Apple reminds iCloud users of new app-specific password requirements
Apple on Wednesday sent out emails reminding iCloud users that a new security protocol requiring app-specific passwords for third-party software is scheduled to go live tomorrow.
The reminder, sent to customers who have two-step Apple ID verification activated, notes that third-party services will need app-specific passwords to access iCloud data starting Thursday. Apps not switched over to the new process will be automatically signed out until a unique password is generated.
Apple originally announced the new security feature in September, saying at the time that app-specific passwords would become mandatory starting Oct. 1. No explanation was offered regarding the change in date.
Users running third-party email clients like Outlook and Mozilla Thunderbird, as well as contacts and calendar syncing services, will need to visit the Apple ID website to generate specific passwords for each app instance. As noted by Apple, app-specific passwords will work even if the target app does not support two-factor authentication.
Apple provides the following instructions for users affected by the security change:
To generate an app-specific password:
App-specific passwords have been successfully employed by major Web service providers like Google to lock down apps tying in to accounts that manage sensitive information. The method is more secure than using a single password to link up services like email and social networks as the code can be revoked if a device is stolen or lost, thus protecting the underlying iCloud account.
Apple's system only allows 25 unique passwords, though users can revoke, add and manage app priorities through the Apple ID website.
The reminder, sent to customers who have two-step Apple ID verification activated, notes that third-party services will need app-specific passwords to access iCloud data starting Thursday. Apps not switched over to the new process will be automatically signed out until a unique password is generated.
Apple originally announced the new security feature in September, saying at the time that app-specific passwords would become mandatory starting Oct. 1. No explanation was offered regarding the change in date.
Users running third-party email clients like Outlook and Mozilla Thunderbird, as well as contacts and calendar syncing services, will need to visit the Apple ID website to generate specific passwords for each app instance. As noted by Apple, app-specific passwords will work even if the target app does not support two-factor authentication.
Apple provides the following instructions for users affected by the security change:
To generate an app-specific password:
- Sign in to My Apple ID (https://appleid.apple.com)
- Go to Password & Security
- Click Generate App-Specific Password
App-specific passwords have been successfully employed by major Web service providers like Google to lock down apps tying in to accounts that manage sensitive information. The method is more secure than using a single password to link up services like email and social networks as the code can be revoked if a device is stolen or lost, thus protecting the underlying iCloud account.
Apple's system only allows 25 unique passwords, though users can revoke, add and manage app priorities through the Apple ID website.
Comments
So, I am slightly confused; is two-step authentication mandatory and live tomorrow, or can I opt out? If I choose to opt out, how do I get my email client working again?
And if the new security measure is not live now, and if I haven't already activated it, why is my email client locked out?
I just got my reminder overnight also... problem is that they turned this on 2 days ago!!
I think it´s a good idea to protect iCloud apps but why isn´t Find my iPhone protected? Sure It could be good to leave the part for just finding the iPhone open (for most parts) but why leave the erase function open too? Isn´t that a bit risky if someone should get access to your iCloud?
It´s good to tighten up the security. But why is Find my iPhone left without this extra security feature? Ok, maybe the find part and play sound can be good to keep since you can locate your iPhone this way if you lost track of it. But to be able to erase it as well? That makes me puzzled. Of course you want to be able to erase your iPhone if it´s stolen and that can´t be done if you have to lock up Find my iPhone with your iPhone (of course). BUT, what if someone gets into your iCloud account, then your iPhone can be deleted - isn´t that a security threat?
If you are interested in increasing the security of your iCloud account and cannot use 2-factor authentication, my suggestion would be to change your default iCloud/Apple/iTunes password to something strong. Then use iCloud keychain to fill it in.
Fully agree. One simple question, if I may: how do I find out which app is using my iCloud pw? I went to the Manage AppleID page, and wanted to activate this 2-step authentication but it asks for a label. How can I give it a meaningful label when I don't know which app I used my AppleID with?
TIA