Alyssa Newcomb | 2019-07-04 21:30
Apple’s new sign-in feature, which allows people to use an Apple ID to sign into websites and apps, has critical privacy and security gaps that must be fixed, according to an industry group.
The OpenID Foundation, a nonprofit with members including Google, PayPal, and Microsoft, runs OpenID Connect, an industry standard for authenticating a person’s identity across multiple websites, without requiring them to use different passwords.
Sign in with Apple has some similarities with OpenID Connect, according to the group, but it is not entirely in line with the industry standard. That is a problem that could expose people to “greater security and privacy risks,” according to a letter the OpenID Foundation sent to Craig Federighi, Apple’s senior vice president of engineering.
“The current set of differences between OpenID Connect and Sign in with Apple reduces the places where users can use Sign in with Apple, and exposes them to greater security and privacy risks,” Nat Sakimura, chairman of the OpenID Foundation, wrote in the letter.
Sakimura says the single sign-in feature, which has yet to be rolled out, also puts an “unnecessary burden” on developers, who must work with the OpenID Connect standard and navigate the differences in Apple’s sign-in feature.
The OpenID Foundation asks Apple to join the group and to become compliant with the industry protocol. A document tracking the differences between the protocol and Apple’s product details a list of necessary coding changes to “address the gaps.”
Francis Gaffney, director of threat intelligence at cybersecurity company Mimecast, says OpenID raises valid concerns about potential security risks.
“Given the increased scrutiny by threat actors on potential vulnerabilities, it would only be a matter of time before one of these ‘differences’ is discovered and exploited,” Gaffney says.
Apple did not immediately respond to a request for comment. The company is touting Sign in with Apple as a way for privacy-minded people to log into their favorite websites. Apple says it won’t share unnecessary data with app developers.
Sign in with Apple hasn’t been publicly released, but anyone with an iPhone should expect to see it as an option in their favorite apps, since Apple requires developers who offer other single sign-on options, such as through a Facebook or Google account, to also promote Apple’s sign-in as an option.
The OpenID Foundation points out that the Sign in with Apple feature has some similarities with OpenID Connect, but it does not fully comply with that industry standard. The group’s letter to Craig Federighi, Apple’s senior vice president of engineering, says the problem could expose people to “greater security and privacy risks.”
Nat Sakimura, chairman of the OpenID Foundation, wrote in the letter: “The current differences between OpenID Connect and Sign in with Apple reduce the places where people can use Sign in with Apple, and expose them to greater security and privacy risks.”
Apple did not immediately respond to a request for comment. The company has been promoting Sign in with Apple as a way to help privacy-conscious people log into the websites they like. Apple says it will not share unnecessary data with app developers.
Sign in with Apple has not yet been released, but iPhone users should expect to see the option in their favorite apps, because Apple has required developers who offer other single sign-on options (such as logging in through a Facebook or Google account) to also promote Sign in with Apple to users. (Fortune China)