Do you recall those Facebook and Google buttons that allow you to sign in to almost any app nowadays? Well, soon they won’t be the only option available to you and your app users. At the latest annual World Wide Developers Conference, held on June 3-7 in Silicon Valley, Apple announced their game-changing “Sign in with Apple,” a privacy-focused login system for iOS.

Given that other social login systems have been affected by massive security and privacy concerns and violations in the past, this new system seems to be quite a big deal.

What kind of issues are we talking about?

Well, global companies like Google, Facebook, Amazon, Microsoft etc. collect users’ data and metadata which they later use to create personalized ads and content. This wouldn’t be the worst thing in the world as targeted ads already exist on various platforms, but these players sell datasets to third parties without users’ consent.

And some of them have already paid the price (literally). In July 2019, Facebook was hit with a $5bn fine, which has already been called the biggest financial punishment imposed on anyone for violating consumers' privacy.

Apple Sign In might become a trigger for change in companies' attitude to data privacy. But what exactly does this new system change for existing app owners or people considering building new applications? Today, I’ll be taking you through the potential changes, outlining what, why, and when. You’ll see how Apple’s new sign-in is going to impact your app and how to prepare for the official release of iOS 13 in the fall of 2019.

How Does It Work?

Sign In with Apple makes it easy for users to sign in to your app or website using their Apple ID and start using the app right away. An Apple user doesn’t have to fill out any forms, verify email addresses or choose new passwords anymore. As a result, Apple is able to successfully log the user in while transferring only a minimum amount of data (name, email address) to third parties.

Notably, accounts are automatically protected with two-factor authentication for superior security. Generally, two-factor authentication vastly improves the security of the Apple ID and all the personal information stored with Apple. On Apple devices, users are persistently signed in and can re-authenticate anytime with Face ID or Touch ID.

On non-Apple devices, besides providing their password, users enter a six-digit verification code that Apple sends to a trusted device or phone number.

An integral part of the whole Sign In with Apple idea is the additional protection afforded to sensitive personal data, as data collection is limited to just the email address and the user’s name. Additionally, if a user requests so, Apple will generate a random email address to use for registration and then route the email traffic the app wants to send to that address, leaving the app without knowledge of the user’s primary email.

The default option is to use the real email associated with the Apple ID, leaving the user to choose whether to use the real or anonymized email address (as pictured below). Also, Apple will not track user activity in your app or website.

Craig Federighi introduces Sign In with Apple at WWDC 2019. Source: Apple

Sign In with Apple will work natively on iOS, macOS, tvOS, and watchOS. It will also work in any browser via email and password with two-factor authentication, which means you can deploy it on your website and in versions of your apps running on other platforms.

What about non-iOS devices?

If a user signs up for an app on their Apple device, e.g., their iPhone, and then wants to use the app on a non-Apple device, like their Android tablet, they’re sent to a Web view that allows them to authenticate their Apple ID via email and password with two-factor authentication.

What’s Good About Sign In with Apple?

The advantages offered by this new sign-in system include:

Increased user privacy. With Sign In with Apple, the user remains anonymous to both the app owner and other apps, as their user data is not shared with any third party.

Increased credibility of your app users. Sign In with Apple is designed to give you confidence in your new users. It uses on-device machine learning to provide a new privacy-friendly signal that helps you determine whether a new user is a real person.

Integration with all iOS products. Sign In with Apple will be available for all Apple products, allowing users to log in once and get remembered everywhere.

Extremely easy and quick process. It takes a second to log in with Face ID or Touch ID, as only Apple has to verify a user’s identity and can do so on device, without having to redirect them to other pages.

Working against Apple in this particular instance are the company’s strict app review guidelines, but on the other hand, from a user perspective, those guidelines are what makes all App Store apps look consistent and work great.

Sign In with Apple allows the user to show or hide their email, Source: Apple

What Changes for Your Business?

At the WWDC keynote, Apple claimed that their focus on privacy and their minimalist approach to sharing user profile data, as well as storing and sharing with third parties, is what set them apart from their key competitors, like Facebook, Google, etc.

Sign In with Apple is obligatory only if an app allows third-party login. If there's no such choice available, then it's optional. The third party, however, doesn’t have to be a social platform; it could be any other site.

So basically, if your app allows login via anything other than the standard in-app email+password, you must allow Sign In with Apple. This includes all social media, SSO platforms, and any other service that offers an external sign-in feature. Think Facebook or Google, but also Twitter, Instagram, Snapchat, etc. Moreover, Apple has strong design guidelines for the authentication flow and the visual side of the sign-in button.

If you already have an app, the migration to Sign In with Apple is left up to developers, who should always offer a way for users to stop using their social login or allow using email instead.

If you’re thinking about building an app soon, this change will apply to your software from the very beginning and will be built into your software, just like any other feature.

Apple launched a public beta of Sign In with Apple in July 2019, while the official release will be bundled with the latest iteration of iOS, expected in the fall of 2019.

A Few Words for Developers

As Apple itself compiled a comprehensive information package on their latest privacy-focused feature, I’ll only be mentioning a handful of general guidelines concerning Sign In with Apple development.

iOS devs

AuthenticationServices for iOS developers:

Give users the ability to sign in to your services with their Apple ID.

Enable users to look up their stored passwords from within the sign-in flow of the app.

Share data between an app and a Web browser using technologies like OAuth, to leverage existing Web-based logins in the app.

Create a single sign-on (SSO) experience within an enterprise app.
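
To make the first item concrete, here is a sketch of the native flow with AuthenticationServices. It is an example added to this article, not code from Apple; the `AppleAccount` struct, the `SignInCoordinator` class and the `onResult` callback are hypothetical names. It requests only the name and email described earlier, flags a hidden (relay) email address, and reads the "real person" signal.

```swift
import AuthenticationServices
import UIKit

// Hypothetical record handed to the rest of the app; not an Apple type.
struct AppleAccount {
    let userID: String        // stable per-user identifier: key accounts on this
    let email: String?        // real or relay address; nil on repeat sign-ins
    let usesRelayEmail: Bool  // user chose to hide their real address
    let likelyReal: Bool      // Apple's on-device "real person" signal
}

@available(iOS 13.0, *)
final class SignInCoordinator: NSObject, ASAuthorizationControllerDelegate,
                               ASAuthorizationControllerPresentationContextProviding {
    private weak var window: UIWindow?
    private let onResult: (Result<AppleAccount, Error>) -> Void

    init(window: UIWindow, onResult: @escaping (Result<AppleAccount, Error>) -> Void) {
        self.window = window
        self.onResult = onResult
        super.init()
    }

    func start() {
        let request = ASAuthorizationAppleIDProvider().createRequest()
        request.requestedScopes = [.fullName, .email]   // the only profile data on offer
        let controller = ASAuthorizationController(authorizationRequests: [request])
        controller.delegate = self
        controller.presentationContextProvider = self
        controller.performRequests()
    }

    func presentationAnchor(for controller: ASAuthorizationController) -> ASPresentationAnchor {
        return window ?? ASPresentationAnchor()
    }

    func authorizationController(controller: ASAuthorizationController,
                                 didCompleteWithAuthorization authorization: ASAuthorization) {
        guard let cred = authorization.credential as? ASAuthorizationAppleIDCredential else { return }
        // Hidden addresses are issued under Apple's private relay domain.
        let relay = cred.email?.hasSuffix("@privaterelay.appleid.com") ?? false
        onResult(.success(AppleAccount(userID: cred.user, email: cred.email,
                                       usesRelayEmail: relay,
                                       likelyReal: cred.realUserStatus == .likelyReal)))
    }

    func authorizationController(controller: ASAuthorizationController,
                                 didCompleteWithError error: Error) {
        onResult(.failure(error))   // includes the user cancelling the sheet
    }
}
```

Keep a strong reference to the coordinator while the sheet is shown, since the controller holds its delegate weakly. Store accounts under `userID` rather than the email address, because the email and name are delivered only on the first authorization and the email may be a relay address.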

ReactNative devs

So far, there’s no working library for integrating Sign In with Apple with ReactNative. For now, RN devs would need to figure out themselves how to implement the authentication flow using native frameworks. But a dedicated library will probably be released in the wake of the release of iOS 13.

I found one library under construction that’s worth bringing up:

apple-authentication, where you can also find ongoing discussions on interface structure (I even saw an Expo contributor taking part).

Web devs

In a Web browser, we can authenticate with an Apple ID using the email+password form with two-factor authentication (as described previously).