Apple reminds iCloud users of new app-specific password requirements

in iCloud edited October 2014
Apple on Wednesday sent out emails reminding iCloud users that a new security protocol requiring app-specific passwords for third-party software is scheduled to go live tomorrow.

The reminder, sent to customers who have two-step Apple ID verification activated, notes that third-party services will need app-specific passwords to access iCloud data starting Thursday. Apps not switched over to the new process will be automatically signed out until a unique password is generated.

Apple originally announced the new security feature in September, saying at the time that app-specific passwords would become mandatory starting Oct. 1. No explanation was offered regarding the change in date.

Users running third-party email clients like Outlook and Mozilla Thunderbird, as well as contacts and calendar syncing services, will need to visit the Apple ID website to generate specific passwords for each app instance. As noted by Apple, app-specific passwords will work even if the target app does not support two-factor authentication.

Apple provides the following instructions for users affected by the security change:

To generate an app-specific password:

The company also points users in the direction of a Support Pages document that further explains the extra layer of security and how it protects iCloud data.

App-specific passwords have been successfully employed by major Web service providers like Google to lock down apps tying in to accounts that manage sensitive information. The method is more secure than using a single password to link up services like email and social networks as the code can be revoked if a device is stolen or lost, thus protecting the underlying iCloud account.

Apple's system only allows 25 unique passwords, though users can revoke, add and manage app priorities through the Apple ID website.


  • Reply 1 of 8
    kt62 Posts: 1 member
    I do not have two-step verification activated, and therefore cannot generate an application-specific password for Evolution email, which stopped authenticating with iCloud. Generating a password is not even an option when I go to the above mentioned address.

    So, I am slightly confused; is two-step authentication mandatory and live tomorrow, or can I opt out? If I choose to opt out, how do I get my email client working again?

    And if the new security measure is not live now, and if I haven't already activated it, why is my email client locked out?
  • Reply 2 of 8
    solipsismx Posts: 19,566 member
    This is great and I feel like Apple has actually listened to me (even though I'm sure I wasn't the only one requesting this feature), but there is a lot Apple can do to make this easier and better for the customer.
  • Reply 3 of 8

    I just got my reminder overnight also... problem is that they turned this on 2 days ago!!

  • Reply 4 of 8

    I think it's a good idea to protect iCloud apps but why isn't Find my iPhone protected? Sure it could be good to leave the part for just finding the iPhone open (for most parts) but why leave the erase function open too? Isn't that a bit risky if someone should get access to your iCloud?

  • Reply 5 of 8
    Will this apply to the iCloud dashboard? That still allowed login with userID/password last time I upgraded (V4) with no use of 2-factor auth. And given that was allegedly the source of some photo leaks, that would be a good way to tighten the security in a simple way.
  • Reply 6 of 8

    It's good to tighten up the security. But why is Find my iPhone left without this extra security feature? Ok, maybe the find part and play sound can be good to keep since you can locate your iPhone this way if you lost track of it. But to be able to erase it as well? That makes me puzzled. Of course you want to be able to erase your iPhone if it's stolen and that can't be done if you have to lock up Find my iPhone with your iPhone (of course). BUT, what if someone gets into your iCloud account, then your iPhone can be deleted - isn't that a security threat?

  • Reply 7 of 8
    chasm Posts: 1,044 member
    The iCloud web portal continues to use your actual Apple ID and associated password. As made clear in the article, this change of making app-specific passwords for iCloud access applies to, well, apps. Third-party apps. Like, for example, Airmail, which will want access to your iCloud email account.

    If you are interested in increasing the security of your iCloud account and cannot use 2-factor authentication, my suggestion would be to change your default iCloud/Apple/iTunes password to something strong. Then use iCloud keychain to fill it in.
  • Reply 8 of 8
    philboogie Posts: 7,435 member
    solipsismx wrote:
    This is great and I feel like Apple has actually listened to me (even though I'm sure I wasn't the only one requesting this feature), but there is a lot Apple can do to make this easier and better for the customer.

    Fully agree. One simple question, if I may: how do I find out which app is using my iCloud pw? I went to the Manage AppleID page, and wanted to activate this 2-step authentication but it asks for a label. How can I give it a meaningful label when I don't know which app I used my AppleID with?
