New in OS X: Get MacRumors Push Notifications on your Mac

Resubscribe Now Close

Apple to Require App-Specific Passwords For Third-Party Apps Accessing iCloud

Apple is now offering app-specific passwords for third-party apps that access iCloud, allowing users to generate unique one-time use passwords to sign into iCloud securely. In a support document, Apple describes app-specific passwords as a feature of two-step verification and states that app-specific passwords will be required to sign into iCloud when using a third-party app beginning on October 1, 2014.

appspecificpasswords
If you use iCloud with any third party apps, such as Microsoft Outlook, Mozilla Thunderbird, or BusyCal, you can generate app-specific passwords that allow you to sign in securely, even if the app you're using doesn't support two-step verification. Using an app-specific password also ensures that your primary Apple ID password isn't collected or stored by any third party apps you might use.
App-specific passwords, which have long been used by other sites like Google, are a function of two-step verification. Typically, two-step verification requires a user to enter a verification code, but oftentimes, the codes will not work properly in third-party apps, so app-specific passwords are substituted instead.

As outlined in the support document, app-specific passwords can be generated by accessing My Apple ID, where the option to generate an app-specific password is listed under Password and Security. According to Apple, users can have up to 25 active app-specific passwords at a time, which are listed in the Password and Security section of My Apple ID.

appspecifichistoryGenerating an app-specific password is limited to accounts with two-factor authentication turned on, and for security reasons, Apple sends an email whenever an app-specific password is generated. App-specific passwords will be revoked whenever a user's primary Apple ID password is changed, requiring new app-specific passwords to be generated.

Apple's new app-specific passwords follow the launch of two-factor verification for accessing iCloud.com and come after a hacking incident that saw the iCloud accounts of several celebrities compromised due to weak passwords.

Apple CEO Tim Cook has promised to improve iCloud security by increasing awareness about two-factor verification, as well as sending out security emails whenever a device is restored, iCloud is accessed, or a password change is attempted.


Top Rated Comments

(View all)

22 months ago

... That Google users have been using for about 7 years now.


And by 7 years you mean 3, correct?

http://googleblog.blogspot.com/2011/02/advanced-sign-in-security-for-your.html

Way to build credibility. Oh, and by the way, if you ask 10 gmail users on the street today whether they use 2FA on their gmail account I would be willing to bet at least 7 of them say, "What's that?"
Rating: 10 Votes
22 months ago

It feels like apple had all of these securities measures built but just never released for various reasons.


Scaling to millions of users is a very tough task, regardless of how much money the company has. Scaling is what Google excels at, which is why they had almost all of this in place when they had 2FA on and their authenticator app.

Apple's great at creating the demand but they suck at supplying it (scaling).
Rating: 4 Votes
22 months ago
Drowssap1 thru Drowssap25
Rating: 3 Votes
22 months ago
so they have almost caught up to google.
Rating: 3 Votes
22 months ago
iCloud Mess

is it me or is this all getting to be a mess.

Steve was all about simplifying things. iTunes is an utter mess. It doesn't even have an identity of purpose now.

Plug in syncing, wireless syncing, management of syncing through itunes on both wireless and wired, manual management of content that gets rid of previous said options. icloud downloading of content, itunes match, home sharing (which never works), now account sharing between people in your family, iphoto streaming, iphoto library with video and photo backup, icloud 2 question authentication, icloud 2 factor authentication, app specific password, icloud keychains.

HONESTLY?? Can we not do a better job of simplifying this? Then you get constant backup error messages saying icloud couldn't backup guilting you into buying more icloud storage.

Now every time you change something on your account you get 5-10 emails in a row telling you something changed and a message popping up on every device telling you something changed.

This is a complete mess. and NO MERE MORTAL will understand what this all means.

Seriously. The whole Spirit of Steve was to do better on issues like this.
Rating: 3 Votes
22 months ago

How will this help with the NSA/MI6 looking?


It won't.

I am also curious as to why the number of apps is limited to 25.
Rating: 2 Votes
22 months ago

The Fappening 2015 still going to happen even if it is more secure.


That's because people will still use "hunter2" as their password but not 2FA.
Rating: 2 Votes
22 months ago

Or here's another reason: Apple wants to make sure their users' experience is predictable and as simple as possible.

App specific passwords, and setting up 2FA in Google is a kludgy mess, and has run inconsistently at times, to the point that many people I have recommended do it end up going back to simple password authentication out of pure frustration. Their experience has been similar to mine (and I know what I'm doing). But I recognize the risk involved with using gmail without 2FA, so I have put up with it.


Wow, some of you really like just making stuff up on these forums huh?

As long as you sound like you know what you're talking about, and praise Apple, no one will really question you.

Gotta support the team, I guess. :apple:
Rating: 2 Votes
22 months ago


Very true, so many people have no clue what it is.


And it seems like most of the people that do know what it is are unwilling to go through the trouble to set it up, and use it.

My wife finally allowed me to set it up for her on Google Mail last weekend, after a bunch of allegedly valid Gmail passwords were published.

I enable 2-factor authentication wherever I can. Since Google Authenticator is open, you can implement it in your own application. Here's how to use it in an SSH server:

https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-two-factor-authentication
Rating: 1 Votes
22 months ago

Are you kidding on that? Apple has the cash hoards to buy companies, staff and figure out how to scale. There is no excuse for their utter lack of real security, celebs or not. Google has done it better for longer because they actually know what they are doing.


Yeah google has never gotten 5 million usernames and passwords posted on russian sites this month

Oh wait....[emoji57]


http://m.nydailynews.com/news/world/5-million-gmail-usernames-passwords-posted-online-article-1.1935155
Rating: 1 Votes

[ Read All Comments ]