Apple to Require App-Specific Passwords For Third-Party Apps Accessing iCloud

[MacRumors]

Apple is now offering app-specific passwords for third-party apps that access iCloud, allowing users to generate unique one-time use passwords to sign into iCloud securely. In a support document, Apple describes app-specific passwords as a feature of two-step verification and states that app-specific passwords will be required to sign into iCloud when using a third-party app beginning on October 1, 2014.

If you use iCloud with any third party apps, such as Microsoft Outlook, Mozilla Thunderbird, or BusyCal, you can generate app-specific passwords that allow you to sign in securely, even if the app you're using doesn't support two-step verification. Using an app-specific password also ensures that your primary Apple ID password isn't collected or stored by any third party apps you might use.

App-specific passwords, which have long been used by other sites like Google, are a function of two-step verification. Typically, two-step verification requires a user to enter a verification code, but oftentimes, the codes will not work properly in third-party apps, so app-specific passwords are substituted instead.

As outlined in the support document, app-specific passwords can be generated by accessing My Apple ID, where the option to generate an app-specific password is listed under Password and Security. According to Apple, users can have up to 25 active app-specific passwords at a time, which are listed in the Password and Security section of My Apple ID.

Generating an app-specific password is limited to accounts with two-factor authentication turned on, and for security reasons, Apple sends an email whenever an app-specific password is generated. App-specific passwords will be revoked whenever a user's primary Apple ID password is changed, requiring new app-specific passwords to be generated.

Apple's new app-specific passwords follow the launch of two-factor verification for accessing iCloud.com and come after a hacking incident that saw the iCloud accounts of several celebrities compromised due to weak passwords.

Apple CEO Tim Cook has promised to improve iCloud security by increasing awareness about two-factor verification, as well as sending out security emails whenever a device is restored, iCloud is accessed, or a password change is attempted.

Article Link: Apple to Require App-Specific Passwords For Third-Party Apps Accessing iCloud

 

[Michaelgtrusa]

How will this help with the NSA/MI6 looking?

 

[webbuzz]

I like this.

 

[Apple_Robert]

How will this help with the NSA/MI6 looking?

It won't.

I am also curious as to why the number of apps is limited to 25.

 

[Bahroo]

Apple locking down on security hard I love this, this is awesome

 

[Dreday24]

so they have almost caught up to google.

 

[topmounter]

Drowssap1 thru Drowssap25

 

[jreed91]

It feels like apple had all of these securities measures built but just never released for various reasons.

 

[sniffies]

About f time!

 

[MikhailT]

It feels like apple had all of these securities measures built but just never released for various reasons.

Scaling to millions of users is a very tough task, regardless of how much money the company has. Scaling is what Google excels at, which is why they had almost all of this in place when they had 2FA on and their authenticator app.

Apple's great at creating the demand but they suck at supplying it (scaling).

 

[TsMkLg068426]

The Fappening 2015 still going to happen even if it is more secure.

 

[CrazyForApple]

This is a really good idea!!

 

[macMD]

Scaling to millions of users is a very tough task, regardless of how much money the company has. Scaling is what Google excels at, which is why they had almost all of this in place when they had 2FA on and their authenticator app.

Apple's great at creating the demand but they suck at supplying it (scaling).

Are you kidding on that? Apple has the cash hoards to buy companies, staff and figure out how to scale. There is no excuse for their utter lack of real security, celebs or not. Google has done it better for longer because they actually know what they are doing.

 

[mistasopz]

This is a really good idea!!

... That Google users have been using for about 7 years now.

 

[jarofclay73]

Thanks Kirsten Dunst!

 

[rdlink]

Scaling to millions of users is a very tough task, regardless of how much money the company has. Scaling is what Google excels at, which is why they had almost all of this in place when they had 2FA on and their authenticator app.

Apple's great at creating the demand but they suck at supplying it (scaling).

Or here's another reason: Apple wants to make sure their users' experience is predictable and as simple as possible.

App specific passwords, and setting up 2FA in Google is a kludgy mess, and has run inconsistently at times, to the point that many people I have recommended do it end up going back to simple password authentication out of pure frustration. Their experience has been similar to mine (and I know what I'm doing). But I recognize the risk involved with using gmail without 2FA, so I have put up with it.

 

[solamar]

It won't.

I am also curious as to why the number of apps is limited to 25.

It won't.. You can use an App specific password with multiple Apps.. like one for financing apps, one for health apps, etc.

 

[webbuzz]

Apple is also forcing everyone to change your Apple ID passwords. I just checked 3 of my accounts, each one required a password change.

All 3 passwords were 20 characters generated by LastPass.

eta: Just tried two other accounts and it didn't force a change. Strange, the other three account passwords were changed last week.

 

[rdlink]

... That Google users have been using for about 7 years now.

And by 7 years you mean 3, correct?

http://googleblog.blogspot.com/2011/02/advanced-sign-in-security-for-your.html

Way to build credibility. Oh, and by the way, if you ask 10 gmail users on the street today whether they use 2FA on their gmail account I would be willing to bet at least 7 of them say, "What's that?"

 

[Primejimbo]

... That Google users have been using for about 7 years now.

Your point? I be people didn't use it back then also

Thanks Kirsten Dunst!

I think this was coming out soon seeing it was tested a few months ago

----------

And by 7 years you mean 3, correct?

http://googleblog.blogspot.com/2011/02/advanced-sign-in-security-for-your.html

Way to build credibility. Oh, and by the way, if you ask 10 gmail users on the street today whether they use 2FA on their gmail account I would be willing to bet at least 7 of them say, "What's that?"

Very true, so many people have no clue what it is.

 

[outphase]

The Fappening 2015 still going to happen even if it is more secure.

That's because people will still use "hunter2" as their password but not 2FA.

 

[Parasprite]

I haven't heard or thought about using passwords like this before, but finally!

 

[Apple_Robert]

It won't.. You can use an App specific password with multiple Apps.. like one for financing apps, one for health apps, etc.

Unless I misread, the article states that 25 will be the limit as to the number of apps using the app specific password.

 

[BigBeast]

so they have almost caught up to google.

Was there a point to your statement?

 

[Sonmi451]

Yeah I just got that email too.