sign in with Apple, like Android, and someone wants to log into their account, they’d have to know their privaterelay.appleid.com email address. (And that certainly won’t be easy to find if you no longer have an iOS device.) And then they’d have to create a password with us, since they wouldn’t be able to sign in using Sign in with Apple.<p>The easy answer is: they should just support &quot;Sign in with Apple&quot; on every platform. (That absolutely works. Sign in with Apple is a [mostly] standard OpenID Connect provider and has a web frontend that should work on every non-Apple platform just fine, just like FB&#x2F;Google&#x2F;etc.)<p>You wouldn&#x27;t think to only support &quot;Sign in with Google&quot; only on Android devices? Maybe &quot;Sign in with Facebook&quot; should only apply to web browsers?<p>It&#x27;s an interesting misconception or miscommunication that so many developers think &quot;Sign in with Apple&quot; should only show up on Apple devices.

&gt; <i>Apple reserves the right to disable Sign in with Apple on a website or app for any reason at any time.</i><p>Holy cow, how is this acceptable to <i>any</i> app developer or software company? This is reason enough for me to never use Apple&#x2F;Facebook&#x2F;Google sign-on as a developer -- huh, or even as a user. Apple&#x2F;Facebook&#x2F;Google could lock out all your users and literally destroy your business in a split second for an arbitrary policy violation, without explaining why, with no way to contact a human being. Haven&#x27;t we seen enough HN headlines where an independent developer or a small software company is begging for help because &lt;LargeCorporation&gt; canceled their account or locked them out of something with no recourse?<p>EDIT: I know that AnyList is dependent on Apple&#x27;s app store. This is still no reason to give Apple (or Google or Facebook) even more power over you.

Buries the lede. They’ve chosen to drop support for Facebook login rather than also support Apple login. So working as intended!

This makes perfect sense from their standpoint - especially since they&#x27;ve had similar problems to what they outline with Facebook sign-in and are now dropping that as well. This is also a win for Apple &amp; end-user privacy, as there&#x27;s one less app using FB&#x27;s login feature now.<p>I think Sign in with Apple is a great step forward even if all it does is eliminate apps that <i>require</i> Facebook and&#x2F;or Google accounts to log in. I hate that - I actually ran into a feature on my mesh router system that required a FB&#x2F;G login, which made it a useless feature for me. Fortunately I didn&#x27;t need it..

Worth noting that AnyList automatically subscribed me to a marketing list without double opt-in or any kind of consent, which is exactly the kind of behaviour that makes me not want apps to have my real email address.

This seems to be a common problem, made more visible when using third-party authentication, that your application has taken the concepts of &quot;Account&quot; and &quot;Authentication Method&quot; as if they were the same thing.<p>It appears that the &quot;account ID&quot;, &quot;preferred contact method+address&quot; and &quot;authentication ID&quot; are all the same here - which then creates the &quot;account management code into a rat’s nest&quot; scenario they describe in the post.<p>If an Account is, by design, it&#x27;s own entity - you should be able to have 100 different authentication methods linked to that same account without impacting any other flow or part of the application.<p>Turn on and off authentication methods would also allow for seamless transition for users, without worrying about when one method is about to be killed.

In my experience the “Sign on with Apple“ option makes it totally risk free to click and I don’t even think twice before clicking to create an account whereas a typical registration page will definitely raise the possibility of me bouncing.<p>Sign-in With Apple is perfect for those accounts that you basically never wanted to have anyway. If it’s something where I want a “real” login, especially one that I might want to share, then I’ll go through the trouble of actually registering and picking a shared secret that my wife and I know.<p>But for the average app that needs a way to keep a user profile for me, it’s just right, and from a UI perspective on iPhone it really is magic. Two taps and I’m just <i>in</i> with zero mental baggage and an email relay to eliminate the possibility of spam.

&gt; Another issue is Sign in with Apple’s “Hide My Email” feature. With this feature, if you create an account with us, Apple will generate a special email address just for that account. So rather than your email address being john.doe@icloud.com, we will see your email address as something like dpdcnf87nu@privaterelay.appleid.com.<p>Ironically, this is also why I use Sign Up with Apple at every opportunity I can

We&#x27;ve implemented a bunch of third-party login solutions on our platform, but in retrospect I think it was not worth it for us. I think integrating third-party logins makes sense if you know that most of your target users come from a given platform or your application wants to interact with a specific platform (e.g. a Github integration).<p>Otherwise the points the author makes seem painfully correct from our experience. Adding third-party sign-in immediately complicates the frontend as you need to support OAuth&#x2F;OpenID-Connect workflows that are much more complicated than sending a password &amp; e-mail combination (and possibly an OTP token) to a backend and reading the result. In addition, even though OAuth&#x2F;OpenID-Connect are standardized it seems that almost every provider has decided to add its own quirks to it, so you can almost never just reuse the same code for integrating e.g. Github and Gitlab sign-ins.<p>What we currently do is to always add an e-mail using the third-party provider and use that to allow a password reset or password creation. You have to be quite careful with this as well though unless you want to open new security isues. Incorrectly implemented sign-in workflows via third-party providers can open avenues for account takeovers if you implement e-mail validation or account reconciliation incorrectly (e.g. an adversary might register an account with the victim&#x27;s e-mail on a third-party platform and try to use that to sign into the victim&#x27;s account; if the sign-in flow is configured incorrectly [happens a lot] the system will recognize the e-mail and sign the attacker into the victim&#x27;s account).<p>Also, don&#x27;t trust any validated information from third-party providers (especially e-mail addresses), as this can provide another attack vector. Always do your own validation.

&gt; One problem is that most Apple IDs are tied to an iCloud email address. So most accounts created via Sign in with Apple will use an iCloud email address. But many of those iCloud email addresses are unused and unchecked, because a customer’s “real” email account is their Gmail, Yahoo, or Hotmail account.<p>Wow, this is a really good point. I just checked and yup -- my AppleID is directly linked to my icloud email, and I&#x27;ve never once checked my icloud email account. I wonder what&#x27;s in there. Meh, too lazy to go check it

Another issue with Sign in with Apple is the fact that their private relay has a pre-set allow-list per app for sending email to relay addresses.<p>This means that you must either prove ownership of domains, or pre-add email addresses to Apple&#x27;s systems. I understand why they have done this, it will reduce spam considerably, but the private relay system is already designed to empower users to do this and this extra step may be impossible for some developers.<p>Take for example a retailer – they need to dispatch goods and use different carriers in different countries. When the user buys something they very likely want email notifications about delivery, a feature that most carriers provide. For the carriers to send those notification emails you&#x27;ll need to pre-add them all to Apple&#x27;s systems. You can&#x27;t prove domain ownership because fedex.com isn&#x27;t your domain, but where are those emails going to come from? Better hope your carrier doesn&#x27;t change sending address at some point or the email goes into a black hole.<p>Apple also limits the number of domains and addresses you can send from. In the original documentation it was &quot;10 domains and addresses&quot; (not sure if 10 of each, or 10 total). This was raised to 100 I believe, but that&#x27;s still probably an issue for larger multi-national companies, or those who necessarily have to integrate with many external services.<p>The really hard-line privacy stance is that the retailer shouldn&#x27;t share the emails and should do the notifications themselves, but for many this is prohibitively difficult to do, or at least detracts from places where the retailer can actually add value. The benefits are also very small, as the contracts with carriers typically protect user data, require deletion quickly after delivery, and retain most privacy benefits while allowing for a good UX.

That was an interesting read. Also, they close with...<p>&quot;These are both excellent points, and it’s absolutely true that some of the arguments above apply to creating an account via Facebook. That’s why we’re also announcing that we’ll be removing the Facebook Login from AnyList.&quot;

If you implement Sign In With Apple, you don&#x27;t have a relationship with your customers anymore. They&#x27;re Apple&#x27;s customers, and Apple can take them away at any time.

There are 3 major problems with this kind of sign-in from the user perspective they apparently omit: whenever you sign-up for a service B with an account at A (usually Google, probably applies to Apple, Facebook and the rest as well) 1. A will block your account at B at any time as soon as its (A&#x27;s) algorithms realize they don&#x27;t like you for some stupid reason they won&#x27;t even tell you (which is icky but understandable given how many users they serve) 2. A tracks your usage of B (obviously). 3. <i>The most overlooked</i> - A discloses many additional details about you (like your contacts, your location, your birth date, your real name etc.) to B. Sign up to some shitty website once and they immediately have enough data on you to apply a wide range of social engineering &#x2F; identity theft attacks with ease.<p>I actually can consciously accept the 2 in many specific cases but 1 and 3, each alone, are enough for me to avoid using this kind of sign-in.

There&#x27;s a subtle sense of exuberance shining through in this article that makes it a gratifying read, even if you&#x27;ve never heard of the company before. Kudos to them for their decision not to bow to Apple&#x27;s demands. Please tell us how it goes!

&gt; One problem is that most Apple IDs are tied to an iCloud email address.<p>Is that actually true? None in my household are.

Last year we pulled all social logins (facebook, google, yahoo) out of our app, after supporting them for years. The UX &#x2F; customer service issues mentioned in this post are absolutely legit, a complete PITA. While we were nervous about adding the extra signup friction, a year later I can easily say it was worth doing.

&gt; We’re a small company that makes money when people like our app and pay for it. We do not make money with creepy tracking or by selling your information. When you provide us with your email address, it is never sold, shared, or used to invade your privacy.<p>You&#x27;re the only one, then.<p>What&#x27;s happening here is another revolution. Email spam got so bad, that Congress actually passed a law. Which, of course, did almost nothing. People got so tired of spam, that they avoided email, and allow the services to silently remove 90% of the crap.<p>This has now spilled over into voice calls, where it got so bad, so quickly, actual legislation was considered again. But people quickly realized that their phone contained a curated whitelist. Now, I never answer unless the number is recognized, and I think most people are doing the same.<p>Texting is also similarly whitelisted.<p>At this point, email systems and clients need to start with the assumption of whitelisting. Instead of just a &quot;spam&quot; folder with obvious crap, and controls to flag or unflag messages in that folder, we also need a &quot;questionable&quot; folder, with controls to mark as &quot;known&quot; or &quot;unknown&quot;, as well as &quot;spam&quot;. Emails shouldn&#x27;t make it to my inbox unless they pass BOTH the whitelist AND the spam check.

Your iCloud account does not have to be paired with an iCloud email address. Mine is paired with my regular email address.

Apple&#x27;s developer docs on the Private Email Relay Service are relevant to those evaluating the technicals of AnyList&#x27;s position. Three specific highlights from that doc are relevant when considering AnyList&#x27;s objections:<p><a href="https:&#x2F;&#x2F;developer.apple.com&#x2F;documentation&#x2F;sign_in_with_apple&#x2F;sign_in_with_apple_js&#x2F;communicating_using_the_private_email_relay_service" rel="nofollow">https:&#x2F;&#x2F;developer.apple.com&#x2F;documentation&#x2F;sign_in_with_apple...</a><p><i>After the user has shared a private relay email address with your app, they can find, view, and manage it in their account settings at Settings &gt; Apple ID &gt; Password &amp; Security &gt; Apps Using Your Apple ID.</i><p><i>The relay server transforms your email address so it’s readable to the user. For example, sales@xyz.com may become sales_at_xyz_com_&lt;something&gt;@privaterelay.appleid.com instead of a random email address. Replies from the user are still routed back through the service to preserve the user’s privacy.</i><p><i>To send emails to users with private email addresses, you must register your outbound emails or email domains and use Sender Policy Framework (SPF) to authenticate your outbound emails.</i>

3rd party logins have the advantage that sharing content from within your app on those social platforms becomes less of a friction unfortunately - if that&#x27;s what your app relies on.<p>Email-only logins work fine with technical users, but non-technical ones absolutely suck at maintaining their logins and passwords. You lose users because they can&#x27;t login for whatever stupid reason - one of the thousand stupid reasons - and they turn away to never come back, or they register afresh. This is the reality and yes, 3rd party auth is beneficial for popular (non-techie) services.<p>As for Apple Sign-in, haven&#x27;t tried it on the development side yet but I can imagine it reduces friction even further and makes the user experience even nicer. This may be such a big bonus for your service that you may ignore the fact that you can&#x27;t always collect your users&#x27; real email addersses. Find other ways to communicate: in-app messaging for example. If the user deletes your app then retargeting via email won&#x27;t help much anyway - they will mark you as spam and overall it will probably do more harm than good, I think.

I usually uninstall apps with a 1-star review if they provide zero functionality until you provide your email address.<p>Apps and devices serve me, not the other way around.

After reading the article and comments i&#x27;m honestly a bit baffled.<p>Why is email address obfuscation an important component of online privacy? There are so many other more invasive and pernicious privacy concerns to worry about. It seems like we&#x27;re spending an enormous amount of time to build far more complex authentication systems that are brittle and confusing just to avoid sharing an email address. Why?<p>Email addresses are supposed to be semi-public. If I share it with you I want you to contact me. People do abuse this, of course, but the open nature of it is exactly its best quality. I can sign up for new services easily, they can contact me, and if they bother me I block them.<p>I&#x27;ve had the same email address for almost 20 years now and have never had issues managing it. I cannot say the same for Facebook connect and Google Auth. I actively avoid signing up for services if I have to use a 3rd party auth service.

&gt; <i>&quot;One problem is that most Apple IDs are tied to an iCloud email address.&quot;</i><p>Is this really true? I&#x27;ve had Apple IDs for pretty much as long as they&#x27;ve existed, but I&#x27;ve never had an iCloud email. Any email address can be an Apple ID.<p>(...in fact, early on, it didn&#x27;t even have to be an email address. I still have one of those old-style Apple IDs.)

In a rat-race of adding a bunch of (Sign in with xyz) buttons everywhere in the login forms, this news feels good in a weird way. Most developers use OAuth login support using several other services to reduce the friction of signing up, but this article made me think about this for a while. I&#x27;ve been in a situation where I could not remember whether I signed up using a provider.<p>Password managers and 2FA options are getting popular in the mainstream media, and most people know about it after their financial service providers are mandating 2FA. It&#x27;s probably time we figure out an easy way for users to sign in using a random alias of their email address to sign in to any service. Something that is generated using their real email address, the service provider&#x27;s domain name and some kind of salting. This is the time the plain old username-password login came back.

The only authentic point I saw in this entire article was the one about the lack of documentation by Apple in implementing this across different platforms.<p>Everything else applies to logging in with Facebook (or can be dealt with in other ways), which the company has supported for years and is now forced to remove it because of Apple’s restrictions. Without Sign In with Apple, I doubt if they would’ve chosen to remove the Facebook login anytime soon, thus putting more users into privacy hell holes despite making statements like this:<p><i>“At AnyList, we respect your privacy.<p>...<p>When you provide us with your email address, it is never sold, shared, or used to invade your privacy.”</i><p>If the documentation had been good enough, I’m sure they would’ve implemented it and also retained Facebook login for a longer time. Seeing Facebook login being removed gives me some comfort and a sense of “all’s well that ends well”.

Given all these third-party sign-ins are a fairly transparent grab for power by the central company, I&#x27;m not sure why anyone would implement any of them. By doing that you&#x27;re giving up power over your sign-in process, which is a pretty enormous concession.

Not an Apple use but I had a question. If one signs up with Signin with Apple, how can that user move over his stuff to say an Android app? Or even Desktop app? (Or does the Apple ID keep track of all this anonymous id to app mapping?)

I had never heard of AnyList and this makes sure I will never use them.<p>Before Sign in with Apple, I uninstalled most apps that required me to sign up before I could even try them at all. Now I specifically look for apps that support it.<p>I don&#x27;t want to give my email to 100 different companies (I get spam on the aliases that I did hand out long ago to apps that aren&#x27;t even around anymore).<p>Though, all these hitherto obscure companies jumping into the spotlight just by setting themselves up as the underdog against the Apple world tree gives me an idea of what to do when I want a quick boost in popularity.. :)

&gt; your email address, it is never sold, shared, or used to invade your privacy.<p>This is ambiguous. &quot;..to invade your privacy&quot;. They should have stopped at &quot;sold, shared. The &quot;to invade your privacy&quot; is a bit doublespeak. One can say &quot;we do not invade privacy, we merely inform of new products and services (aka marketing).<p>I know I am being pedantic, but hey.. it doesn&#x27;t write &quot;never&quot; it writes &quot;never for A&quot;.. we never wrote &quot;never for B&quot;, so B is allowed by our T&amp;C (which I haven&#x27;t read so I may stand corrected).

Developer should just ask for user&#x27;s email after new sign up using third party provider. Even Facebook does not require email for user to sign up. They should separate the email used for the account &amp; the email used for third party sign in. Because 1 user can have multiple third party sign in, all with different email.<p>I think they did not need to care about customer who did not check the reply email from support, because customer can also have multiple email and did not use their primary email to sign up to your service.

Recently went through the same debacle. Our hope was that we could solely rely on Magic Link instead of email&#x2F;password ... but it turns out many users don&#x27;t really understand it [1]. So your options are:<p>1) Email&#x2F;Password Sign In<p>2) Bite the bullet and add Apple &#x2F; the &quot;full auth stack&quot; (FB&#x2F;Google&#x2F;etc.) &amp; deal with account linking issues.<p>[1] <a href="https:&#x2F;&#x2F;snaphabit.app&#x2F;blog&#x2F;password-less-login&#x2F;" rel="nofollow">https:&#x2F;&#x2F;snaphabit.app&#x2F;blog&#x2F;password-less-login&#x2F;</a>

I wonder why we still have passwords. Couldn&#x27;t we have a simple USB device that is encrypted, cooperates with the native O&#x2F;S in an encrypted manner, and then allows remote login to sites also in an encrypted manner?<p>The device could be programmed to automatically generate new passwords&#x2F;keys&#x2F;whatever needed for remote authentication.<p>It would also have a &#x27;disable&#x27; functionality that would render it useless if stolen.<p>(Perhaps this thing already exists. I am too lazy to google it as I type this :-)).

Side note: there&#x27;s (almost) no problem implementing Apple sign in on Android. It is basically the same OAuth flow as Facebook or Twitter, with couple of minor quirks.

I seriously hope I&#x27;ll see the day when OpenID takes off. It doesn&#x27;t seem to be going the right way, but it would solve most of our login problems.<p>One way to sign in, used everywhere, decentralized, set up 2FA for everything in one place, switch providers with ease or be your own provider.<p>Apple could promote a decentralized solution instead of forcing the sign in with apple shit on people, but clearly they want all your data so they can lock you in.

I dunno. There are simple solutions to the issues raised in the blog post, many good ones here in the comments. Seems likely they wanted to get rid of third party logins and oddly chose to throw it on Apple. And I’m not sure anyone, including Apple, cares if they adopt Sign In with Apple. In the end, I think everyone just wants to end creepy sign-in practices. Facebook login deleted from Anylist... that’s a win for everyone.

Love it. I hate it when I&#x27;m presented with a &quot;sign in with Google&quot;. I feel pressured to have a Gmail account or a Facebook account (which I honestly don&#x27;t want).<p>I get the fact that login is broken across the web and there is no centralized login authority, but sorry Google&#x2F;Facebook are not it imho.<p>We can&#x2F;should look at other ways to authenticate, but thats a larger discussion.

It&#x27;s a grocery list app, how much customer support do they have to do!? Feels like they just really really want to have my email.

The larger problem is trying to get the average Facebook and Instagram user to care about security (if they cared about those things they wouldn’t be on a Facebook product but I digress).<p>I applaud Apple’s <i>intentions</i> but as this article proves, if the user isn’t driving the push to be more private then initiatives like Sign In With Apple cause little more than support headaches.

Is it just me or do these sites not realize that &quot;We will never sell your email&quot; does nothing for me? It&#x27;s not that you&#x27;ll sell it&#x27;s that you will get hacked or lose a laptop or have an admin email everyone and then I will get spam. How do others at HN deal with this (disposable emails and prefix&#x2F;suffix are a huge pain)

It’s pretty user-hostile to refuse to support the authentication provider the user wants to use. If I’m already in the Apple ecosystem, using Sign In with Apple, a service that doesn’t implement Sign In with Apple but could is preventing me from doing what I want, just as much as Walmart not accepting Apple Pay.

Why do you need to log in in this app? All the problems indicate that app is used on one device only

All of them good points. I&#x27;ll add another wrinkle; for some reasons I can barely remember, I have 2 different Apple IDs. I was a paid .Mac user when it was a thing, but I also had a different account to make iTunes purchases back in the day. Currently I need to log in with both in my devices; one of them is used for purchasing in iTunes&#x2F;App Store, the other one is used for iCloud Photos&#x2F;iCloud Drive. However you can also make purchases in the Books app (which I use it to sync PDFs), so this always trips me up. There&#x27;s no way to merge two Apple IDs, and setting up a new device is always an adventure. Knowing when to use which Apple ID can be confusing (don&#x27;t get me started on 2FA, I&#x27;m afraid that having 2 Apple IDs will eventually lead to me getting locked out!).<p>I liked the concept of Sign in with Apple when I first heard about it, but at this point it might be too confusing (I also never check my &quot;main&quot; Apple ID email).

Identifying users by email is a bad practice anyway. Such systems usually don&#x27;t provide a way to change the email address, because it&#x27;s literally your id. This makes it unnecessarily difficult to migrate between email addresses.

Apple having a major flaw is a pretty bad mark against this. But in my experience, companies doing it themselves are far worse.<p>The correct response to &quot;Yo, they fucked up.&quot; is not &quot;Oh screw it. We&#x27;ll just do it ourselves.&quot;

I find Apple&#x27;s Sign in approach shady (forcing apps to have it, and have it first on the list), but this response is also about not liking the privacy features of Apple Sign in so... I wouldn&#x27;t read much into it.

This is a war between apps and platforms on who gets direct access to customers.

Makes sense to support it and respect users privacy. If they forget their login, they can just sign in with apple again? And if they contact you for support they can provide their email address to you then.

Some of this can be solved by asking a user for their email when they open a support ticket. Also allowing them to link accounts from multiple login providers. These are largely &quot;solved&quot; issues.

How long till it becomes mandatory by Apple? I give it a year. Then they&#x27;ll say &quot;our users expect it, so now we do&quot; and it won&#x27;t matter if that&#x27;s true or not.

What about vendor lock-in? Apple forced many apps on the App Store to use Sign In with Apple for increased “convenience” but it also makes it very inconvenient for people to switch to Android.

I mean, if this is pushing them to remove Facebook login, Sign in with Apple and the resulting requirement to use it has been a net positive for privacy for AnyList as well.

The convenience and supposed privacy of signing in with Apple ID out weights the cons. People will still have problem remembering which email they used down the road.

I support their decision. They shouldn&#x27;t be dictating developers which SSO services to use or not. It&#x27;s developer&#x27;s app not Apple&#x27;s.

&gt; Furthermore, if there are platforms where AnyList doesn’t support Sign in with Apple, like Android, and someone wants to log into their account, they’d have to know their privaterelay.appleid.com email address. (And that certainly won’t be easy to find if you no longer have an iOS device.) And then they’d have to create a password with us, since they wouldn’t be able to sign in using Sign in with Apple.<p>I’m an avid iOS user with a Windows desktop. I will never use “Sign-In with Apple” for this reason. It’s not useable unless you exclusively use Apple devices. Which I don’t.

Well, that&#x27;s another app I won&#x27;t be using.

I’ve got a new sign in flow I’ll be using for all my indie apps. It solves 2 problems I have with Apple.<p>1) no PWA support for notifications<p>2) forcing stuff like this on everyone<p>I use a telegram chat bot. After signing up via the bot that sends you a link to set your password, you then also request a short expiry sign in link everytime you wish to sign in. The chatbot doubles as a notifications channel. I’m thinking of enhancing notifications do you can interact with them directly from the chatbot interface too.<p>The signin flow is great as it has 2fa built in by default.

AnyList does not like Sign In with Apple (and others), but they helping with the sign on jungle.

If you disable your account through Apple&#x27;s website the email is no longer valid. Does anyone know if they recycle the emails?

Why not just bind the sso Mail to an local Account, then it doesn&#x27;t matter what identity Provider gets used by the customer. In addition, add a check that prevents Account creation of ...@privacyrelay...if you have a problem with it or nag the user to provide a real mail for this account if you detect this type of mail. This way you would have a user friendly implementation without giving up on sso.

Wouldn&#x27;t their problem be solved by using usernames?! Usernames are easy to remember, share and setup.

Um, it doesn’t forward to their iCloud email address, it forwards to the email they use for their iCloud login - eg the primary gmail or whatever address.<p>Users have the option to provide their personal email address, but given the track record of these being sold it’s reasonable to expect users to not trust you.<p>You can email them correspondence because as above that goes to their primary email.<p>What you lose is the value of the email address as an asset.

Well opined piece, as a customer of Anylist for over 3 years you have my full support in this decision.

I&#x27;d like to see Apple allow users to use &quot;Sign in with Apple&quot; to maintain Apple ID account and purchase hardware&#x2F;software? Imagine if they had to go through what they&#x27;re asking all the services on their platform to go through... yeah... never gonna happen. Bravo AnyList for calling Apple out for pushing immature software ecosystem harmful software agenda.

As a user, I won&#x27;t be supporting them either.<p>Just give me sign in without involvement of a third party.

For me it sounds like they didn’t like the additional work Apple made them do, that would actually benefit the end user - I love sign in with apple, the best part is the unified workflow without typing on a phone.<p>I dream of a world when I won’t have to type passwords on a phone anymore.

so all of this could be fixed by AnyList just asking the user to type in their email address instead of tying it to a data mining operation from their login name<p>well at least they are honest!

&gt;&gt; Third-party login systems like Sign in with Apple cause many user experience and customer support headaches.<p>It’s not. It’s perfectly slick , simple and powerful and even non technical user can use. Please enable.

What a well written and forceful argument.

cry me a river

They will get removed. They don&#x27;t have the power to fight Apple.

Well, though titty. Honestly, as a user, I don’t give a damn about the pains this can cause to developers. The amount of spam and unsolicited email crap this is gonna save me from is worth it 100% for the users. And as a developer, I honestly think that Third party sign ins are lazy solutions that empower data-hungry companies way more than they deserve. If your business model relies on people giving you their data or reselling their email or using it for unsolicited purposes (these are the only reasons you would be affected financially by a privacy-driven solution like SIWA) then your business model is bullshit. Suck it up.<p>EDIT: I really love the downvotes from developers that are perfectly aware this is how the things are.

I found it jarring that Apple would present themselves as the vanguard defenders of privacy by announcing what is basically an email relay service. Most privacy-conscious people wouldn&#x27;t exactly think of their emails going through Apple as any particular win in privacy.<p>And even for the &quot;general user&quot; I find the argument very weak, since it doesn&#x27;t look as being any easier than using any other email relay, and there is a huge obvious conflict of interest for Apple here (they get data they may not have had otherwise PLUS have yet another tool to bind you to their services).<p>It reminds me of the days where everyone in the www was making OpenID providers but no one was actually willing to do an actual OpenID _consumer_. So that I could actually use _my_ identity provider on a server of _my_ choice instead of going through the hoops of yet another large company for no reason.