Many will tell you that two-factor authentication is more secure without using phone numbers, and Google is putting that wisdom into practice. The internet giant will make phone verification prompts the default for two-step sign-ins for “all eligible users” starting on July 7th unless they’re already using security keys. So long as you’re signed into Google on your phone, you’ll get a notification that asks you to prove it’s really you signing in elsewhere.

You’ll still have the option of different methods (such as SMS codes) if they’re available to you, but you’ll have to choose them.

Nintendo shut down NNID logins back in April after it discovered hackers had compromised some 160,000 accounts using legacy credentials. Now, the company says that figure was more like 300,000. In a Japanese language statement posted today, Nintendo says that in continuing the investigation, it found “approximately 140,000 additional NNIDs that may have been accessed maliciously.” It also clarified that the issue was not the result of a direct Nintendo breach, but rather customers using the same passwords in multiple places. Those compromised on other platforms were likely sold or harvested from the dark web.

By taking advantage of vulnerabilities surrounding legacy accounts, hackers were able access newer accounts, and subsequently the PayPal funds associated with it. While credit card information was not directly accessible, hackers were able to exploit their access to these PayPal accounts to make fraudulent purchases. Details such as nicknames, email addresses and dates of birth were also potentially viewed by third parties.

‘Sign in with Apple’ is potentially more private than other login options, but it apparently included a serious security flaw. Researcher Bhavuk Jain recently received a $100,000 bug bounty for discovering (via Hacker News) a flaw in the sign-in service when available through third-party apps. If an app didn’t have its own security measures, an attacker could forge a token linked to any email ID and verify it as ‘valid’ using Apple’s public key. That could allow a “full account takeover” even if you chose to hide your email from other services, Jain said.

Jain found the flaw in April, and it’s already fixed. Apple said there was no evidence of accounts being compromised as a result of the flaw.

Blix has previously accused Apple of unfairly suppressing Blue Mail. It claimed that Apple’s acknowledged problems with App Store rankings pushed Blue Mail down to 143rd in search results (it’s since back to 13th). It also disputed Apple’s statement that it removed Blue Mail from the Mac App Store for supposedly copying another program, TypeApp. The developer said that TypeApp had been voluntarily removed and that Apple was promoting market monopolization by limiting the number of competing apps.

It’s too soon to know who will prevail. If Blix succeeds, though, Apple faces both an injunction as well as damage claims. It wouldn’t necessarily have to modify Sign in with Apple, but it might have to compensate Blix to keep using the privacy-minded concept.

The iCloud website is handy when you want to check info from an unfamiliar device or just prefer to use a browser, but the need to enter your password could be enough of a pain that you might just pull out your phone instead. Soon, though, it could be relatively effortless. The company is testing a beta iCloud site that uses Face ID or Touch ID to sign you in. You’ll need a beta version of iOS 13, iPadOS or macOS Catalina, but after that it’s just a matter of using your face or finger to sign in with compatible Apple gear.

On the potential of Sign in with Apple

Ray Walsh, data privacy expert at ProPrivacy.com: “The concept of being able to sign in without using a real email address is a step in the right direction for consumers. Being able to sign in without sharing a real email address removes one crucial bit of data from those service’s hands. However, web services still get to collect other crucial data from users when they visit their sites — which can still be used to track them. When you visit a website, that service automatically receives your IP address; this is an extremely valuable tracking tool. Thus, Sign in with Apple is only removing one small piece of trackable data from the equation.”

Dana Simberkoff, chief risk, privacy and information security officer at AvePoint: “[Sign in with Apple] represents another opportunity for Apple to use its long-standing commitment to privacy to enter a new market and to take some market share from their competitors that have been less privacy forward-thinking. If it’s done right, not only [is it] a win for Apple but also a win for consumers that may be able to take advantage of a more privacy-centric sign-in option. Apple CEO Tim Cook has frequently spoken about the company’s position against the collection of personal data. In particular, Cook has singled out the assembly of profiles of consumers for the purpose of targeting advertisements — the heart of how Google and Facebook make money.”

Matthew Hudnall, PhD, associate director and assistant professor of management information systems at the University of Alabama: “‘Sign in with Apple is a much needed feature that fits in well with [Apple’s] evolving user-centric ecosystem. [It] represents the first shift away from the traditional keychain paradigm to one where hardware verified biometric identities coupled with dynamic credential generation, storage, and verification remove the need for traditional passwords. While Apple is certainly not the only game in town trying to kill off passwords, they are definitely doing so in the manner with which we have come to expect from Apple, all or nothing.”

Florian Schaub, assistant professor at the University of Michigan School of Information: “The ability to easily generate random email addresses and Apple handling the management of those credentials will make it much easier for consumers to protect their personal information when interacting with mobile apps and online services. It’s interesting to see Apple take on the well-established single sign-on offerings by Google, Facebook and others but with a focus on making it easier for people to protect their privacy. It will of course require you to trust Apple to stay true to their promise and not track or analyze with which services you have accounts and how often you log in to those.”

On whether Sign in with Apple is a viable, safer alternative to Facebook or Google’s sign-in options

Walsh: “Signing into a service automatically using Google or Facebook is seen as problematic because it allows a connection to be made between those services. This leads to data being shared across the platforms and can cause varying levels of corporate tracking to take place from Facebook/Google to the service in question and vice versa. Allowing Apple to sign you into a service simply connects the service to Apple rather than Google or Facebook. However, it is still allowing a connection to be made between two services that could lead to data being accessed and shared across those platforms. Thus, it really depends how much you trust Apple over Facebook or Google as to how much better having them sign you in really is.

My advice to consumers is for them to log in to all services directly each time; without connecting them to any third-party services. This will require an email address, but the consumer can simply use a burner email – or an alias provided by a secure email provider. This removes the privacy and security concerns associated with sharing their email address but also removes the bigger problem of giving cross-platform access to information across distinct platforms and services.”

Simberkoff: “The answer depends in part on the website and service for which you are registering. Arguably, a company like Apple may be better positioned to protect your identity and privacy than a number of smaller organizations and services that you might join and provide credentials to individually. Additionally, because consumers are often sloppy when it comes to creating accounts and passwords, they often use the same username and password in multiple locations. If this is the case, trusting that ‘identity’ to a smaller business may increase the likelihood of it being compromised in a breach or through a security issue.

By using a single sign-on with privacy protections, consumers may be better protected. With that being said, if Apple were to have a failure it would create a significant impact. However, at least we know that they are unlikely to monetize this personal information in the same way that Facebook and Google have historically done.”

Hudnall: “It is very viable, and due to Apple’s tight control over its entire ecosystem, it is very likely that this will be rapidly adopted. The ‘who has the fastest/best hot rod’ competition that currently exists between Apple/Google/Facebook/Microsoft is excellent for consumers as technology is evolving rapidly. It is great to see that privacy and security will now be one of those contested battlegrounds and this announcement will pour fuel on that fire.

There is no one technology or company that has significantly better enterprise stack, personnel, or resources. Apple does though have far greater control over its products and services than any of its competitors. Unlike Facebook who is solely reliant on host system hardware devices and Google who has limited input/control on the majority of devices running its software, Apple has complete control over the hardware and software verification processes. This certainly better positions Apple to implement a system that better ensures user privacy.”

Schaub: In terms of viability, I have little concern. Apple is using its Apple ID accounts for authentication with a large number of Apple services already so it’s now just making some of that functionality available for use with third parties. The big difference is that Apple is positioning Sign in with Apple as a privacy feature, whereas Facebook and Google present their single sign-on services as a convenience feature. Apple is and has been using privacy as a differentiating factor given that their business model centers around selling devices and now service subscriptions to its customers, as well as profiting from content provided through their platforms.

Facebook and Google’s business models, on the other hand, are largely based on being very good at targeting ads to people, which requires tracking people’s online and app behavior. Having their single sign-on buttons on more webpages gives Facebook and Google more data points about which apps and services you use and how often. At least so far, Apple doesn’t.”

The technology links unique encrypted login details to each website, reducing the risks of phishing, keystroke logging and other attacks that watch for your input. It’s also theoretically more private when those same unique site credentials prevent across-the-web tracking.

You don’t really have to wait for the software you use to support Web Authentication. It’s already supported on a system level in Android, Chrome OS and Windows 10 as well as most common browsers, including Chrome, Edge, Firefox and Safari. The greater challenge is convincing the sites themselves to use this method — there are many, many web pages, and not all of them will be in a rush to ditch passwords. An official standard could still boost adoption, though, if just by reassuring site operators that Web Authentication won’t vanish overnight.