
Apple Begins Reminding Two-Factor Authentication Users About App-Specific Passwords

Apple has begun emailing iCloud users who have enabled two-factor authentication on their Apple IDs, reminding them that app-specific passwords will be required when third-party apps access iCloud data starting tomorrow.

In addition to the email reminders, Apple last week published a new support document explaining how to use app-specific passwords. Apple originally intended to start requiring them on October 1, so it is unclear why two-factor authentication users are only being reminded of the change a week later.

App-specific passwords are a new feature Apple introduced in mid-September, following the launch of two-factor authentication for accessing iCloud.com. The changes arrived after a hacking incident that saw the iCloud accounts of several celebrities compromised due to weak passwords.

CEO Tim Cook has promised to improve iCloud security by raising awareness of Apple's security features, such as two-factor authentication, and by sending out email notifications whenever a device is restored, an account is accessed, or a password change is attempted.



Top Rated Comments


62 months ago

A ridiculous bandaid fix for their apparently weak password reset system. Three security questions, and anyone gets in without a verification email. So you have to bother with this annoying double authentication system. I might as well just make my security answers random codes themselves rather than dealing with this.

I remember Gmail somehow not working properly with third-party mail clients after they messed with their authentication system like this. I was too lazy to negotiate with it and switched to iCloud email as my "anonymous/internet" account.


People complain about eeeeverything!!!!! :rolleyes:
Rating: 18 Votes
62 months ago
Had to Quickly Remind Myself...

When I read that email, I immediately thought "Dammit, that sounds so inconvenient," but I took a few steps back and realized how helpful that will be. I appreciate Apple's multiple levels of security :apple::cool:
Rating: 10 Votes
62 months ago

Yeah, I should. On computers, everything has to work (1 - 10^(-9000))*100% of the time.


Oh kid, welcome to life. If there's something that doesn't work 100% of the time, it's computers; you are going to have a bad life thinking computers should work (1 - 10^(-9000))*100% of the time.

Welcome to the real world. You can complain all you want, but technology has its flaws..
Rating: 5 Votes
62 months ago

A ridiculous bandaid fix for their apparently weak password reset system. Three security questions, and anyone gets in without a verification email. So you have to bother with this annoying double authentication system to avoid that... or provide bogus security answers. I might as well just make my security answers random codes themselves rather than dealing with this. My first pet was Aahs8y238899_!!3.

I remember Gmail randomly rejecting authentication from third-party mail clients after they messed with their authentication system like this. I was too lazy- er, I mean optimized to try and fix it and switched to iCloud email as my "anonymous/internet" account instead.


This is basically how gmail works because 3rd party apps have no cookie mechanism & challenge follow-up. You need app specific passwords.

Apple's implementation is exactly like Google's, except you have more trusted devices than SMS.
Rating: 4 Votes
62 months ago

A ridiculous bandaid fix for their apparently weak password reset system. Three security questions, and anyone gets in without a verification email. So you have to bother with this annoying double authentication system to avoid that... or provide bogus security answers. I might as well just make my security answers random codes themselves rather than dealing with this. My first pet was Aahs8y238899_!!3.


So in place of two-factor authentication, what would you propose to better secure your account information?

I think we have years of break-ins and empirical evidence to show that passwords alone are an inadequate security measure.

I remember Gmail randomly rejecting authentication from third-party mail clients after they messed with their authentication system like this. I was too lazy- er, I mean optimized to try and fix it and switched to iCloud email as my "anonymous/internet" account instead.


Too funny, considering that once you tie an iCloud account to any device, it ceases to be anonymous.
Rating: 3 Votes
62 months ago
Trying to figure out why I don't worry about lockscreens or passwords or 2 step authentication or app-specific pswds and all that...

I think it's a pretty well-founded lack of faith in corporations or governments in matters of respecting personal privacy, that I don't take nudes or hardcore action pics & vids of myself doing career-ruining things and keep them handy on my phone.

On top of that, I don't put any factual personal information on these devices whatsoever. Everything I have digitally refers to a nickname, a made-up business name, an outdated work address, a phone number typo'd by a digit, etc.

Even if I were an 18 year old actress, if someone guessed my password, they'd be very bored and confused.
Rating: 3 Votes
62 months ago
I have it enabled on both iCloud and Gmail/Google services.

Here is my take.
They're both essentially the same method.

You create app specific passwords and the system generates a random password like this:
kgoi-ytbe-fdgb-poyc

So instead of using your iCloud email password for Thunderbird, or your regular Gmail password, you use that random password.

I do this because I run Linux and use Thunderbird to access both gmail/icloud on Linux. I do this on Windows outlook for the same reason. That password would only be used for mail or calendaring. So you won't use that for iTunes purchases or log into your iCloud account.

The reason why you have this is because with 2-factor, there is a follow-up pin and you can't enter in a follow-up pin in 3rd party apps.
I just set up my HTC to connect to iCloud.

There are some differences:

Apple has a limit of 25 devices/app passwords. I can't see any for Google.

Google uses a pre-set pull-down for the description, whereas Apple allows you to type in the description.
E.G. "IMAP password for WinTablet" or "CalDav on Linux Desktop" whereas Google has a list of OS/phones/apps.

Both can revoke.

Lastly, I like Apple's ability to use a non-phone as a trusted device. You can have multiple. I use my iPhone and iPad.
I have my iPad get the code and it works great. I also like Apple's device section where you can revoke devices. I had a few iPods and old iPhones on my list I didn't know about!
But you have to explicitly tell Apple which device you want trusted. It isn't going to send random codes to an iPhone you sold on Craigslist.

Google uses SMS text messages. This could possibly be intercepted. Who knows. If you have a SMS proxy account, that is one vector of attack.
One more thing...
When Apple sends the temp pin, you have to unlock your phone to see it. It is hidden in the notification view.

On my Android phone, the temp-pin notification from Gmail is an SMS text message, and the phone doesn't need to be unlocked to see it. It pops up as a text message with the code right there for anyone to see. This is on a locked, PIN-protected phone.

That is definitely something Apple got right.
Rating: 3 Votes
62 months ago

A ridiculous bandaid fix for their apparently weak password reset system.


This is an industry-wide and fairly secure solution, used by the likes of Google, Microsoft, and Yahoo.
Rating: 3 Votes
62 months ago

It's just very unclear who would use app-specific passwords and who wouldn't, how they would be used, and how they would benefit the user.


If you want third party apps to have access to your iCloud account (eg. Outlook), you create a specific password for Outlook to use.

The app does not know your real iCloud password, and you can revoke the app specific password if you want to.
Rating: 3 Votes
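The mechanism the two comments above describe (a random credential issued per app, held by the app instead of the real account password, revocable on its own, and capped at 25 per account on Apple's side) can be modelled in a few dozen lines. The following is an added example, not code from the original page and not Apple's or Google's implementation. It is a toy server-side store in Python; the 4x4 lowercase-letter format (matching the sample in the comment), the cap of 25, and PBKDF2 storage of a salted hash are assumptions made for illustration.

```python
# Added example (not Apple's or Google's code): a minimal server-side model of
# app-specific passwords as described in the thread. Assumed details: the
# xxxx-xxxx-xxxx-xxxx lowercase format, the per-account cap of 25 quoted for
# Apple, and that the service keeps only a salted hash of each credential.
import hashlib
import hmac
import os
import re
import secrets
import string
from typing import Dict, List, Optional, Tuple

ALPHABET = string.ascii_lowercase
GROUPS, GROUP_LEN = 4, 4
MAX_APP_PASSWORDS = 25          # assumed cap, per the comment above
PBKDF2_ITERATIONS = 10_000      # kept low for the demo; raise in production
FORMAT = re.compile(r"^[a-z]{4}(-[a-z]{4}){3}$")


def generate_app_password() -> str:
    """16 random lowercase letters from a CSPRNG, grouped as xxxx-xxxx-xxxx-xxxx."""
    letters = [secrets.choice(ALPHABET) for _ in range(GROUPS * GROUP_LEN)]
    return "-".join(
        "".join(letters[i:i + GROUP_LEN]) for i in range(0, len(letters), GROUP_LEN)
    )


def _derive(secret: str, salt: bytes) -> bytes:
    """Slow salted hash so a leaked store does not yield the credentials."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ITERATIONS)


class Account:
    """One verifier for the real password, plus one per app-specific password."""

    def __init__(self, main_password: str):
        self._main_salt = os.urandom(16)
        self._main_hash = _derive(main_password, self._main_salt)
        self._apps: Dict[str, Tuple[bytes, bytes]] = {}   # label -> (salt, hash)

    def create_app_password(self, label: str) -> str:
        """Issue a credential for `label`; the plaintext is returned exactly once."""
        if label in self._apps:
            raise ValueError(f"label already in use: {label!r}")
        if len(self._apps) >= MAX_APP_PASSWORDS:
            raise RuntimeError("app-specific password limit reached; revoke one first")
        password = generate_app_password()
        salt = os.urandom(16)
        self._apps[label] = (salt, _derive(password, salt))
        return password

    def revoke(self, label: str) -> bool:
        """Drop one app's credential without touching the main password or other apps."""
        return self._apps.pop(label, None) is not None

    def labels(self) -> List[str]:
        return sorted(self._apps)

    def authenticate_app(self, candidate: str) -> Optional[str]:
        """IMAP/CalDAV-style login: accepts only an unrevoked app password.
        Returns the matching label, or None. The real password is never consulted
        here, so a leaked app password reveals nothing about it."""
        if not FORMAT.match(candidate):        # cheap pre-filter, not the security check
            return None
        for label, (salt, digest) in self._apps.items():
            if hmac.compare_digest(_derive(candidate, salt), digest):
                return label
        return None

    def authenticate_main(self, candidate: str) -> bool:
        """Full account login, first factor only (the 2FA code follows separately).
        App passwords are deliberately not accepted here."""
        return hmac.compare_digest(_derive(candidate, self._main_salt), self._main_hash)


if __name__ == "__main__":
    acct = Account("correct horse battery staple")
    pw = acct.create_app_password("IMAP on Linux desktop")
    print("issued:", pw, "->", acct.authenticate_app(pw))
    print("main password used as app password:", acct.authenticate_app("correct horse battery staple"))
    print("app password used for full login:", acct.authenticate_main(pw))
    acct.revoke("IMAP on Linux desktop")
    print("after revoke:", acct.authenticate_app(pw))
```

The two checks worth noting are that the app-login path and the full-login path verify against different stored hashes, so neither credential is usable on the other path, and that revoking a label removes only that app's access. The regex is a format filter, not the security check; the PBKDF2 comparison is.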
62 months ago

Yeah, I should. On computers, everything has to work (1 - 10^(-9000))*100% of the time. Leave the possibility for error to SHA-256 collisions and cosmic radiation flipping bits, not stupidly designed systems and human error.


Rating: 3 Votes
