Apple’s new sign in feature, which allows people to use an Apple ID to sign into websites and apps, has critical privacy and security gaps that must be fixed, according to an industry group.

The OpenID Foundation, a nonprofit with members including Google, PayPal, and Microsoft, runs OpenID Connect, an industry standard for authenticating a person’s identity across multiple websites, without requiring them to use different passwords.

Sign in with Apple has some similarities with Open ID Connect, according to the group, but it’s not entirely in line with the industry standard. That’s a problem that could expose people to “greater security and privacy risks,” according to a letter the OpenID Foundation sent to Craig Federighi, Apple’s senior vice president of engineering.

“The current set of differences between OpenID Connect and Sign in with Apple reduces the places where users can use Sign in with Apple, and exposes them to greater security and privacy risks,” Nat Sakimura, chairman of the OpenID Foundation, wrote in the letter.

Sakimura says the single sign-in feature, which has yet to be rolled out, also puts an “unnecessary burden” on developers, who must work with the OpenID Connect standard and navigate the differences in Apple’s sign in feature.

The OpenID Foundation asks that Apple join the group, and to become compliant with the industry protocol. A document tracking differences between those protocols and Apple’s product details a list of necessary coding changes to “address the gaps.”

Francis Gaffney, director of threat intelligence at cybersecurity company Mimecast, says OpenID raises valid concerns about potential security risks.

“Given the increased scrutiny by threat actors on potential vulnerabilities, it would only be a matter of time before one of these ‘differences’ is discovered and exploited,” Gaffney says.

Apple did not immediately respond to a request for comment. The company is touting Sign in with Apple as a way for privacy-minded people to log into their favorite websites. Apple says it won’t share unnecessary data with app developers.

Sign in with Apple hasn’t been publicly released, however anyone with an iPhone should expect to see it as an option in their favorite apps, since Apple requires developers who offer other single sign on options, such as through a Facebook or Google account, to also promote Apple’s sign-in as an option.

行业团体OpenID基金会称，允许人们用一个苹果账号登录各个网站和app的新登录功能，存在重大隐私和安全漏洞，必须予以修复。

该基金会为非营利组织，成员包括谷歌、PayPal和微软等。它管理的OpenID Connect是一项行业标准，作用是对同一ID在多个网站上授权，而且无需设置不同的密码。

OpenID基金会指出，“Sign in with Apple”功能和Open ID Connect有一些类似之处，但它并不完全符合该行业标准。该组织写给苹果公司工程高级副总裁克雷格·费德里吉的信指出，该问题有可能让人们面临“更大的安全和隐私风险”。

OpenID基金会的主席奈特·崎村在信中写道：“OpenID Connect和Sign in with Apple目前的不同之处让人们可以使用Sign in with Apple的地方变少了，而且让他们面临更大的安全和隐私风险。”

崎村说苹果尚未推出的这项单一ID登录功能还给开发者带来了“不必要的负担”，因为他们必须使用OpenID Connect标准并对苹果此项功能的不同之处进行处理。

OpenID基金会要求苹果加入该组织并遵循OpenID Connect标准。一份追踪该标准和苹果产品差别的文件已经详细列出了“弥合差异”所需要调整的代码。

网络安全公司Mimecast的威胁情报部门主管弗朗西斯·加夫尼表示，OpenID使得人们加大了对潜在安全风险的顾虑。

加夫尼认为：“考虑到威胁行动体越发仔细地搜寻潜在漏洞，他们发现并利用某个‘差异’可能只是时间问题。”

苹果没有立即对询问做出回应。该公司一直宣称，Sign in with Apple可以帮助重视隐私的人登录他们喜欢的网站。苹果表示它不会和app开发者共享不必要的数据。

Sign in with Apple尚未发布，但iPhone用户应该会在自己喜欢的app中看到这个选项，原因是苹果已经要求提供其他单一ID登录方案（比如通过Facebook或谷歌账号登录）的开发者同样向用户推荐Sign in with Apple。（财富中文网）

译者：Charlie

审校：夏林