Apple Begins Reminding Two-Factor Authentication Users About App-Specific Passwords

[MacRumors]

Apple has begun emailing iCloud users who have enabled two-factor authentication on their Apple IDs, reminding them that application specific passwords will be required when trying to access iCloud data on third party apps starting tomorrow.

In addition to the email reminders, Apple last week published a new support document educating users on how to use app-specific passwords. While the feature was originally intended to require the feature on October 1, it's unclear why two-factor authentication users are being reminded of it a week later.

App-specific passwords are a new feature Apple introduced in mid-September, following the launch of two-factor authentication for accessing iCloud.com. The changes arrived after a hacking incident that saw the iCloud accounts of several celebrities compromised due to weak passwords.

CEO Tim Cook has promised to improve iCloud security by increasing awareness around Apple's security features like two-factor authentication as well as a sending out email notifications whenever a device is restored, an account is accessed or a password change is attempted.

Article Link: Apple Begins Reminding Two-Factor Authentication Users About App-Specific Passwords

 

[AlecZ]

A ridiculous bandaid fix for their apparently weak password reset system. Three security questions, and anyone gets in without a verification email. So you have to bother with this annoying double authentication system to avoid that... or provide bogus security answers. I might as well just make my security answers random codes themselves rather than dealing with this. My first pet was Aahs8y238899_!!3.

I remember Gmail randomly rejecting authentication from third-party mail clients after they messed with their authentication system like this. I was too lazy- er, I mean optimized to try and fix it and switched to iCloud email as my "anonymous/internet" account instead.

 

[droppingbasses]

Had to Quickly Remind Myself...

When I read that email, I immediately though "Dammit that sounds so inconvenient" but I took a few steps back and realized how helpful that will be. I appreciate Apple's multiple levels of security

 

[zorinlynx]

Which apps will this affect? I've never been asked for my Apple ID by an app. Calendar apps, for example, simply ask for access to my calendar. Apps like Cyclemeter that store stuff in the cloud just do so, without asking for passwords.

Can someone name an app that asks for an Apple ID + password? And whyfor when they can just ask for the appropriate permissions?

 

[nikicampos]

A ridiculous bandaid fix for their apparently weak password reset system. Three security questions, and anyone gets in without a verification email. So you have to bother with this annoying double authentication system. I might as well just make my security answers random codes themselves rather than dealing with this.

I remember Gmail somehow not working properly with third-party mail clients after they messed with their authentication system like this. I was too lazy to negotiate with it and switched to iCloud email as my "anonymous/internet" account.

People complain about eeeeverything!!!!!

 

[AlecZ]

People complain about eeeeverything!!!!!

Yeah, I should. On computers, everything has to work (1 - 10^(-9000))*100% of the time. Leave the possibility for error to SHA-256 collisions and cosmic radiation flipping bits, not stupidly designed systems and human error.

 

[saxman]

Which apps will this affect? I've never been asked for my Apple ID by an app. Calendar apps, for example, simply ask for access to my calendar. Apps like Cyclemeter that store stuff in the cloud just do so, without asking for passwords.

Can someone name an app that asks for an Apple ID + password? And whyfor when they can just ask for the appropriate permissions?

Likely any third-party app that accesses your iCloud email and/or calendar. Outlook is a good example as you can grant access for both. Apple apps shouldn't need this.

 

[ThunderSkunk]

Trying to figure out why I don't worry about lockscreens or passwords or 2 step authentication or app-specific pswds and all that...

I think it's a pretty well-founded lack of faith in corporations or governments in matters of respecting personal privacy, that I don't take nudes or hardcore action pics & vids of myself doing career-ruining things and keep them handy on my phone.

On top of that, I don't put any factual personal information on these devices whatsoever. Everything I have digitally refers to a nickname, a made-up business name, an outdated work address, a phone number typo'd by a digit, etc.

Even if I were an 18 year old actress, if someone guessed my password, they'd be very bored and confused.

 

[Apple_Robert]

A ridiculous bandaid fix for their apparently weak password reset system. Three security questions, and anyone gets in without a verification email. So you have to bother with this annoying double authentication system to avoid that... or provide bogus security answers. I might as well just make my security answers random codes themselves rather than dealing with this.

I remember Gmail randomly rejecting authentication from third-party mail clients after they messed with their authentication system like this. I was too lazy- er, I mean optimized to try and fix it and switched to iCloud email as my "anonymous/internet" account instead.

I do think you should make your security answers just as hard, if not harder than your Apple ID password.

Unfortunately, no matter what Apple does to try and help wake up users, there will be some who continue on blindly as always. There comes a time when people need to be responsible for their own actions, or lack thereof.

 

[nikicampos]

Yeah, I should. On computers, everything has to work (1 - 10^(-9000))*100% of the time.

Oh kid, welcome to life, if there's something that doesn't work at 100% all the time are computers, you are going to have a bad life thinking computers should work (1 - 10^(-9000))*100% of the time.

Welcome to the real world, you can complain all you want, but technology has it flaws..

 

[Robert.Walter]

I wish Apple would make use of their patent (as I understood it) leveraging iCloud to generate single-use email addresses to be used as the user-name part of a u/n + p/w authentication pair.

If a user was able to generate a unique email address and password for every site, a site breach would not result in the loss of a user's email address.

Furthermore, if Apple compared every incoming email relating to an iCK-generated single-use email address against the site for which that email address was related, any mis-match could throw a warning flag to the user.

This would essentially eliminate spear-fishing and allow the customer to know which site had been breached (even if the site never disclosed it) so the customer could (inquire) and create a new unique email address for that site.

 

[scaredpoet]

A ridiculous bandaid fix for their apparently weak password reset system. Three security questions, and anyone gets in without a verification email. So you have to bother with this annoying double authentication system to avoid that... or provide bogus security answers. I might as well just make my security answers random codes themselves rather than dealing with this. My first pet was Aahs8y238899_!!3.

So in place of two-factor authentication, what would you propose to better secure your account information?

I think we have years of break ins and empirical evidence to show that passwords alone are inadequate security measure.

I remember Gmail randomly rejecting authentication from third-party mail clients after they messed with their authentication system like this. I was too lazy- er, I mean optimized to try and fix it and switched to iCloud email as my "anonymous/internet" account instead.

Too funny, considering that once you tie an iCloud account to any device, it ceases to be anonymous.

 

[fortysomegeek]

A ridiculous bandaid fix for their apparently weak password reset system. Three security questions, and anyone gets in without a verification email. So you have to bother with this annoying double authentication system to avoid that... or provide bogus security answers. I might as well just make my security answers random codes themselves rather than dealing with this. My first pet was Aahs8y238899_!!3.

I remember Gmail randomly rejecting authentication from third-party mail clients after they messed with their authentication system like this. I was too lazy- er, I mean optimized to try and fix it and switched to iCloud email as my "anonymous/internet" account instead.

This is basically how gmail works because 3rd party apps have no cookie mechanism & challenge follow-up. You need app specific passwords.

Apple's implementation is exactly like Google except you have more trusted device than SMS.

 

[bozzykid]

I do think you should make your security answers just as hard, if not harder than your Apple ID password.

Unfortunately, no matter what Apple does to try and help wake up users, there will be some who continue on blindly as always. There comes a time when people need to be responsible for their own actions, or lack thereof.

So you are saying it is the fault of the people's who's account were comprised because they chose to use regular security questions? The issue is Apple only requires answering a few questions to reset the password without any actual verification of the user (unlike Google and Yahoo). You can't expect millions and millions of users to not follow Apple's own directions and make up ridiculous questions and answers. While I am glad they are fixing 2 factor authentication for non-Apple logins, they really haven't fixed anything as I doubt many people are using 2-factor.

 

[APlotdevice]

Fortunately I already have everything set up properly.

(This has however had the effect of reminding me of the existence of Mozilla Thunderbird. I haven't heard that name in years...)

 

[goobot]

I wish Apple would make use of their patent (as I understood it) leveraging iCloud to generate single-use email addresses to be used as the user-name part of a u/n + p/w authentication pair.

If a user was able to generate a unique email address and password for every site, a site breach would not result in the loss of a user's email address.

Furthermore, if Apple compared every incoming email relating to an iCK-generated single-use email address against the site for which that email address was related, any mis-match could throw a warning flag to the user.

This would essentially eliminate spear-fishing and allow the customer to know which site had been breached (even if the site never disclosed it) so the customer could (inquire) and create a new unique email address for that site.

That sounds cool, like an alias for your email that is specific to each site and iCloud would remember which alias belonged to each site.

 

[fortysomegeek]

So you are saying it is the fault of the people's who's account were comprised because they chose to use regular security questions? The issue is Apple only requires answering a few questions to reset the password without any actual verification of the user (unlike Google and Yahoo). You can't expect millions and millions of users to not follow Apple's own directions and make up ridiculous questions and answers. While I am glad they are fixing 2 factor authentication for non-Apple logins, they really haven't fixed anything as I doubt many people are using 2-factor.

Gmail (without 2-factor) can be unlocked just by answering multiple series of questions. They do have the option of a recovery email address/text message but you can always do the click I no longer have access to these

Source:https://support.google.com/mail/answer/185710?hl=en

If you're unable to use any of your existing account recovery options on the password assistance page, click I no longer have access to these and you’ll be given a series of questions to verify that you own the account.

The questions we ask to verify your identity are intentionally difficult. Answer as many questions as possible, and make sure your answers are accurate. If you’re unsure about an answer, provide your best guess. It also helps to submit your answers from a computer you've used in the past.

I've done this on countless of throw-away gmail accounts where I don't have a phone or recovery email.
In short, those accounts could be easily phished if they knew where I had my honeymoon, street I lived on, and my favorite author.

 

[fortysomegeek]

I have enabled on both iCloud and in Gmail/Google Service.

Here is my take.
They're both essentially the same method.

You create app specific passwords and the system generates a random password like this:
kgoi-ytbe-fdgb-poyc

So instead of using your icloud email password for Thunderbird or regular gmail password,you use that random password.

I do this because I run Linux and use Thunderbird to access both gmail/icloud on Linux. I do this on Windows outlook for the same reason. That password would only be used for mail or calendaring. So you won't use that for iTunes purchases or log into your iCloud account.

The reason why you have this is because with 2-factor, there is a follow-up pin and you can't enter in a follow-up pin in 3rd party apps.
I just set up my HTC to connect to iCloud.

There are some differences:

Apple has a limit of 25 devices/app passwords. I can't see any for Google.

Google use a pre-set pull down for the description whereas Apple allows you to type in the description.
E.G. "IMAP password for WinTablet" or "CalDav on Linux Desktop" whereas Google has a list of OS/phones/apps.

Both can revoke.

Lastly, I like Apple's ability to use a non-phone as a trusted device. You can have multiple. I use my iPhone and iPad.
I have my iPad get the code and it works great. I also like Apple's device section where you can revoke devices. I had a few iPod and old iPhones on my list didn't know!
But you have to explicitly tell Apple which device you want trusted. It isn't going to send random codes to an iPhone you sold on Craigslist.

Google uses SMS text messages. This could possibly be intercepted. Who knows. If you have a SMS proxy account, that is one vector of attack.
One more thing...
When Apple sends the temp pin, you have to unlock your phone to see it. It is hidden in the notification view.

On my Android phone, the notification temp-pin from Gmail is a SMS text message and I don't need to be unlocked to see it. It pops up as a text message with the code right there for anyone to see. This is on a locked password protected pin.

That is definitely something Apple got right.

 

[terryzx]

I found out from it not loading and telling me my password was wrong in my Mac App Store FANTASTICAL. Easy to fix though but you can only have about 25 keys set up and since I have that on 4 computers, it uses 4 of the 25. Not sure if I will need many others but they might want to revise that key limit higher a bit.

 

[fortysomegeek]

I found out from it not loading and telling me my password was wrong in my Mac App Store FANTASTICAL. Easy to fix though but you can only have about 25 keys set up and since I have that on 4 computers, it uses 4 of the 25. Not sure if I will need many others but they might want to revise that key limit higher a bit.

You don't have to use all of your 25 limit. I just found out.
I created one called "IMAP" and used that SINGLE password for both my Windows tablet and Android Phone.
This is so they can connect for mail.
Both used the same auto-generated app-password and I plugged them in and it works. Just like Google's method.

If it compromised, I just revoked that one called "IMAP" and I'd just have to reset my non-macs email clients.

 

[Ms6boost]

Yeah, I should. On computers, everything has to work (1 - 10^(-9000))*100% of the time. Leave the possibility for error to SHA-256 collisions and cosmic radiation flipping bits, not stupidly designed systems and human error.

 

[H2SO4]

…………... I might as well just make my security answers random codes themselves rather than dealing with this. My first pet was Aahs8y238899_!!3.

Strangely enough this is exactly the kind of thing I do.

 

[bushido]

i dont get it???

so i have to remember a different password for each app?

my family doesnt even understand security questions. "how does it know my favorite book?" they will never understand this lol

 

[H2SO4]

Gmail (without 2-factor) can be unlocked just by answering multiple series of questions. They do have the option of a recovery email address/text message but you can always do the click I no longer have access to these

Source:https://support.google.com/mail/answer/185710?hl=en



I've done this on countless of throw-away gmail accounts where I don't have a phone or recovery email.
In short, those accounts could be easily phished if they knew where I had my honeymoon, street I lived on, and my favorite author.

It doesn’t matter what questions they ask you. It matters what answers you give. If they ask where I had my honeymoon I could say OnCloud9 for example.

 

[AlecZ]

So in place of two-factor authentication, what would you propose to better secure your account information?

I think we have years of break ins and empirical evidence to show that passwords alone are inadequate security measure.



Too funny, considering that once you tie an iCloud account to any device, it ceases to be anonymous.

I've heard that the break-ins to iCloud were done through exploitation of the password reset system. In any case, one password is secure as long as it's a good password. That's how your Mac's login works. I propose that, like the Mac login system (or BSD or Linux), there be no dumb password reset system with security answers (aka passwords) that are all real info people can guess or obtain. This two-step authentication thing is meant for people who use weak passwords or companies who use weak password reset systems.

By "anonymous", I meant that the email address doesn't have my name in it. I know Apple could maybe trace that to my real name, but I'm only concerned with random sites and people I give the address to.