Apple to introduce app-specific passwords for iCloud-connected titles

Posted:
in iCloud edited September 2014
Come October, Apple's iCloud will have yet another layer of protection, as the company is scheduled to implement app-specific passwords for third-party programs tying in to the cloud service.




According to a Support Document posted to Apple's website on Tuesday, the new security feature will be employed to all third-party apps connecting with iCloud even if that program does not support two-step verification. In conjunction with new two-factor authentication protocols activated on iCloud.com on Tuesday, Apple is showing serious advances in cloud security.
If you use iCloud with any third party apps, such as Microsoft Outlook, Mozilla Thunderbird, or BusyCal, you can generate app-specific passwords that allow you to sign in securely, even if the app you're using doesn't support two-step verification. Using an app-specific password also ensures that your primary Apple ID password isn't collected or stored by any third party apps you might use.
When the system goes live, iCloud users can generate new passwords by visiting the My Apple ID home page, then create a new code from the Password and Security settings pane. The system is limited to 25 active passwords, though users have the ability to manage which apps get priority through the same setup process.

Apple's app-specific password program is akin to others already in place, including a long-standing system from Google. The method is safer than entering in a global password for connecting to services like email and social networks as the code can easily be revoked if a device is stolen of lost, thus protecting the underlying iCloud account. Additionally, many apps don't support two-step authentication and issuing an app-specific code is one way of getting around the problem.

The iCloud security feature will roll out on Oct. 1, on which day third-party apps connecting with the service will be required to sign in using a specific assigned password.

Comments

  • Reply 1 of 17
    pmzpmz Posts: 3,433member
    I'm a little unclear on what this implies....

    All I care about is can I use Touch ID to skip having to enter the damn thing.
  • Reply 2 of 17
    pmz wrote: »
    I'm a little unclear on what this implies....

    All I care about is can I use Touch ID to skip having to enter the damn thing.

    It's not very clear from reading the article but I would assume if it's used for iCloud features such as Mail & calendar (based on the 3rd party apps listed in the article) that once you have entered the password into the app you won't need to re-enter it every time you open the App. At least I hope that's the case. TouchID would be one way of addressing the issue but I'm not sure I would want to touch the home button every time I open a 3rd party email or calendar app.

    I'm all for improvements to security but there has to be a balance between security and usability... No point having my calendar so secure that I don't want to go to the effort of using it.
  • Reply 3 of 17
    pmz wrote: »
    I'm a little unclear on what this implies...
    lolliver wrote: »
    It's not very clear from reading the article....

    What this sounds like is exactly what I've wanting Apple to do with iCloud for awhile now. Google already does this for Gmail.

    Essentially it works like ?Pay insofar as you don't use your actual password when you let these 3rd-party companies gain access to your iCloud account, but rather use a representational password. This is generated by Apple's iCloud servers and is typically gets used with your actual username/email and the generated password it creates per app and/or per device.

    Scenario 1 - Part 1: You install SuperDuperMailbox, a 3rd-party app. You hear it's good but you don't know anything about the company. You use iCloud for email but you don't really want to give them access to your iCloud username and password, but you have to if you want to set up mail through their app. This is where the representational password comes into play. This gets associated with the 3rd-party app and/or device so they can only access your iCloud mail for you. Sure, still a security risk, but they won't be able to use that representational password to log into iCloud.com to grab your contacts, calendar, backups, wipe your phone, whatever.

    Scenario 1 - Part 2: Now I know SuperDuperMailbox is on the up-and-up — well, they are nice guys — but their servers get hacked and they foolishly stored your password and username which the hacker was able to find the encryption key for. With the representational password they can't access anything because it's tied to that app and/or device.

    That's how I read it, but then again I've been begging for this and have submitted the request to Apple while using Gmail as an example of doing it right so I may be seeing this article through rose coloured glasses.
  • Reply 4 of 17
    chasmchasm Posts: 3,610member
    solipsismx: Congrats! You have it exactly right. Good job explaining it.
  • Reply 5 of 17
    calicali Posts: 3,494member
    Replace passwords with Touch ID. Done.

    %83 of iPhone 5s owners using Touch ID is not enough. With ?Pay coming Apple needs to be more aggressive on touch ID awareness.

    5c owners and older will have to deal with passwords but will feel the need to upgrade even more so.
  • Reply 6 of 17
    cali wrote: »
    Replace passwords with Touch ID. Done..

    And your Mac? And other iPhones that can access iCloud? The iPod Touches and iPads? Any potential web-based apps that you can access via their webpage but also have an app so data is synced via iCloud Drive?

    Touch ID is a nice option for making it quick and convenient but it still needs this representational password to help stave off potential risks.
  • Reply 7 of 17
    Originally Posted by pmz View Post

    All I care about is can I use Touch ID to skip having to enter the damn thing.

     

    I find it odd that Safari in OS X saves and autofills passwords for websites so beautifully but does NOT save or autofill iCloud.com...

  • Reply 8 of 17
    john.bjohn.b Posts: 2,742member
    Quote:

    Originally Posted by SolipsismX View Post

     
    Quote:

    Originally Posted by cali View Post



    Replace passwords with Touch ID. Done..




    And your Mac? And other iPhones that can access iCloud? The iPod Touches and iPads? Any potential web-based apps that you can access via their webpage but also have an app so data is synced via iCloud Drive?



    Touch ID is a nice option for making it quick and convenient but it still needs this representational password to help stave off potential risks.

     

    If the new iPads to be announced in October don't get Touch ID, someone in Cupertino should get their walking papers.  Maybe several someones.

  • Reply 9 of 17
    john.b wrote: »
    If the new iPads to be announced in October don't get Touch ID, someone in Cupertino should get their walking papers.  Maybe several someones.

    How delightful. But you're not in Apple's management, so you don't get to set arbitrary deadlines.
  • Reply 10 of 17
    Quote:

    Originally Posted by Suddenly Newton View Post





    How delightful. But you're not in Apple's management, so you don't get to set arbitrary deadlines.

    He gets to set whatever he wants. Then the rest of the world gets to ignore them :D

  • Reply 11 of 17

    I'd be shocked if they dont have Touch ID on all new iPad models this autumn. 

     

    (And of course it's entirely probably they will continue to sell older iPad models and they will be without though)

     

    I wouldn't even be that surprised if the next iPod Touch has it. (though quite when they will be, what size etc, and indeed whether economically feasible  makes me less certain.)

  • Reply 12 of 17
    cali wrote: »
    Replace passwords with Touch ID. Done.
    You forget that iCloud is accessible from both Macs and PCs running Windows.
  • Reply 13 of 17
    chabig wrote: »
    You forget that iCloud is accessible from both Macs and PCs running Windows.

    It also doesn't resolve the actual issue of passwords being sent from a device to some third-party website. It only adds a convenience and local secure enclave aspect to the routine.
  • Reply 14 of 17
    solipsismx wrote: »
    It also doesn't resolve the actual issue of passwords being sent from a device to some third-party website. It only adds a convenience and local secure enclave aspect to the routine.

    Is there a way to send verification i.e. TouchID from an iOS device via Continuity to a web page or login?
  • Reply 15 of 17
    Quote:
    Originally Posted by SolipsismX View Post







    What this sounds like is exactly what I've wanting Apple to do with iCloud for awhile now. Google already does this for Gmail.



    Essentially it works like ?Pay insofar as you don't use your actual password when you let these 3rd-party companies gain access to your iCloud account, but rather use a representational password. This is generated by Apple's iCloud servers and is typically gets used with your actual username/email and the generated password it creates per app and/or per device.



    Scenario 1 - Part 1: You install SuperDuperMailbox, a 3rd-party app. You hear it's good but you don't know anything about the company. You use iCloud for email but you don't really want to give them access to your iCloud username and password, but you have to if you want to set up mail through their app. This is where the representational password comes into play. This gets associated with the 3rd-party app and/or device so they can only access your iCloud mail for you. Sure, still a security risk, but they won't be able to use that representational password to log into iCloud.com to grab your contacts, calendar, backups, wipe your phone, whatever.



    Scenario 1 - Part 2: Now I know SuperDuperMailbox is on the up-and-up — well, they are nice guys — but their servers get hacked and they foolishly stored your password and username which the hacker was able to find the encryption key for. With the representational password they can't access anything because it's tied to that app and/or device.



    That's how I read it, but then again I've been begging for this and have submitted the request to Apple while using Gmail as an example of doing it right so I may be seeing this article through rose coloured glasses.

    And in either of those scenarios, not only do you limit what the third party can access but you can revoke their access completely at any time.

  • Reply 16 of 17
    anomeanome Posts: 1,545member
    Dagnabbit, wrong thread.
  • Reply 17 of 17
    d4njvrzf wrote: »
    And in either of those scenarios, not only do you limit what the third party can access but you can revoke their access completely at any time.

    Adding to your second point, it also makes it easy if a third-party server is hacked as you don't have to change iCloud password, you can just revoked that representational password and then instantly create a new one.
Sign In or Register to comment.