What app-specific iCloud passwords are and when Apple forces you to use them

in General Discussion edited October 2020
Sometimes, an app wants your iCloud credentials for legitimate reasons, and Apple has app-specific passwords to keep your data safe -- but, there are limits to them that Apple doesn't mention. AppleInsider shows you what they do, plus how and when to use them.

You've got your Apple ID with its username and password which you look after and never tell anyone -- except here's an app asking you to hand them over. It'll be an app that uses your iCloud account for synchronization or similar, so that's anything that you'll use to share documents between devices, for instance. Or, it'll be something that accesses your iCloud password like an email app.

Whatever it is, you'll want to give them this access or the apps simply won't work. But, you also don't want to hand over your details to any company that asks.

Fortunately, there are two measures that give us a balance between functionality and security. The first is two-factor authentication which should be set up on your iPhone. If it isn't, do set it up now.

Setting up two-factor authentication

In Settings on iOS, tap on your own name then choose Password & Security. Tap to switch on Two-Factor Authentication. You'll have to then enter a phone number: it can and typically will be the number of the iPhone you're doing all of this on.

Apple sends you a verification code and you enter that. This tells Apple that the person making the request has the device that he or she is making the request on. So as far as can possibly be determined, it's proving that you are you.

You're done. Now whenever you're doing something on your phone that involves your Apple ID, you'll have to schlep through a process where a code is sent to the device. No code, no access.

Why you need app-specific passwords

You can't get a text message every single time your email app wants to check if you've got anything new in your inbox. So instead, once you have two-factor authentication switched on, you grant certain apps a password of their very own.

You don't choose the password, Apple does. Go to the Apple ID account site at appleid.apple.com and sign in. You'll go through the two-factor authentication to confirm that you are you.

That means when you enter your Apple ID username and password you'll get a notification that someone wants to sign in to your account. The notification says where the person who wants to sign in is currently located -- and this part is rubbish.

It looks like a typical location-aware notification but the location you're shown will typically be a major city near you. It won't be precisely where you are: in this example the location shown is over 100 miles away from where the iPhone actually is.

This does give people a jolt but forget distance and instead concentrate on time. If you get this when you have just tried to sign in to your Apple ID, it's you. The chance someone else is trying your account from 100 miles away at this precise moment is a bit low.

So tap on Allow and then you'll be asked to enter a six-digit that Apple sends to your devices.

Yes, that means the phone you're signing in on gets the number and it's a pain because you have to remember the code and enter it quickly. Read the number, tap Done, type it in fast.

The same authentication request does go to your other devices so it's easier to type the code off your iPad screen.

However you do it, once it's done, you're into your Apple ID page.

Security detail

In the Apple ID account page, tap on Security and then look for the section headed App-Specific Passwords.

Tap on Generate Password. You'll be prompted to enter a name or descriptive text. It doesn't matter what you put here but do make it memorable because it'll help later.

Enter whatever it is and then tap on Create.

It can take a few seconds but then you'll be given a brand new app-specific password. What you can't do easily is copy it: there's no Select All. You need to tap on part of it, wait for the selection to appear and then drag that to include the whole password. Then press-and-hold and from the menu that appears, chooseCopy.

Now you paste that into the app that asked for it. So to be clear, that app is asking for your Apple ID and you are giving it the correct username -- your email address -- but not your real password. You're giving it this new one instead.

Problems and limits

The way you step through this when an app asks you for an app-specific password, it's easy to assume that you have to do it for every app. You don't. If you're adding a new app to both iPhone and iPad, you can use the same app-specific password for both.

There's reason to, as well. While Apple doesn't a limitation until you reach it, there is a limit. You can have a maximum of 25 app-specific passwords.

However, that is "have" and not "create". If you should ever run out of them, you can remove an old one. It's called revoking and once you've revoked a password that app cannot log in again.

To revoke one or all passwords, go back in to the Security section of the Apple ID site. Underneath the App-Specific Password heading and the Generate Password option, there is a small View History.

Choose that and you'll be shown all of your existing app-specific passwords. This is where it's handy to have entered a memorable description: so that you know what each password was for.

Next to each is a grey delete button: tap on one to revoke that single password.

There is also a Revoke All option at the foot of the list.

If you ever change your actual Apple ID password then every app-specific password will be immediately revoked.

This all sounds like a lot of steps to do a simple thing and it is. You would get used to it if you did it a lot but nobody ever will: this is for adding your most important apps and their most important access.


  • Reply 1 of 6
    Sounds more like Apple requires them in certain instances, rather than forces them.
  • Reply 2 of 6
    glynhglynh Posts: 133member
    Not directly related to this but I get my iPhone constantly prompting me for my password in the following format;

    Enter the password for my.email.address

    Now I’m not paranoid but I like to know what exactly is prompting me for my password?

    I have two email addresses registered at Apple (unfortunately for me as there is no way to link accounts) one for iCloud and one for iTunes Store. It is the latter that is showing in the pop-up and is my main email address which is used for almost everything.

    Seems to me Apple could make this much friendlier/secure if it actually told me what exactly required my password as it might be some 3rd Party app (or even malware?) making the request rather than Apple itself?

    I hung out for what seemed ages the last time this happened but gave in in the end as I was fed up of having to continually hit the cancel button...

    I’m holding out again but don’t know how much longer for...
  • Reply 3 of 6
    In general, two-factor authentication is a good thing; it's much easier to deal with in practice than the author makes it out to be.  

    Don't let this article dissuade you, the reader, from trying it.

    Device-specific passwords will become less necessary as more applications and products come to embrace two-factor authentication; for example, setting up GMail in Apple Mail under older versions of OSX required device-specific passwords-- but in El Capitan, the sign-in dialogs now support 2FA directly.  Even some of the built-in apps on that brand-new Mac don't support 2FA yet-- I'm lookin' at YOU, Facetime.
    edited September 2018 caladanian
  • Reply 4 of 6
    I don’t get why the distance thing is so far off. That freaked me out the first time I saw that.
  • Reply 5 of 6
    Apple's implementation of 2FA is by far the clunkiest of any of the platforms that I use it for. Conversely, Google's would have to be the smoothest. I'm an Apple fan, not a fan of google (we use google apps for school), but that's my perspective.
  • Reply 6 of 6
    dewmedewme Posts: 5,141member
    The app-specific password feature is actually very useful for certain scenarios, one of which is almost revealed in the bottom screen shot in this article. This feature allows you to access your 2FA protected iCloud accounts from a non-Apple computer. I use the app-specific password to allow me to access my iCloud email accounts using Thunderbird running on Linux machines. It works perfectly, just use the generated password for the email password credential in Thunderbird and it just works. 

    The kludgiest operation involving 2FA (for me at least) involves accessing 2FA protected iCloud/iTunes accounts from older Apple devices running older version of iOS that do not know how to work with 2FA and never pop up a form to allow you to enter the 6-digit security code sent to your trusted device(s), e.g., your iPhone. In these cases you have to enter your iCloud password with the 6-digit security code appended to it in the password box. For example, if your password is "passweird" and your trusted device is sent the code "987509" you would have to enter the augmented passcode "passweird987509" into the password field on the old iOS version device. Odd, but it actually works if you know about this special trick. The rub with this for me is that the trusted device may be located nowhere near the device that needs the augmented passcode. That and the fact that the device that needs the augmented passcode has no way to tell you why it is failing to accept your regular iCloud/iTunes password. It just doesn't work (IJDW™) without your manual intervention and knowledge about the trick. 
Sign In or Register to comment.