by sturgill 2569 days ago
But this explicitly doesn’t work as an SSO. How can I tie that back to the actual email address they would have used to create an account using their FB / Google account?

This sounds like a tremendous headache that I really don’t want to worry about. But Apple is looking to leverage their power in the app market to force me to implement a tool I may not be interested in as a merchant?

I despise being strong armed. I hope the EU crushes this.

4 comments

It’s the users who are being given power here over their own data. Yeah it’s tough but it’s been a long time coming.
I trust apple w/ my data way more than the EU
A non-sequitur if I ever saw one.
It seems the email part is optional (i.e. you can choose to share your verified email with the company if you want).

The above scenario goes against what they are trying to achieve though

1) If you support SSO and email/password - then the email and password are still stored (and possibly not hashed and salted if the developer is incompetent) - so you are at risk of compromise if you reuse passwords
2) If you store the user's actual email, you are putting them at risk of credential stuffing, as well as opening them up to tracking

The EU can always surprise, but I suspect they would actually like this because it addresses key risks to consumers of password reuse, credential stuffing, and tracking. Additionally it competes against their ideological targets, Facebook and Google.

EU is not picking on FB and Google specifically. This mindset is toxic. They are picking on all monopolies for European customers and have been for a long time. Basically we believe the market is not healthy if there isn’t any competition.
This is a bit of a rose-tinted outlook. GDPR does not increase competition, the amount of regulation in the EU and the worker protections in place raise barriers for new competitors. France has laws that prohibit new movies from being put on Netflix in order to support local distributors etc.

Not saying what the EU does is good or bad, but painting it as pro free market competition seems unfounded.

GDPR isn’t about addressing monopolies. It’s about addressing privacy and data ownership.

Every tech related legislation doesn’t and shouldn’t need to solve every tech related problem. The EU has other, non GDPR related, mechanisms to handle monopoly issues.

My point is EU will adopt regulation that actively harms competition (such as GDPR), because they have different priorities (e.g. privacy, data ownership as you mentioned).

So to me it seems unfounded to say EU cares about market health and is not, in fact, just picking on FB and Google.

I am honestly curious what you think are examples of EU mechanisms fostering healthy markets. Maybe the MS case but that is the same “EU picks on US tech giant” genre.

Like breaking up the Samsung-Philips cartel?

I’m not sure what kind of examples you want.

Presumably it’s always the same address every time they sign in. It is used for single sign on after all!

However, I wish email and sms would go away as a way to authenticate. Until it does I will be using foo+aliashere@gmail.com so that my account can’t get transferred to someone else through socially engineering a tired rep.

But someone who has already signed up via FB is going to click that button and then get angry when we can’t log them into their account.

I personally don’t use FB login. And I use `+merchant` to keep track of bad actors. But from a merchant perspective this will likely be a chore. And Apple has decided that we don’t get to decide if it’s worth it. We can’t disable FB login because we’ve supported it for a long time and a ton of accounts only have a FB-synced profile.

To be clear, it’s not the product I have issue with. It’s the draconian ultimatum that because we are in bed with FB we have to also get in bed with Apple Sign In.

They could have just built this into their form system. It already recommends my personal email / credit card / auto generated password. Why not prepopulate / suggest an Apple-generated email? Why force the merchant to implement another standard which breaks all other SSO integrations _by design_?

I don’t have answers to those questions. If this was a consumer feature embedded into their keyboard I’d be ecstatic. Strong arming merchants to implement and bear the full cost of confused consumers who can’t seem to login to their app _even when they click the Apple button_ is inexplicable (to me).

"+merchant" doesn't do squat to prevent bad actors from selling your email address. Anyone so inclined to sell your address would just strip off the postfix since they know it's unnecessary per the spec.
One of the many advantages of using a hosted solution with your own domain is that you can receive email from arbitrary addresses in the same inbox. For example merchant1@inboxname.mydomain.com gets sent to my inbox at Fastmail. inboxname@mydomain.com doesn't exist, so there's no way to get my "real" email address from what I give out to merchants. If I start getting spam on an address, whoops, you and everyone you sold my email to get sent to a black hole in the cloud.
This is called subdomain addressing or subdomain stripping in case anyone wants to look up how to do this with your hosting provider.
Per what spec? Having “a+b” deliver to address “a” is Gmail specific, as far as I know.
It’s called subaddress extension: https://tools.ietf.org/html/rfc5233

Can confirm what parent poster is saying, we remove them on signup.

I wonder whether that's GDPR compliant. If I give you permission to contact me on me+alias@example.com and you strip off +alias and then contact me on me@example.com, you've inferred data about me I haven't explicitly given you. One could argue that's in a similar ballpark to running a geoIP lookup and then sending me mail through the post.
> we remove them on signup.

But why?

RFC 5233: Sieve Email Filtering: Subaddress Extension

https://tools.ietf.org/html/rfc5233

Not Gmail-specific. Labels however are ;)

Thanks! I did not know it was a standard!
Gmail ignores (or ignored?) dots on the left of the @, so some.person@gmail.com and someperson@gmail.com and s.om.e.person@gmail.com all went to the same inbox. That is gmail-specific.
If you email me without the +merchant postfix I gave you, your email will go into the trash without me even knowing you sent it.
Apple's auth does allow you to use the canonical email address associated with your Apple ID rather than a one-off generated by Apple.
You can’t, that’s the idea. What do you need it for?
Because thousands of people already have an account tied to a specific email and are going to click the Apple button and get really mad when we can’t log them in.
So then you ask them for their email address and password once and link the accounts together?
And Apple Sign In helps this user, how?...
Apparently they want to use it, otherwise they wouldn’t, right? This way they can have the easy login using Face ID and you can use the account they already have.
Sending invoices, GDPR exports, validating that a user contacting you is a certain account, etc.
You send information to the Apple address, that's what it's for. You can still send it invoices or a magic link, the user gets it and clicks on it, nothing is changed in that regard. The difference is they can turn off that email address and never hear from you again if that is what they want.
Stuff sent to the fake email address will be forwarded to the user’s real email address, from what I understand. So you will still be able to communicate with them.
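
The linking step suggested in the thread (ask for the existing email and password once, then tie the accounts together), as an added example that is not part of the original discussion. It assumes the identity provider returns a stable per-user subject identifier (the OIDC `sub` claim) in an ID token the merchant has already verified; `AccountStore`, the provider names and the subject values are hypothetical.

```python
import hashlib
import hmac
import os


class AccountStore:
    """Hypothetical in-memory stand-in for a merchant's user database."""

    def __init__(self):
        self.accounts = {}    # account_id -> {"salt", "pw_hash"}
        self.by_email = {}    # lower-cased signup email -> account_id
        self.identities = {}  # (provider, subject) -> account_id

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def register(self, email, password):
        salt = os.urandom(16)
        account_id = len(self.accounts) + 1
        self.accounts[account_id] = {"salt": salt, "pw_hash": self._hash(password, salt)}
        self.by_email[email.lower()] = account_id
        return account_id

    def check_password(self, email, password):
        account_id = self.by_email.get(email.lower())
        if account_id is None:
            return None
        acct = self.accounts[account_id]
        ok = hmac.compare_digest(acct["pw_hash"], self._hash(password, acct["salt"]))
        return account_id if ok else None

    def federated_sign_in(self, provider, subject):
        # `subject` must come from an ID token whose signature was already verified.
        # Lookup ignores the provider-supplied email, which may be a relay address.
        return self.identities.get((provider, subject))

    def link(self, provider, subject, email, password):
        """One-time step: prove ownership of the existing account, then bind it."""
        account_id = self.check_password(email, password)
        if account_id is None:
            return None
        bound = self.identities.setdefault((provider, subject), account_id)
        return account_id if bound == account_id else None  # never rebind silently
```

A `None` from `federated_sign_in` is the cue to show the one-time linking form instead of creating a second account.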