App-specific passwords are set to become a mandatory requirement for third-party apps that access iCloud user data, according to an Apple Support email sent out today.
Currently, app-specific passwords are used to allow non-native apps like email clients to sign in to iCloud accounts that are protected by two-factor authentication. The security measure ensures that users can still link up their iCloud account to apps and services not provided by Apple, while also avoiding the need to disclose their Apple ID password to third parties.
However, app-specific passwords will become a basic requirement from June 15, according to Apple. The policy change basically means that users who want to continue using third-party apps with their iCloud account will have to enable two-factor authentication and generate individual passwords for each app.
Beginning on 15 June, app-specific passwords will be required to access your iCloud data using third-party apps such as Microsoft Outlook, Mozilla Thunderbird, or other mail, contacts and calendar services not provided by Apple.
If you are already signed in to a third-party app using your primary Apple ID password, you will be signed out automatically when this change takes effect. You will need to generate an app-specific password and sign in again.
Two-factor authentication ensures that you're the only person who can access your Apple account, even if someone knows your password. To turn it on from any iOS device running iOS 10.3 or later, open the Settings app, tap your name at the top, and then tap Password & Security.
If you're using iOS 10.2 or earlier, you can enable it from Settings -> iCloud -> Apple ID -> Password & Security. If you're on a Mac, go to System Preferences -> iCloud -> Account Details, click Security, and enable two-factor authentication from there.
To generate an app-specific password, sign into your Apple ID account page (https://appleid.apple.com), go to App-Specific Passwords under Security, and click Generate Password.
Top Rated Comments
TouchID is available for apps, but not mandated. It should be mandated and keychain access should be made available for devices that do not have TouchID. That would be truly usable feature and set more space between iOS and Android. I mean if Apple is really serious about user security.
This change won't affect apps which use iCloud Drive, keychain (which is already accessible by devs btw, they just don't implement it) and apps which use the CloudKit framework. CloudKit already assigns app-specific containers to apps, while this change only affects services which want to access iCloud outside of their own space (which makes sense, if you consider the security risks).
A kind suggestion: please enable two-factor authentication, the risks in using a single password nowadays are just too great, whatever platform you use.
I have contacted lots of the developers of the apps I use to add this as a feature request but it just doesn't seem to have priority, despite it seeming easy to implement.
References:
https://9to5mac.com/2014/06/13/ios-8-lets-apps-access-safari-autofill-credentials-for-quick-easy-login/
https://developer.apple.com/reference/security/shared_web_credentials