Apple’s new sign in feature, which allows people to use an Apple ID to sign into websites and apps, has critical privacy and security gaps that must be fixed, according to an industry group.
The OpenID Foundation, a nonprofit with members including Google, PayPal, and Microsoft, runs OpenID Connect, an industry standard for authenticating a person’s identity across multiple websites, without requiring them to use different passwords.
Sign in with Apple has some similarities with Open ID Connect, according to the group, but it’s not entirely in line with the industry standard. That’s a problem that could expose people to “greater security and privacy risks,” according to a letter the OpenID Foundation sent to Craig Federighi, Apple’s senior vice president of engineering.
“The current set of differences between OpenID Connect and Sign in with Apple reduces the places where users can use Sign in with Apple, and exposes them to greater security and privacy risks,” Nat Sakimura, chairman of the OpenID Foundation, wrote in the letter.
Sakimura says the single sign-in feature, which has yet to be rolled out, also puts an “unnecessary burden” on developers, who must work with the OpenID Connect standard and navigate the differences in Apple’s sign in feature.
The OpenID Foundation asks that Apple join the group, and to become compliant with the industry protocol. A document tracking differences between those protocols and Apple’s product details a list of necessary coding changes to “address the gaps.”
Francis Gaffney, director of threat intelligence at cybersecurity company Mimecast, says OpenID raises valid concerns about potential security risks.
“Given the increased scrutiny by threat actors on potential vulnerabilities, it would only be a matter of time before one of these ‘differences’ is discovered and exploited,” Gaffney says.
Apple did not immediately respond to a request for comment. The company is touting Sign in with Apple as a way for privacy-minded people to log into their favorite websites. Apple says it won’t share unnecessary data with app developers.
Sign in with Apple hasn’t been publicly released, however anyone with an iPhone should expect to see it as an option in their favorite apps, since Apple requires developers who offer other single sign on options, such as through a Facebook or Google account, to also promote Apple’s sign-in as an option.
More must-read stories from Fortune:
—Slack went public without an IPO. Here’s how a direct offering works
—4 reasons to be skeptical about Facebook’s Libra cryptocurrency
—Bank of America CEO: “We want a cashless society”
—Fintech startup Tally has raised $50 million to automate people’s finances
—Listen to our new audio briefing, Fortune 500 Daily
Follow Fortune on Flipboard to stay up-to-date on the latest news and analysis.
