The main problem I have with two factor identification is, as I understand it, it uses one of your devices as an authentication factor. So what happens when I upgrade to another device, or my device gets lost/stolen? I get a new device, and now what?

To guard against that problem you need to set up some other "trusted phone numbers". So in your scenario you could have Apple call your home phone if it was on the trusted phone numbers list. I have my iPhone and also my home phone and a family member's mobile phone on the list as fallback for the scenario you mentioned.

https://support.apple.com/en-us/HT204915

A trusted phone number is a number that can be used to receive verification codes by text or phone call. You must verify at least one trusted phone number to enroll in two-factor authentication.
You should also consider verifying other phone numbers you can access, such as a home phone, or a number used by a family member or close friend. You can use these numbers if you temporarily can't access your own devices.
 
I didn't know this, thanks! Is this a standard thing with all two factor systems, or only some of them do this? This is the kind of thing I wish articles about two factors would mention, as it makes recovering from loss of device easier.

Also, when you say have Apple call my home phone, do I have to actually speak to a person? I'm hard of hearing, so carrying on a phone conversation is difficult.
 
I have no idea if other 2FA systems use this, I'm only familiar with Apple's. I have not read about this method being used elsewhere though.

The call to your home phone is a robocall with no human.
 
I didn't know this, thanks! Is this a standard thing with all two factor systems, or only some of them do this? This is the kind of thing I wish articles about two factors would mention, as it makes recovering from loss of device easier.

Also, when you say have Apple call my home phone, do I have to actually speak to a person? I'm hard of hearing, so carrying on a phone conversation is difficult.
It will probably be completed by some sort of automated phone system reading out some sort of verification code. No need for actual conversation.
 
This will mean a lot more steps.

I haven't found that to be the case. Once the app is set up, and that involves one extra step handled transparently and easily by Keychain, you never think about it again. It just works from that point going forward with no additional steps or hassle.
 
Has Apple given up on touch id?

How would Touch ID help this situation? I'm not sure if you understand what two-factor authentication is used for or--more to the point here--where Apple's two-factor authentication can't be used and where the app-specific password will now be necessary. For example, say you want to check your iCloud e-mail in Thunderbird rather than Mac or iOS Mail. Now you'll need an app-specific password because Thunderbird (and basically any non-Apple app) doesn't have any way to summon Apple's two-factor authentication. I don't think I need to say that Touch ID couldn't even fit into this equation.

I find two-factor authentication to really not be that inconvenient--you pretty much just set it up once for a specific app (or a few specific apps) and never have to worry about the password again. The password is complex and randomly generated, but the idea is that you might "save" it in the app and thus don't need to enter it all the time. You can remove the app-specific password if you know it's no longer being used or if for some reason that app-specific password does get compromised (presumably quite rare but still a possibility since it's just a password--but at least now it's not also your account's real password or any password you'd use elsewhere).
 
yo-dawg-yo-dawg-i-heard-you-like-passwords-so-i-put-a-password-on-your-password.jpg
 
No... Reread what I said. I never claimed what you're suggesting. What I said is I have two factor set up on all my devices, AND, I use Fantastical which mandates an app-specific password to access my contacts. And that it all works together seamlessly and hassle-free.

I have no idea why you brought "email accounts" into the conversation.

Fantastical doesn't mandate the app specific password, Apple does. And two factor authentication and having Apple require an app specific password aren't the same thing, so why do you keep saying that they work seamlessly together? You can choose not to have two factor authentication set up and yet you are required by Apple to have an app specific password in order to use a third party email or calendar app.
 
This is not my understanding, two-factor must be turned on in order to generate app-specific passwords. So users must use two-factor authentication going forward. Is that not the case?

I had two factor authentication on for 3 days, after having to do two factor verification on my Apple TV 3 times I turned it off, it's a complete cluster.
 
I hope that this means that Apple will be bringing a Keychain app or dedicated Settings menu to iOS. Right now, it sort of works, hiding "Passwords" in the Safari Settings but passwords aren't just in Safari, they're in apps themselves.

A request for a password in iOS should generate an app specific password on the spot, right in iOS or fetch one if it had already been generated and used before for that app.
 
This is not my understanding, two-factor must be turned on in order to generate app-specific passwords. So users must use two-factor authentication going forward. Is that not the case?

I had two factor authentication on for 3 days, after having to do two factor verification on my Apple TV 3 times I turned it off, it's a complete cluster.

No, you have to go into Apple's website and manually generate an app specific password. And as soon as it appears on the screen, you have to copy and paste it somewhere because it won't be shown again. Ever. If you lose it, you have to go back in Apple's site, revoke that password for that app, and then manually generate another one. I ****ing hate doing this. It's among the stupidest damn security practices besides having a password that's 18 characters long, numbers and special characters and uppercase and lowercase letters and you can't use the prior 12 passwords.... And then having to change it every two months. Password policies have gotten out of control.

Two factor authentication is when a popup appears on your phone letting you know someone, most likely you, is trying to login somewhere and you have to hit yes if it's you. Google does this nicely and doesn't require an app specific password, I can use the same Google password on a thousand different email and calendar apps on macOS, iOS, Windows...
 
Good intention but somehow flawed implementation.
The key is to recognize someone IS legitimately someone, yes. But why is Apple Connect not compatible with 2FA? What if a trusted device is lost/stolen/damaged? Added security is achieved in exchange for a fragile system. Adding more steps also adds the chance of "something is going wrong".

Regarding security question thing, my security question answer is immune to social engineering. All answers are random characters. Good luck for those hackers guessing the answer.

Issue is: if his trusted device is stolen, alongside SIM card, he will have a very hard time trying to access his data and set up a new trusted device. SMS is not always a good idea, and it is easy to be stolen.

I have two Apple IDs, one for store, one for both store and data and more.
Two factor is just a pure pain for me to even consider using it.

Once you have trusted the device or browser you do not have to enter it again until you are using a different browser or device. What is so painful about this?
 
Fantastical doesn't mandate the app specific password, Apple does. And two factor authentication and having Apple require an app specific password aren't the same thing, so why do you keep saying that they work seamlessly together? You can choose not to have two factor authentication set up and yet you are required by Apple to have an app specific password in order to use a third party email or calendar app.

You're still not getting it. Intentionally so, likely...

Today Apple announced: "App-specific passwords are set to become a mandatory requirement for third-party apps that access iCloud user data, according to an Apple Support email sent out today."

I have been using Fantastical with two factor authorization for around six months. Fantastical, back then, before Apple made their announcement today, mandated an app-specific password if two factor were to be used with your system. Before I set up two-factor authorization six months ago, Fantastical (and Apple) never required an app-specific password for data access - and I have been using Fantastical for years.

"And two factor authentication and having Apple require an app specific password aren't the same thing, so why do you keep saying that they work seamlessly together? "

Once more, I never claimed they were the same thing - stop putting your words into my mouth.

Fantastical is an app, that if you decide to use two-factor authorization on your system, requires an app-specific password to access your data. Because Fantastical is an app, that runs under your system, I'm saying they work well together when two-factor is used along with an app-specific password. It is set up once, and then you never need deal with it again.

I'm saying they work seamlessly well together because there are a lot of people here posting that today's Apple announcement on an Apple mandated app-specific passwords being used is going to create a lot of hassle and extra steps.

It won't.
 
Going to? It already does. And it's already been mandated for a very long time.
 
Not true. Read the first sentence of the MR story.

And then read the first sentence of the third paragraph: "However, app-specific passwords will become a basic requirement from June 15, according to Apple."
 
I'm not sure I understand, did an application explicitly request you to create an app specific password or you created it "just in case"? There's no need to create an app-specific password just in case, that is something you need to do only when an app explicitly requests you to do so.

Two-factor authentication is a different thing. Two factor authentication allows you to access your devices using a phone number and/or another apple device as a verification, while blocking anyone else who only has your password (e.g. a remote hacker).

I know what 2FA is, I have that set up. And no, an App did not request I create one, I thought we were supposed to create one so that in the future when they are required, I would have one, I went into my AppleID and saw something to click on to create one. I did and as my post stated, that started my confusion when Apple popped back with one of their own after I entered mine. As I said, I am not very techy. I do see in my settings that I have iCloud turned off for all my apps except Calendar and Reminders so hopefully I will figure this stuff out when the time comes. I do have a monthly Reminder set up so I do use that App but I don't have my Mail app set up in iCloud.
 
In my opinion. Apple should make this optional. Put a warning in the appropriate update etc., and put the onus on the user where it belongs.

Creating as secure and safe an OS as possible is one thing. Forcing a consumer to use his or her phone in the manner in question is too big brother for me. If a person doesn't want to use prudent security and gets hacked etc. that is the individual consumer's problem.

I don't need a mother and father, Apple. I already have parental units. I am more than capable of making decisions for myself.
 
Going to? It already does. And it's already been mandated for a very long time.
This is a little confusing, and I had to read the article twice then research Apple's documentation to understand what this change means.

Prior to this change if you wanted to use something like Fantastical to access iCloud information (CalDAV) and you did not have 2FA turned on, you could just use your iCloud password.

But if you turned on 2FA, Apple required you to generate and use an app specific password for Fantastical. I have been running this way for several months, so this change on June 15 will mean no change for me.

What this change means is if you want to use an app like Fantastical with iCloud you will need an app specific password, and that in turn requires turning on 2FA.

So before you could use your iCloud password if you did not have 2FA turned on, and that is what will be going away. The only way forward will be an app specific password with 2FA on.
 
Sorry - but for all the arguments why this is A Good Thing, it looks less like a security 'feature' and more like Apple dissuading users (especially those who want no part of their 2-part authentication) from using apps that are superior to their own.

And remember, this process means you're not just creating new passwords for your 3rd Party apps, but you are having to buy into Apple's 2-factor authentication and its process. As far as the 3rd Party app developers and their access to our iCloud accounts, well, that horse has already left the barn, because I've already given these 3rd Party apps the access code. And the letter doesn't say anything about changing your master password to iCloud before doing all this. If you can.

And frankly, given the companies' apps I have given access to iCloud, I'm not sure they are any worse threat than Apple is.

Apple tried to initiate this a few years ago and it simply didn't fly then. Daresay they are currently using media reports as 'incentive' to make it seem like you'll be more secure. Not convinced.

May yet end up biting the bullet - or, contrariwise, say 'screw it' and use other apps and syncing bypassing iCloud entirely.
 
This is terrible.
I live in a country where I can easily get my iPhone robbed. If I am without my mobile number (if it's stolen) does this mean I am locked out of my iCloud?
If that's your only device, then yes. But you can authorize other devices (Macs, iPads, etc.) to receive authentication codes. You can also, I believe, provide a voice phone number (like a landline) for this purpose.

So there are options. The important thing is to set them up before your phone gets stolen!

I think the problem is that 3rd party apps cannot "summon" the two-factor authentication.
Bingo! This whole problem could be solved if Apple would publish a mechanism for third party apps to support 2FA. Google does this so when I use Thunderbird to access GMail, it asks me for the authentication code and I'm good. There's no reason Apple can't also do this, and they really should.

It's in their own best interests to allow third party products to work with 2FA. Otherwise they're going to end up with a lot of disgruntled customers and I suspect a lot of them will decide to give up on iCloud before they give up on their favorite mail/calendar/contacts app.

That's the whole point of two factor authentication, is it not? Making you generate a separate password to use an email client on a different platform does not add more security for you. It's just another password.
Not quite. It is another password, but it's a password that can only be used for a single application.

I haven't used them with iCloud yet, but on the Google platform, an application-specific password is tied to one app on one device. If I use three different mail apps on my laptop, I need three app-specific passwords. I can't create one and use it on three apps - it will work on the first one and be rejected by the others.

This improves security because a malicious/infected application that steals your password won't get anything useful. The thief won't be able to use it on any other device or app.

I assume (hope) Apple has implemented them the same way. If you can generate a password and use it in multiple places then it is pretty pointless. (Well, a thief wouldn't be able to use it on a 2FA application like the iCloud web page, so he probably couldn't use it to change your actual password, but he could still cause quite a bit of damage.)

Why do we still need passwords in 2017? Surely Apple could extend Touch ID to replace all passwords.
And do what with it? Touch ID can protect an app or the device. It can't protect a web site - they will still need a password or authentication token or something similar. Touch ID unlocks a keychain location where the app can store a password, but the app is still using that password.

The only way for Touch ID to work completely without password would be if Apple uploaded your fingerprint data to iCloud. They don't do this, and you really don't want them to. You never want it to be possible for a server breach to get customer biometric data. You can revoke and regenerate passwords and digital certificates, but not fingerprints!
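
An added illustration, not part of any post in this thread and not Apple's or Google's implementation: a toy Python model of the app-specific password properties the thread describes (shown once at creation, revocable per app, refused for changing the account password). The class `ToyAccount`, the labels, the 16-letter grouped format and the PBKDF2 round count are assumptions made for the demo.

```python
import hashlib
import hmac
import secrets
import string

PBKDF2_ROUNDS = 50_000  # constructed value, kept low so the demo runs quickly


def _digest(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)


class ToyAccount:
    """Hypothetical account store: one primary password, many app passwords."""

    def __init__(self, primary_password: str):
        self._salt = secrets.token_bytes(16)
        self._primary = _digest(primary_password, self._salt)
        self._app = {}  # label -> (salt, digest); the plaintext is never kept

    def create_app_password(self, label: str) -> str:
        raw = "".join(secrets.choice(string.ascii_lowercase) for _ in range(16))
        salt = secrets.token_bytes(16)
        self._app[label] = (salt, _digest(raw, salt))
        # Returned once for display; only the salted digest is stored.
        return "-".join(raw[i:i + 4] for i in range(0, 16, 4))

    def revoke(self, label: str) -> bool:
        return self._app.pop(label, None) is not None

    def protocol_login(self, secret: str):
        """Mail/CalDAV-style login: only app-specific passwords are accepted."""
        candidate = secret.replace("-", "")
        matched = None
        for label, (salt, digest) in self._app.items():
            if hmac.compare_digest(_digest(candidate, salt), digest):
                matched = label
        return matched

    def change_primary_password(self, secret, second_factor_ok, new_password):
        """Account management: needs the primary password AND a second factor."""
        ok = hmac.compare_digest(_digest(secret, self._salt), self._primary)
        if not (ok and second_factor_ok):
            return False
        self._salt = secrets.token_bytes(16)
        self._primary = _digest(new_password, self._salt)
        return True


def demo():
    primary = "correct horse battery staple"  # constructed sample value
    acct = ToyAccount(primary)
    mail_pw = acct.create_app_password("mail-client")
    cal_pw = acct.create_app_password("calendar-client")
    out = {"mail_before": acct.protocol_login(mail_pw),
           "primary_on_protocol": acct.protocol_login(primary),
           # A leaked app password cannot take over the account.
           "stolen_change": acct.change_primary_password(mail_pw, True, "x")}
    out["revoked"] = acct.revoke("mail-client")
    out["mail_after"] = acct.protocol_login(mail_pw)
    out["calendar_after"] = acct.protocol_login(cal_pw)
    out["owner_change"] = acct.change_primary_password(primary, True, "new pw")
    return out


if __name__ == "__main__":
    print(demo())
```

Revoking the mail client's password leaves the calendar client working, which is the practical gain over sharing the primary password with every app.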
 
Once you have trusted the device or browser you do not have to enter it again until you are using a different browser or device. What is so painful about this?
Because I constantly need to switch between two accounts, even just in iTunes Store?
 
That's all fine but it gets confusing and frustrating for the nontechnically oriented user -- and even those of us who are. If Apple really wants to beef up security I don't understand why it doesn't allow keychain access to apps and also require devs to allow TouchID. The best way to ensure security is to encourage people to use long unique random passwords for every app. But you need a password manager to do this and right now Apple's only works in Safari, not apps.

TouchID is available for apps, but not mandated. It should be mandated and keychain access should be made available for devices that do not have TouchID. That would be a truly usable feature and set more space between iOS and Android. I mean if Apple is really serious about user security.

Actually I do believe that apps have had an API to tap into iCloud Keychain for some time now. They've had it for longer than they've had a TouchID API. But no one ever used it.
 