It’s time to play Pick a Door to Your Apps—a game show that, admittedly, not many people would watch.
Behind Door No. 1: That familiar username box and a never-ending hamster wheel of reused passwords and reset emails. Door No. 2: A quick login accompanied by a lifetime supply of intrusive ads. Door No. 3? A more private way in. Just be warned—for now, Door No. 3 is hard to find.
I’m talking, of course, about the sign-in screen on all your favorite apps. You can either log in with username and password, or choose a gateway manned by Facebook, Google or—soon, in some cases—Apple. In an attempt to unseat its ad-powered competitors, Apple is offering a privacy-focused app sign-in service with the arrival on Thursday of iOS 13.
What you might not have realized about those other highly convenient sign-in buttons is that your personal information can be shared behind the scenes and used to track you. Heck, there was a time when I didn’t know that myself. When I first signed up for Spotify using Facebook, I unknowingly opted to share my email address, my friends list and my birthday. That’s a lot of info, just to listen to my Acoustic Covers playlist.
Apple, on the other hand, has engineered its button so you share less with app makers. You can even create a disposable email address.
After testing out Apple’s new feature in some early supported apps, I can tell you it’s the best option—if any of the apps you use actually add it. Apple is coming from far behind, and facing some pushback from app makers that rely on those incumbents not just for marketing, but for security.
Until more companies adopt this, Apple’s greatest contribution here is to make us question why companies provide these “single sign-on” services, and what we get in return.
(Dow Jones & Co., publisher of The Wall Street Journal, has a commercial agreement to supply news through Apple services.)
How do they work, anyway?
When choosing a door into an app, you either take responsibility for your own username and password, or trust one of the big-tech companies to handle the authenticating for you. If you choose the latter, you just log in with your Facebook/Google/Apple credentials and they confirm you are who you say you are—often using two-factor authentication, where you scan your fingerprint or face, or enter a secret code sent via text or app. Then they give the app a thumbs-up, without sharing your password. (See the video for a more colorful explanation—which also involves doors.)
Why is this better than a new username and password?
If you use strong, unique passwords and store them in a password manager, as I’ve long suggested, you might be fine creating a fresh account for every app and service. Even then, security experts make a case for logging in via a big tech company.
For one thing, they have larger divisions dedicated to security. They can troubleshoot issues that smaller companies might not be able to tackle. Also, smaller companies can’t always implement two-factor authentication, a baseline requirement these days.
So what’s the problem?
Even the simplest personal information, like an email address, can be used to track you from app to app or website to website. At a minimum, Google shares your profile photo, name and email address with the app makers using its single sign-on options. Facebook requires you to share your profile photo and full name.
Apps that use Facebook often ask for even more. Take Tinder. Log in and it asks for access to your Facebook friends list, birthday, photos, page likes and email address. There’s a panel to adjust the sharing options, but all of the permissions are turned on by default.
What’s in it for Google and Facebook?
Mark Risher, senior director of product management for Google Account, says the company provides this service to help secure the Internet. (It certainly also makes it easier for Google to provide its other services, from Gmail to search.) Mr. Risher says the company doesn’t use this collected information to target ads.
But Facebook does. Facebook Login “allows businesses to create custom audiences of people who have visited their properties. That way a business can show ads to people on Facebook who have visited their sites and apps,” a Facebook spokesman said.
Even if you don’t mind Facebook profiting off of your internet behavior, the company has a history of misusing data and leaking it to outsiders, in the case of Cambridge Analytica and in many others. (The company updated its data policies last year in response.) And then there are the breaches: In 2018, a Facebook data breach was tied to its single sign-on tool.
How does Apple’s option work?
Like Google, Apple shares your name and email address with the app, but it gives you an option to hide your email or change your name: It will share an anonymized email address and then forward any email from the app maker to your real address. The Bird bike and scooter app thinks my email is email@example.com … and my name is Scooby Doo.
Developers can implement the Sign in with Apple button on Mac apps and on websites as well.
What’s in it for Apple?
While Apple has taken on the superhero role of big tech’s privacy protector, this is less altruism, more shrewd marketing: The more you trust Apple, the more you keep buying its devices and using its apps—many of which now charge monthly subscriptions.
Which apps are offering this?
The number of popular apps using this new Apple tool so far is small. I tested the feature in Bird and the family photo journal app Lifecake. Kayak, Nike, Instacart and LoseIt are also among the apps Apple confirmed to be implementing Sign in with Apple this fall.
When I contacted other top iOS app makers—those which use Facebook and/or Google sign-in buttons—some including Postmates, Pinterest and Venmo said they had no plans yet to add the feature. Others, including TikTok, Evernote and Todoist, said it was on the road map. Spotify declined to comment.
Apple’s newest developer guidelines require any apps that offer a social sign-in to also implement Sign in with Apple. As of last week, new apps submitted must offer the button. Existing apps and app updates must follow by April 2020.
What are the downsides of Apple’s option?
In cases like Tinder’s, the anonymity benefit to one user can be a problem for other users. “Verifying a user’s identity using their login credentials helps us prevent those who have been removed for their conduct from accessing our service,” a Tinder spokesman said, adding that the company looks forward to hearing more from Apple on this.
And finally, even when your favorite app does adopt it, you might have to create a new account to use it.
So what should I do?
I wish more app makers would run—not walk—to implement Apple’s option as an alternative to Facebook and Google. For now, just be on the lookout for it. If you don’t see it, I recommend Google as the quickest, safest alternative. Just do yourself a favor, and choose your doors wisely.
Write to Joanna Stern at firstname.lastname@example.org