New in OS X: Get MacRumors Push Notifications on your Mac

Resubscribe Now Close

Third-Party Apps Will Need App-Specific Passwords for iCloud Access From June 15

Tuesday May 16, 2017 4:55 am PDT by Tim Hardwick
App-specific passwords are set to become a mandatory requirement for third-party apps that access iCloud user data, according to an Apple Support email sent out today.

Currently, app-specific passwords are used to allow non-native apps like email clients to sign in to iCloud accounts that are protected by two-factor authentication. The security measure ensures that users can still link up their iCloud account to apps and services not provided by Apple, while also avoiding the need to disclose their Apple ID password to third parties.

However, app-specific passwords will become a basic requirement from June 15, according to Apple. The policy change basically means that users who want to continue using third-party apps with their iCloud account will have to enable two-factor authentication and generate individual passwords for each app.
Beginning on 15 June, app-specific passwords will be required to access your iCloud data using third-party apps such as Microsoft Outlook, Mozilla Thunderbird, or other mail, contacts and calendar services not provided by Apple.

If you are already signed in to a third-party app using your primary Apple ID password, you will be signed out automatically when this change takes effect. You will need to generate an app-specific password and sign in again.
Two-factor authentication ensures that you're the only person who can access your Apple account, even if someone knows your password. To turn it on from any iOS device running iOS 10.3 or later, open the Settings app, tap your name at the top, and then tap Password & Security.

If you're using iOS 10.2 or earlier, you can enable it from Settings -> iCloud -> Apple ID -> Password & Security. If you're on a Mac, go to System Preferences -> iCloud -> Account Details, click Security, and enable two-factor authentication from there.

To generate an app-specific password, sign into your Apple ID account page (https://appleid.apple.com), go to App-Specific Passwords under Security, and click Generate Password.

Tags: iCloud, Apple security
[ 132 comments ]


Top Rated Comments

(View all)

Avatar
Chupa Chupa
21 months ago
That's all fine but it's get confusing and frustrating for the nontechnically oriented user -- and even those of us who are. If Apple really wants to beef up security I don't understand why it doesn't allow keychain access to apps and also require devs to allow TouchID. The best way to ensure security is to encourage people to use long unique random passwords for every app. But you need a password manager to do this and right now Apple's only works in Safari, not apps.

TouchID is available for apps, but not mandated. It should be mandated and keychain access should be made available for devices that do not have TouchID. That would be truly usable feature and set more space between iOS and Android. I mean if Apple is really serious about user security.
Rating: 32 Votes
Avatar
maflynn
21 months ago
Awful change, makes my computing life more difficult. I think I'll be sure to avoid iCloud as much as possible. I don't want to be forced to use 2 factor. I had turned that on a couple of months ago, and it was just a nightmare trying to use. I don't know why but with multiple iOS and OS X devices, it just didn't work as I had hoped.
Rating: 21 Votes
Avatar
Otelm
21 months ago
Just to clarify: this only affects apps that access iCloud web services in a non-native way (web API). E.g. those mentioned: outlook, thunderbird, and similar. I'm a developer and I used to have only one such app, which has recently been updated to iCloud drive instead.

This change won't affect apps which use iCloud Drive, keychain (which is already accessible by devs btw, they just don't implement it) and apps which use the CloudKit framework. CloudKit already assigns app-specific containers to apps, while this change only affects services which want to access iCloud outside of their own space (which makes sense, if you consider the security risks).

A kind suggestion: please enable two-factor authentication, the risks in using a single password nowadays are just too great, whatever platform you use.
Rating: 18 Votes
Avatar
itsmilo
21 months ago
Oh god, no one in my family understands anything above a password as it is. Not even security questions "wtf how does it know where i was born? Thats creepy"
Rating: 14 Votes
Avatar
MR-LIZARD
21 months ago

If Apple really wants to beef up security I don't understand why it doesn't allow keychain access to apps and also require devs to allow TouchID. The best way to ensure security is to encourage people to use long unique random passwords for every app. But you need a password manager to do this and right now Apple's only works in Safari, not apps.


This is already available and has been since iOS 8! The uptake from developers is so low. I have one App (ASOS) that actually uses the API to access the Safari keychain's credentials.

I have contacted lots of the developers of the apps I use to add this as a feature request but it just doesn't seem to have priority, despite it seeming easy to implement.

References:

https://9to5mac.com/2014/06/13/ios-8-lets-apps-access-safari-autofill-credentials-for-quick-easy-login/

https://developer.apple.com/reference/security/shared_web_credentials
Rating: 12 Votes
Avatar
Nem
21 months ago
I accidentally changed to two factor auth a while back and had to use these app specific passwords, hated it, it seemed to work for about a week and then stop stating the password was incorrect and had to set up another one each time. After three times I turned two factor auth off and went back to normal. I can see me finally moving away from apple email entirely as it's just not worth the hassle.
Rating: 9 Votes
Avatar
sk1wbw
21 months ago
This is such a ****ing pain in the ass. What's the point of having passwords then? Such a damn pain to have to go into Apple's website, create a ****ing password for everything on top of the password that you already have for that same thing.
Rating: 8 Votes
Avatar
JGRE
21 months ago

This is terrible.
I live in a country where I can easily get my iPhone robbed. If I am without my mobile number (if it's stolen) does this mean I am locked out of my iCloud?


If you live in a country were can get robbed easily, you should be happy with two-factor authentication. Now only you phone gets robbed, otherwise also your data :)
Btw, they steel your phone not your number.
Rating: 8 Votes
Avatar
strategicthinke
21 months ago
This is terrible.
I live in a country where I can easily get my iPhone robbed. If I am without my mobile number (if it's stolen) does this mean I am locked out of my iCloud?
Rating: 7 Votes
Avatar
barthrh
21 months ago
I can't figure out why everyone is so up in arms about this. It's a great security policy. When I was setting up Spark I'm thinking to myself that this takes a decent amount of trust to type your password into someone else's app. App-specific passwords eliminates this. Now Spark can get into iCloud using a password that only works for Spark.

This matters because if you store a password in a 3rd party app, that password may be stored on their servers. If they get hacked, Apple does not control whether that password was encrypted, salted, or otherwise protected against decryption.

iCloud accounts get compromised through hacking of poorly protected services where either the iCloud account is stored or people have re-used passwords. If some celebrity's photos get compromised, it's all pitchforks and torches for Apple. Now that they protect against this, the pitchforks are out again.

I have two-factor enable and it is completely transparent unless I log into another device for the first time.

Much ado about nothing.
Rating: 7 Votes

[ Read All Comments ]