Is sign-in with Apple the biggest development in information security of recent times?

It's not just shiny over-priced cheese graters you know

2019-06-06 12:10:16

is-sign-in-with-apple-the-biggest-development-in-information-security-of-recent-times

At WWDC 2019, Apple announced, once again unveiled a bunch of shiny, overpriced technology.

You know that we love a Mac or two (Cortex HQ is littered with iMacs) but this isn't about that - the big news that wasn't about $5,000 cheese graters was Sign-In with Apple. On the scale of 1 to new Mac Pro - we think this one fell slightly under the radar in terms of its potential impact.

Sign-in with Apple is Apple's foray into the federated login realm. If you want to know how it all works - then see here. TL;DR - it's OAuth and OpenID.

Signing-in to stuff with other services is obviously not a new thing at all. We've been able to login to a load of stuff with our Google, Facebook and Twitter accounts - for ages. Big woop.

BUT the reason this has the potential to be an absolute game-changer for information security and protecting your privacy is the "hide my email" feature. Again - nothing, new - particularly - you've been able to do this with Gmail accounts forever - except the ease of use in this case plus the fact that it enforces 2FA to use it.

In simple terms, it allows you to sign-in to a service but Apple will provide that service with a single-use email - so they never actually see your real email address.

This is absolutely monstrous - how many of the data breaches that we've seen over the last few years have seen the attack vector being email address (and password) - as the means to authenticate? That we then see traversal attacks when you reuse email address (and password) across services? That email is typically the primary account recovery method and so if someone gets in to your email they moreorless own you?

In this case, the companies you are communicating with never see your real account details - and so - if they do get breached - the information that is breached is all but useless to anyone else. We wonder if this is almost becoming 3FA? As in - no longer can you have a distinct password, a secondary login - but you can now have a distinct email address. The potential to brute force this is computationally nil.

And the application doesn't end there - how many times have you unsubscribed from something only to continue receiving emails or suspected that your email address has been sold on? You can no uniquely identify every single person who has your email address.

Of course - this means you become even more tightly embedded with Apple - and your primary account is still a major target - but we can't help feeling that nowadays that is becoming harder and harder to avoid.

None of this hasn't been tried before - but with a giant like Apple wading in to the mix; maybe this time it will have a big impact.