As an older, semi non-techy, I am encountering my first confusion in setting this up. I went into my appleid settings and found where I could create an app generated request for a password. I entered my userid and then my own chosen password (unique for this), hit enter and it responded "here is your password" giving me one it created for me. Now, that's fine, it's just that Apple has never chosen my password for me when I am setting things up. Soooo, is their "created for me" going to work come the day I need it or will I be locked out of the app? I did record both my chosen one and "theirs" but...

ETA: came back to say now Apple has sent me an email acknowledging that I have set this up and included the password that I entered vs the one that popped back to me (theirs) during setup. So now even more confusing. First place, I don't remember Apple sending me back an acknowledgement email showing a password I have selected for something!

I'm not sure I understand, did an application explicitly request you to create an app specific password or you created it "just in case"? There's no need to create an app-specific password just in case, that is something you need to do only when an app explicitly requests you to do so.

Two-factor authentication is a different thing. Two factor authentication allows you to access your devices using a phone number and/or another apple device as a verification, while blocking anyone else who only has your password (e.g. a remote hacker).
 
Awful change, makes my computing life more difficult. I think I'll be sure to avoid iCloud as much as possible. I don't want to be forced to use 2 factor. I had turned that on a couple of months ago, and it was just a nightmare trying to use. I don't know why but with multiple iOS and OS X devices, it just didn't work as I had hoped.

You're quite correct about it being a hassle, it can't be used if you're a developer and use the connect app, by Apple when you have two step turned on the app goes into restricted mode, yes restricted it is Apple's app for iOS devs and can't be used in two step and when using multiple iOS and Mac devices nothing but type in this code every single time non-stop, no dev uses two steps as it is totally useless and just makes using any iOS device impossible
 
This is already available and has been since iOS 8! The uptake from developers is so low. I have one App (ASOS) that actually uses the API to access the Safari keychain's credentials.

I have contacted lots of the developers of the apps I use to add this as a feature request but it just doesn't seem to have priority, despite it seeming easy to implement.

References:

https://9to5mac.com/2014/06/13/ios-...ri-autofill-credentials-for-quick-easy-login/

https://developer.apple.com/reference/security/shared_web_credentials


Yes, TouchID is available (though keychain access is not for apps, only Safari). My point is that it is only optional, not mandated. That IS the problem. Apple should require this functionality to be included in all iOS apps that require a password if Apple really wants to be true to its word that it is serious about user security. If it's not in the app it doesn't get approval. End of story. I think nearly all my bank, credit card, and investment account apps allow for TouchID. So if it's good with them it should be good for all.
 
You're quite correct about it being a hassle, it can't be used if you're a developer and use the connect app, by Apple when you have two step turned on the app goes into restricted mode, yes restricted it is Apple's app for iOS devs and can't be used in two step and when using multiple iOS and Mac devices nothing but type in this code every single time non-stop, no dev uses two steps as it is totally useless and just makes using any iOS device impossible

I have two factor authentication turned on (note: two-factor, not two-step, two step was the old system and is now deprecated) and have no problems with iTunes Connect, neither on my device nor on some testing devices.
 
Enpass is free on the desktop, works in all browsers, and is a few $$ for mobile (iOS/Android/Windows)

Yes. There are lots of password managers. Not my point though. Some people know about them, some don't. Some don't want to configure, etc., etc. If anything Apple is about ease of use and, of late, so TC states, security. So there is zero reason why Apple isn't requiring TouchID to be part of every iOS app that requires a password. It's a simple, transparent solution to people's password anxiety without an add-on.
 
A kind suggestion: please enable two-factor authentication, the risks in using a single password nowadays are just too great, whatever platform you use.

Only I can't because Apple didn't include my country, Serbia, on the list of countries to receive the verification SMS making it impossible to turn it on here. This, even though they officially sell iPhones and Macs here.

Every other company does 2FA here with no issues: Google, Microsoft, Facebook, etc - but not Apple.
 
This is terrible.
I live in a country where I can easily get my iPhone robbed. If I am without my mobile number (if it's stolen) does this mean I am locked out of my iCloud?

No. App specific passwords are there to separate them from your main (AppleID) password.
 
What I hate is when apps like Fantastical will pop up repeatedly every few months needing a new app password. I go and generate one, which is in itself a process, and then it won't take it. It repeatedly asks for the password, and then eventually it just stops for a few more months. It's super annoying.
 
If an app stores your password for a nefarious use, that app wouldn't actually have access to your Apple ID - only iCloud through that facet.

You'd also be able to disable that one key without having to reset your passwords everywhere -and- if that key was lost and seeded somewhere you didn't want, you'd know exactly what app was loose with it.

Though it's a pain, it's a system being forced on you because other people (maybe even you!) are too irresponsible with their passwords and iCloud accounts are just too valuable and have too much control over a person's Apple ecosystem.
I think you're the only person so far that gets the purpose of this.
 
Only I can't because Apple didn't include my country, Serbia, on the list of countries to receive the verification SMS making it impossible to turn it on here. This, even though they officially sell iPhones and Macs here.

Every other company does 2FA here with no issues: Google, Microsoft, Facebook, etc - but not Apple.

That's crazy... well hopefully they'll implement an alternative to SMS. (By the way SMS authentication for 2-factor has been declared deprecated by NIST since SMS can be easily spoofed, so I hope for them that they are already working on alternatives).
 
Yes, because Apple's solution to security is to require you to enter numerous different passwords, frequently and repeatedly, just like on macOS.

Apple has taken a naive approach to security in this way, and while the motivations for having different iCloud based passwords might make sense from their POV, I am finding it incredibly frustrating every time I go to use a product or service on an Apple product having to re-enter a password over and over again, and I don't want this kind of stupidity to increase when using my phone.

If you are holding a hardware device that has unique ID built into it, there is a difference between a specific phone accessing a service vs someone trying to hack into the service from a remote IP address. The two are NOT the same procedures. I should never have to enter a password on a phone, period, except to unlock the device to use in the first place. The threat is not from someone picking up your phone and accessing a service, unless you are stupid, never password protected access to your phone and have a habit of leaving it lying around, then that is ALL your fault, period. The REAL threat is someone hacking into an iCloud service from a computer in some troll's basement.

Apple should understand and recognize the difference between a specific PHONE accessing iCloud, which should not require a ridiculous multitude of passwords and multi-stage protection, vs a HACKER accessing someone else's iCloud account. There must be numerous ways for a SMART company to figure out the difference between a person holding an actual SMART device to access a service vs someone trying to emulate a device, maybe start using all those ****ing gyroscopes, GPS and barometer and other sensors on the phone to identify when a real person is accessing their account vs some ****tard hacker 12 time zones away.

If I access iCloud from a web browser on some random computer then sure, require 2 stage authentication and challenge me to enter credentials often, but if I have to do this on my own phone it is ALL unnecessary.

The whole industry is being stupid and naive about security. YES there are real and terrible threats out there to our digital privacy and security, but these billion dollar companies are just not using their money to invest in smart ways to achieve the right balance of ease of access for the right user vs impossible to access for someone else. Adding more passwords and layers or password protection is just a cheap and stupid solution.

I.e. maybe it's time to apply that MACHINE LEARNING that Apple seems to be all talk and no action about, and figure out a way for a service to understand a request for access from a legit user vs general hackery without gobs of ****ing passwords.
 
I'm wondering what's to come of people with two apple ids.
So two factor becomes mandatory, but third party apps require app-specific passwords to access, like now - apps that do not understand two factor (like imap).

Meh.
 
That's crazy... well hopefully they'll implement an alternative to SMS. (By the way SMS authentication for 2-factor has been declared deprecated by NIST since SMS can be easily spoofed, so I hope for them that they are already working on alternatives).
The 2FA "code" should appear on your screen via a push notification, i.e. without SMS, for the most part. The trouble is that there is a fallback to SMS when the device trying to be authenticated is already used by a different AppleID (e.g. those of us forced to use one A-ID for "Stores" and another A-ID for "iCloud", et al.).

This is where some issues on security with 2FA fall into the "SMS 2FA being better than no 2FA". As any extra step to stop your account nefariously being accessed is better than no extra step; despite the security concerns with SMS.


As others have said, the main problem is users actually realising that they need an app-specific password (ASP) in order to proceed with the app they are using. As there is no ADVICE on the app set-ups saying "please use an app-specific password from your provider" or similar. Meaning users who don't know, end-up flummoxed as to why their generic A-ID pw doesn't work with said app.

I presume this 'announcement' (both in the press release, and likely at WWDC in a couple of weeks) is somewhat of an attempt to publicise the matter amongst the general public.

The other issue is the somewhat long-winded manner of obtaining an ASP in the first place. Having to login to the A-ID website, and fiddle around (then save to your password manager, if sensible), then paste into said app after already entering the right A-ID first; is all a complete PITA.
 
Awful change, makes my computing life more difficult. I think I'll be sure to avoid iCloud as much as possible. I don't want to be forced to use 2 factor. I had turned that on a couple of months ago, and it was just a nightmare trying to use. I don't know why but with multiple iOS and OS X devices, it just didn't work as I had hoped.
Totally agree. I have found myself moving farther away from Apple each year. It used to be it just works and now you have to make it work.
 
This morning has been a bit of a nightmare with this stuff for me. I'm just about done with iCloud - what a mess. All they had to do was enable shared data (including shared central photo library) between family members and I would be OK with any TFA, but it's just another lockout to work around and I'm sick of it.

iCloud data is expensive when compared to others, and I'm really ready to just ditch iCloud for storage - I can easily switch to gmail and google calendars, or microsoft - one drive is pretty awesome.

Apple need to be careful how much they try to tie people into their eco system. It's getting easier to jump to cross platform alternatives, and once that's done, it's going to be easier to start looking at different hardware too.
 
Has Apple given up on touch id?
I just started using an iPhone with touch id. You know, that's absolutely not safeproof against thieves. If someone wants to steal your data or have access to your stuff on your iphone, the 'attacker' has to knock you out. While you're unconscious, all they have to do to open up your iphone and access all your credit cards and anything else on your iphone is to take your thumb, put it on the device and everything will be revealed. Or your girlfriend just has to wait until you're deep asleep with your arm out of the bed, take your iphone, take your thumb gently and VOILA! With a 4 digit password, you just can't do that. I thought it was a great option, but not really when you think of it.
 
App specific passwords for third-party software might actually be pretty good - addressing the problems of rogue developers and limiting the damage due to loss of that one password. For my purposes, however, 2-factor authentication is too difficult to reliably implement for the majority of people I deal with. Good idea in principle, but the rate of problems working with it is vastly greater than the rate of exploits it protects against.
 
I can't figure out why everyone is so up in arms about this. It's a great security policy. When I was setting up Spark I'm thinking to myself that this takes a decent amount of trust to type your password into someone else's app. App-specific passwords eliminate this. Now Spark can get into iCloud using a password that only works for Spark.

This matters because if you store a password in a 3rd party app, that password may be stored on their servers. If they get hacked, Apple does not control whether that password was encrypted, salted, or otherwise protected against decryption.

iCloud accounts get compromised through hacking of poorly protected services where either the iCloud account is stored or people have re-used passwords. If some celebrity's photos get compromised, it's all pitchforks and torches for Apple. Now that they protect against this, the pitchforks are out again.

I have two-factor enabled and it is completely transparent unless I log into another device for the first time.

Much ado about nothing.
 
This kind of announcement used to strike the fear of God into me, but since I started using a PW manager it's a huge load off my shoulders. Perhaps Apple should buy one of these companies [I use 1Password but there are a few good ones], offer it for free at the 1 - 20 password limit, and then charge a fee for power users? It's in their best interest to be seen as a company who values security. There are clearly ways to do that without making your users miserable.
 