Following Apple’s iOS 13 debut last week, its new privacy-enhanced Sign In With Apple feature is attracting praise from an unexpected quarter: even the director behind secure sign-in solutions at Google thinks that this is a great move on Apple’s part, despite the seemingly competitive nature of the move.
In speaking to The Verge, Google product management director Mark Risher, who heads up the identity, account security, and counter-abuse teams at Google, and oversees projects like Android’s two-factor sign-on systems, was surprisingly positive about Apple’s new button, since it represents an overall win for login security.
The problem is that users have become accustomed to using passwords for many, many years, but while passwords make for a great common denominator, they’ve repeatedly proven to be a very bad idea. Passwords are vulnerable to massive data breaches, which can be catastrophic for many users who, despite advice to the contrary, reuse the same password for everything from sketchy shopping websites to email and online banking. They’re also much more susceptible to phishing attacks, and can far too often be easily guessed or socially engineered out of users in other ways.
By comparison, single sign-on solutions, like the ones that Google and Facebook already have and the new one that Apple has just introduced, are considerably less vulnerable to phishing attacks, don’t provide any information that could be discovered in a data breach, and inherently offer two-factor authentication in various ways. In fact, while Facebook has been rightly criticized for disclosing too much data to third-party developers, using their sign-in button is still considerably more secure than relying on a straight password for authentication.
Google’s login chief lauded Apple’s new sign-in button, suggesting that anything that comes from a trusted source and moves people away from using passwords is a win for security, regardless of which of those sources it’s coming from. Risher says that overall things have gotten “way, way better” in terms of moving away from passwords in recent years.
Usually with passwords they recommend the capital letters and symbols and all of that, which the majority of the planet believes is the best thing that they should do to improve their security. But it actually has no bearing on phishing, no bearing on password breaches, no bearing on password reuse. We think that it’s much more important to reduce the total number of passwords out there.
Mark Risher, Director of Product Management at Google
In addition, Risher adds, these sign-in services reduce the burden on the developers of third-party apps and services, who often don’t have the expertise and resources to build the kind of secure authentication systems that Apple and Google already have in place, and — if they’re smart — don’t really want to deal with the liability and risk that comes from maintaining their own password databases.
Although Risher’s comments about Apple’s new sign-on button were mostly positive, the product management director did take umbrage at Apple’s suggestion that Google is collecting information from users — something he flatly denied that the company does, although he also admitted that Google deserves some of the blame for that, as it has not been clear enough about what’s actually going on behind its own single sign-on button.
I will take the blame that we have not really articulated what happens when you press that “sign in with Google” button. A lot of people don’t understand … so getting someone out there to reinvigorate the space and to make it clear what this means and what happens, that is really beneficial.
Mark Risher, Director of Product Management at Google
In fact, Risher acknowledged that despite Apple’s innuendo that its own new sign-on button is the only “pure” option, it’s still an overall positive in that it at least opens up the discussion and helps users get a better understanding of what is going on behind all of these buttons.
However, he also pushed back slightly against Apple, suggesting that the new sign-in button could in fact be more invasive than Google due to its issuing of private email addresses. Like Google, Apple will also log the moment of authentication, but it could also potentially be logging “every email that’s ever sent by that company [developer].” However, Risher acknowledges that he doesn’t know how the details will ultimately work out, and it seems like his comments are a bit of a straw man argument, especially considering Apple’s strong stance on privacy.
I honestly do think this technology will be better for the internet and will make people much, much safer. Even if they’re clicking our competitor’s button when they’re logging into sites, that’s still way better than typing in a bespoke username and password, or more commonly, a recycled username and password.
Mark Risher, Director of Product Management at Google
Ultimately, however, Risher sees Apple’s move as good for the internet at large, but as much as he naturally feels users should be confident in Google’s single sign-on, it’s ultimately end-user perception that’s the problem, and Google’s reputation as a data-mining company has made many users cynical about tying themselves in with a Google account in any way. In the past, users who refused to go anywhere near Google or Facebook were generally left with no choice but to use a password. Now Apple is offering a much better option.