Apple Begins Reminding Two-Factor Authentication Users About App-Specific Passwords

A ridiculous bandaid fix for their apparently weak password reset system. Three security questions, and anyone gets in without a verification email. So you have to bother with this annoying double authentication system. I might as well just make my security answers random codes themselves rather than dealing with this.

I remember Gmail somehow not working properly with third-party mail clients after they messed with their authentication system like this. I was too lazy to negotiate with it and switched to iCloud email as my "anonymous/internet" account.

People complain about eeeeverything!!!!! :rolleyes:

Had to Quickly Remind Myself...

When I read that email, I immediately though "Dammit that sounds so inconvenient" but I took a few steps back and realized how helpful that will be. I appreciate Apple's multiple levels of security:apple::cool:

Yeah, I should. On computers, everything has to work (1 - 10^(-9000))*100% of the time.

Oh kid, welcome to life, if there's something that doesn't work at 100% all the time are computers, you are going to have a bad life thinking computers should work (1 - 10^(-9000))*100% of the time.

Welcome to the real world, you can complain all you want, but technology has it flaws..

A ridiculous bandaid fix for their apparently weak password reset system. Three security questions, and anyone gets in without a verification email. So you have to bother with this annoying double authentication system to avoid that... or provide bogus security answers. I might as well just make my security answers random codes themselves rather than dealing with this. My first pet was Aahs8y238899_!!3.

I remember Gmail randomly rejecting authentication from third-party mail clients after they messed with their authentication system like this. I was too lazy- er, I mean optimized to try and fix it and switched to iCloud email as my "anonymous/internet" account instead.

This is basically how gmail works because 3rd party apps have no cookie mechanism & challenge follow-up. You need app specific passwords.

Apple's implementation is exactly like Google except you have more trusted device than SMS.

A ridiculous bandaid fix for their apparently weak password reset system. Three security questions, and anyone gets in without a verification email. So you have to bother with this annoying double authentication system to avoid that... or provide bogus security answers. I might as well just make my security answers random codes themselves rather than dealing with this. My first pet was Aahs8y238899_!!3.

So in place of two-factor authentication, what would you propose to better secure your account information?

I think we have years of break ins and empirical evidence to show that passwords alone are inadequate security measure.

I remember Gmail randomly rejecting authentication from third-party mail clients after they messed with their authentication system like this. I was too lazy- er, I mean optimized to try and fix it and switched to iCloud email as my "anonymous/internet" account instead.

Too funny, considering that once you tie an iCloud account to any device, it ceases to be anonymous.

Trying to figure out why I don't worry about lockscreens or passwords or 2 step authentication or app-specific pswds and all that...

I think it's a pretty well-founded lack of faith in corporations or governments in matters of respecting personal privacy, that I don't take nudes or hardcore action pics & vids of myself doing career-ruining things and keep them handy on my phone.

On top of that, I don't put any factual personal information on these devices whatsoever. Everything I have digitally refers to a nickname, a made-up business name, an outdated work address, a phone number typo'd by a digit, etc.

Even if I were an 18 year old actress, if someone guessed my password, they'd be very bored and confused.

I have enabled on both iCloud and in Gmail/Google Service.

Here is my take.
They're both essentially the same method.

You create app specific passwords and the system generates a random password like this:
kgoi-ytbe-fdgb-poyc

So instead of using your icloud email password for Thunderbird or regular gmail password,you use that random password.

I do this because I run Linux and use Thunderbird to access both gmail/icloud on Linux. I do this on Windows outlook for the same reason. That password would only be used for mail or calendaring. So you won't use that for iTunes purchases or log into your iCloud account.

The reason why you have this is because with 2-factor, there is a follow-up pin and you can't enter in a follow-up pin in 3rd party apps.
I just set up my HTC to connect to iCloud.

There are some differences:

Apple has a limit of 25 devices/app passwords. I can't see any for Google.

Google use a pre-set pull down for the description whereas Apple allows you to type in the description.
E.G. "IMAP password for WinTablet" or "CalDav on Linux Desktop" whereas Google has a list of OS/phones/apps.

Both can revoke.

Lastly, I like Apple's ability to use a non-phone as a trusted device. You can have multiple. I use my iPhone and iPad.
I have my iPad get the code and it works great. I also like Apple's device section where you can revoke devices. I had a few iPod and old iPhones on my list didn't know!
But you have to explicitly tell Apple which device you want trusted. It isn't going to send random codes to an iPhone you sold on Craigslist.

Google uses SMS text messages. This could possibly be intercepted. Who knows. If you have a SMS proxy account, that is one vector of attack.
One more thing...
When Apple sends the temp pin, you have to unlock your phone to see it. It is hidden in the notification view.

On my Android phone, the notification temp-pin from Gmail is a SMS text message and I don't need to be unlocked to see it. It pops up as a text message with the code right there for anyone to see. This is on a locked password protected pin.

That is definitely something Apple got right.

A ridiculous bandaid fix for their apparently weak password reset system.

This is an industry-wide and fairly secure solution, used by the likes of Google, Microsoft, and Yahoo.

It's just very unclear who would use app-specific passwords and who wouldn't, how they would be used, and how they would benefit the user.

If you want third party apps to have access to your iCloud account (eg. Outlook), you create a specific password for Outlook to use.

The app does not know your real iCloud password, and you can revoke the app specific password if you want to.

Yeah, I should. On computers, everything has to work (1 - 10^(-9000))*100% of the time. Leave the possibility for error to SHA-256 collisions and cosmic radiation flipping bits, not stupidly designed systems and human error.