Apple enters the identity ring

Posts

This post is cross-posted from my joint newsletter with Ranjan Roy, The Margins. Please check it out, and consider subscribing.


I love WWDC, Apple’s annual developer’s conference. Ever year Apple announces new software in early June, and then in September the new devices come out. It’s always fun to play with new the new iGizmos, for me at least, but there’s something fundementally more fun, more exciting with seeing new software, bestowing your existing stuff with new functionality.

This year’s WWDC was sort of special too. As many others have pointed out, it seemed like the first developers conference Apple ever held since it got over the iPhone. Mind you, iPhone is still the rainmaker, but it’s not the main focus anymore. There are new technologies like SwiftUI, setting the tone for the next few decades of iPhone UI development. There’s Catalyst, bridging the gap between iPad and macOS apps. What stole the show for me was Sign In with Apple.

Here’s the short version: Apple now allows (more on this “allows” later) developers to eschew building their own authentication mechanism and just delegate it to Apple. In more human terms, you can now sign in to your favorite app using your Apple ID, just like you could with Facebook or Google. And of course, it works everywhere including the web. In one swoop, Apple joined the fight to be the identity provider online. 

There were many things that leaked before this conference, but as far as I could tell, this announcement came out of nowhere, which makes it doubly exciting, as well as scary.

Of course this new feature comes with Apple-esque twists, main one being privacy. First of all, Apple will not share anything with the developers other than your name and email (and a stable key that you can use in your database). That is a big departure from Facebook or Google’s systems, where the developers can request myriad of information on the users. Of course, Apple doesn’t have the same high fidelity of data on its users that social media / adtech companies in the first place.

Adtech Won’t Like This

The real surprise came late though. Apple will just allow a third-party sign in, but also allow users to hide their email addresses from the developers. When a user wants to “hide their email”, Apple will generate a throwaway email address (per user and account combination), pass that on to the developer, and relay all the messages to the user.

This is not a novel feature; you could always do this to some degree with Gmail with the “address+suffix@gmail.com” trick. This isn’t perfect, but it at least allows you to give individual email addresses per service. There are also services that will generate throwaway, disposable emails. However, both of those options remained popular only among a small group of people. Deploying this relatively sophisticated approach to privacy in such a user-friendly manner to billions is a true and true Apple move.

This will change things. There are two main reasons why developers want you to create an account on their platform. The first is that having a persistent identity. This buys you the ability, for example, to store the data on the server so that you can later sign-in from a different device, or after a device reset. If this explanation is bland, it’s only because this is something we take for granted that every service should do this.

The other reason why developers do want you to login has only emerged in the last few years. As more and more of our lives moved into the apps, and those apps began sucking more and more types of data, smart people realized all this data can be turned into cold-hard cash, especially in the form of hyper-precise (though rarely hyper-accurate) profiles for ad targeting. The interesting thing is, the sum of all this information these apps collect is generally bigger than its parts.

Differently put, if you want to maximize the value, you need to “join” (or merge) different types of data from different apps. Now, you can see where I am going with this. The unique identifier that ties your data from all the different apps is your personal email address. This is why Apple providing a unique email, in essence hiding the primary key for those accounts to be merged, is a big, big deal. For many years, many developers, especially small ones, would essentially build apps not to make money via the app itself, but rather to have enough users to sell their user’s profiles to the highest bidder.

Will Developers Adopt Apple Sign In?

Let’s assume for now Sign in With Apple is “good” for the end-users. Yet, Apple would still need to get the developers on board. So, will they? I’m going to try to answer two questions at the same time, from the developers’ perspective: A) Are third party logins good? B) Is Sign in With Apple a good option?

First of all, this third party sign in stuff generally works. If anything, they work too well. Facebook Login, for all its flaws, is much easier to use than having to enter a username and password for every app you use. Sure, very rarely it is down, and you are royally screwed for a few minutes, but that’s few and far between. And yeah, it does add a bit of complexity maintaining multiple identity profiles for each account, but that’s a small variable cost, on top of the fixed cost of supporting third-party logins in the first place.

But the wins are huge. Having worked on this stuff professionally across many companies, I can tell you that there are more ways for users to get confused and mess things up filling in the most basic form than there are stars in the sky. If you can make a user simply tap a blue button that says “Login with Facebook”, you’d much rather do that than build a huge login form with all its intricacies. 

If anything, I’d expect Apple’s solution to be even more frictionless since they fully control the OS and they can build native interactions. Things like Facebook Login do work, but only through elaborate hacks. Every once in a while, you’ll have users who get stuck in some weird loop because their connection to Facebook dropped, or their phone failed to open a browser app. Apple’s system, at least on the UI side, will be more robust and less error prone.

Lastly, this might make a tiny sliver of users more likely to use your product. There’s a small, but arguably vocal, set of people for whom privacy is a major concern. An Apple provided login system where your identity is protected could make your product more attractive to some. 

It also helps that the system will come with some anti-fraud mechanisms.Apple’s login system will tell you whether a user who just signed in might be a fraud-y user, based on device level data. Google can, to some extent, provide similar functionality but Facebook is limited to what it can gather via its apps and server side data. If you want to adjudicating a user’s identity, it’s generally better to do it closer to the user. Such set of features might be attractive to some developers and users alike, but it probably won’t move the needle much.

That’s…about it? What about the cons? There are not that many, but they matter.

Well, the major one is that using a third-party login system severs your direct relationship with your users. This is not a binary thing, of course. In either you will still have an email address to reach your users, but it’ll always be mediated by Apple, in the case of Apple Sign In. Not only you’ll be unable to work with data brokers for some cheap ad dollars, but also you’ll also lose the ability to buy services from other brokers, link your users’ profiles with data from other providers, with whom you might have legitimate agreements with.

But, that’s not all. Apple didn’t obviously mention this in the presentations, but it didn’t take long people to find out the stick in the documentation. If you are using a third-party login provider in your app, you have to . support Sign in with Apple as well. Now, that is fun! I have been thinking about this since I’ve watched the keynote and read the documentation up and down (hope your weekend was as fun as mine!).

The Verdict on Apple Sign-In

I think Apple Sign-In is a good thing for the world. However, I do not think it’s not something many developers will be jumping at implementing. But they will have to, and we’ll be better for it.

First of all, while I acknowledge the ease of using third-party logins on the apps I use, the privacy implications of using them make me uneasy. I try not to use third-party whenever possible, and instead create individual accounts that I manage with 1Password. This is admittedly a bit more work, but not too tedious. Thus, I welcome Apple butting its way into the apps and providing a more privacy-focused alternative.

Of course, you could make the argument that the fact Apple “forcing” its developers to use these products is a cheap shot. This, I think, overlooks a bit of reality. Look, I see the aesthetic appeal of letting the “better product win in the free market”, where Apple converts developers by building a “better” login system. But it’s not that simple.

I am not huge a free-market dogmatist, but if you were to take the free-market idea to its extreme, you’d also concede that this is, after all, Apple’s walled garden and it has the right to enforce any rule it so damn wishes. Of course, market definition is a tough one, and given the increasing scrutiny of Apple using its dominant position in one market to hurt competition in others would make tamper this instinct a bit.

Moreover, I do think that Apple will have to work hard to get this right. There’s a common tripe in Silicon Valley that Apple doesn’t get social. Now, I don’t think authentication systems are particularly “social” things, but they are still not in Apple’s usual bailiwick. The reason why third party logins work is partly they absorb the complexity, and expose very little to the end user. This stuff isn’t that trivial to build, and nothing is ever easy at Apple’s scale. 

Other companies like Snapchat and Twitter also built similar systems before, but neither of them gained much traction, simply due to the vast popularity of Facebook and Google’s systems. Networks effects are hard to overcome. More ironically, Facebook itself touted an anonymous login option a few years back, but it was never rolled out.

It’s worth thinking whether Apple could make Apple login more attractive to developers by providing certain privileges to certain apps. There are definitely some levers here. Screwing with the App Store search results would be a bridge too far, but Apple could potentially feature apps it likes prominently on the App Store. But then, I think Apple would try to steer clear of explicit rewards to those apps over that don’t, especially to protect itself against regularity scrutiny but also to maintain the quality of the App Store.

A lot of this will also depend how constraining Apple’s guidelines will be for developers who use Sign in with Apple. For example, the company requires the Apple Sign In option be placed on top of other providers, and be very prominent. The Cupertino-based company could be notoriously picky but also capricious with such details.

In the end, I view the world of business through the lens of competition. It’s the fear of competitors that your consumers can flock to that aligns a company’s incentives with its users. For many years, social networks like Facebook and search engines like Google enjoyed a relatively relaxed marketplace where there wasn’t much to worry about in terms of rivalry. This came at huge costs to us all, including erosion of privacy. I am glad Apple is taking a stab at this. Whether this will work, that’s a different question. I am keeping my hopes up.


What I’m Reading

WWDC 2019: The Things You May Have Missed: The list of things Apple announced on stage and in developer sessions at WWDC this year was staggering. I’ve watched the keynote and perused some of the new documentation and definitely missed some stuff. This by Patrick Balestra is a good comprehensive list. Most them are on the technical side, but there are some interesting gems here that point to where Apple might be going next. A few definitely jumped at me. (Ordering mine)

  • IMDF (Indoor Mapping Data Format) is a new concept introduced by Apple that provides a generalized, yet comprehensive model for any indoor location, providing a basis for orientation, navigation and discovery. @ortwingentz
  • Apps are to request “Always” access to the device location but users will see an alert when an app tries to access the location from the background that prompts them to “Always Allow” or to “Change to Only While Using”. Users are also presented with a map clearly showing that the app was tracking the location. In this way, users are not forced to take a decision upfront when installing the app for example. quicklywilliam
  • App Store Connect will soon get a near real time sales view showing you the last 24 hours. @lesmond
  • App deletions statistics will also be available as part of App Analytics in App Store Connect. @ilyakuh

Why Bankers Can’t Stop Running (Subscription Required): I’ve only recently picked up running as a hobby. There are definitely days I dread going for a run. But never have I felt, after a run, that it was a bad idea. It messes with your head. This Financial Times columnist runs through (hah!) a bunch of high powered executives who make time for their runs, no matter how busy they are, and wonders why and how. I’ve went on a 5 mile run after reading this.

Mora also runs with colleagues and is one of the organisers of an annual event for Goldman’s summer interns and other runners at the bank. “For a junior out of college looking for a job, it’s another way for them to connect,” Mora says. “One day they’re sitting at a desk working with them, the next day at 5.30am they’re running the Brooklyn Bridge with a managing director, a partner, someone from the firm, running alongside them.”

Between 40 and 50 people join the run annually. Hu says he tries “to run with colleagues in every city” when he travels —something that I’ve done too, with varying levels of success. On a trip to Dublin, where Citigroup Europe is based, he went running with Ireland’s then junior finance minister Eoghan Murphy, who took him on the same stretch of beach where I once enjoyed my daily runs.