Come October, Apple's iCloud will have yet another layer of protection, as the company is scheduled to implement app-specific passwords for third-party programs tying in to the cloud service.
According to a Support Document posted to Apple's website on Tuesday, the new security feature will be applied to all third-party apps connecting with iCloud, even if the program does not support two-step verification. In conjunction with new two-factor authentication protocols activated on iCloud.com on Tuesday, Apple is showing serious advances in cloud security.
If you use iCloud with any third party apps, such as Microsoft Outlook, Mozilla Thunderbird, or BusyCal, you can generate app-specific passwords that allow you to sign in securely, even if the app you're using doesn't support two-step verification. Using an app-specific password also ensures that your primary Apple ID password isn't collected or stored by any third party apps you might use.
When the system goes live, iCloud users can generate new passwords by visiting the My Apple ID home page, then creating a new code from the Password and Security settings pane. The system is limited to 25 active passwords, though users have the ability to manage which apps get priority through the same setup process.
Apple's app-specific password program is akin to others already in place, including a long-standing system from Google. The method is safer than entering a global password for connecting to services like email and social networks, as the code can easily be revoked if a device is stolen or lost, thus protecting the underlying iCloud account. Additionally, many apps don't support two-step authentication, and issuing an app-specific code is one way of getting around the problem.
The iCloud security feature will roll out on Oct. 1, on which day third-party apps connecting with the service will be required to sign in using a specific assigned password.
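The scheme described above (one generated secret per app, a cap of 25, and revocation of a single app without touching the primary password) can be modelled in a few lines. This is an added example, not Apple's implementation or code from the article: the class name, token format, app labels and storage scheme are assumptions; only the 25-password limit and per-app revocation come from the article.

```python
import hashlib
import hmac
import secrets

MAX_ACTIVE = 25  # limit stated in the article


class AppPasswordStore:
    """Toy per-account store of app-specific passwords (assumed design)."""

    def __init__(self):
        self._active = {}  # app label -> (salt, digest); plaintext is never kept

    @staticmethod
    def _digest(salt, password):
        # Generated secrets carry 128 bits of entropy, so a salted SHA-256 is
        # adequate here; human-chosen passwords would need a slow KDF instead.
        return hashlib.sha256(salt + password.encode()).digest()

    def generate(self, label):
        """Create a secret for one app and return it exactly once."""
        if label in self._active:
            raise ValueError(f"{label!r} already has an active password")
        if len(self._active) >= MAX_ACTIVE:
            raise RuntimeError("limit of 25 active app-specific passwords reached")
        password = secrets.token_urlsafe(16)  # constructed format, not Apple's
        salt = secrets.token_bytes(16)
        self._active[label] = (salt, self._digest(salt, password))
        return password

    def verify(self, password):
        """Return the label of the app this secret belongs to, or None."""
        match = None
        for label, (salt, digest) in self._active.items():
            if hmac.compare_digest(digest, self._digest(salt, password)):
                match = label
        return match

    def revoke(self, label):
        """Invalidate one app's secret; every other app keeps working."""
        return self._active.pop(label, None) is not None


def demo():
    store = AppPasswordStore()
    mail_pw = store.generate("Thunderbird on stolen laptop")  # constructed labels
    cal_pw = store.generate("BusyCal")
    store.revoke("Thunderbird on stolen laptop")
    return store.verify(mail_pw), store.verify(cal_pw)
```

Because the primary password never enters this store, a leak at one third-party app exposes only a secret that can be revoked on its own.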
17 Comments
I'm a little unclear on what this implies.... All I care about is can I use Touch ID to skip having to enter the damn thing.
[quote name="pmz" url="/t/182325/apple-to-introduce-app-specific-passwords-for-icloud-connected-titles#post_2600131"]I'm a little unclear on what this implies.... All I care about is can I use Touch ID to skip having to enter the damn thing.[/quote] It's not very clear from reading the article but I would assume if it's used for iCloud features such as Mail & calendar (based on the 3rd party apps listed in the article) that once you have entered the password into the app you won't need to re-enter it every time you open the App. At least I hope that's the case. TouchID would be one way of addressing the issue but I'm not sure I would want to touch the home button every time I open a 3rd party email or calendar app. I'm all for improvements to security but there has to be a balance between security and usability... No point having my calendar so secure that I don't want to go to the effort of using it.
[quote name="pmz" url="/t/182325/apple-to-introduce-app-specific-passwords-for-icloud-connected-titles#post_2600131"]I'm a little unclear on what this implies...[/quote] [quote name="Lolliver" url="/t/182325/apple-to-introduce-app-specific-passwords-for-icloud-connected-titles#post_2600139"]It's not very clear from reading the article....[/quote] What this sounds like is exactly what I've been wanting Apple to do with iCloud for a while now. Google already does this for Gmail. Essentially it works like Apple Pay insofar as you don't use your actual password when you let these 3rd-party companies gain access to your iCloud account, but rather use a representational password. This is generated by Apple's iCloud servers and typically gets used with your actual username/email and the generated password it creates per app and/or per device.
Scenario 1 - Part 1: You install SuperDuperMailbox, a 3rd-party app. You hear it's good but you don't know anything about the company. You use iCloud for email but you don't really want to give them access to your iCloud username and password, but you have to if you want to set up mail through their app. This is where the representational password comes into play. This gets associated with the 3rd-party app and/or device so they can only access your iCloud mail for you. Sure, still a security risk, but they won't be able to use that representational password to log into iCloud.com to grab your contacts, calendar, backups, wipe your phone, whatever.
Scenario 1 - Part 2: Now I know SuperDuperMailbox is on the up-and-up — well, they are nice guys — but their servers get hacked and they foolishly stored your password and username which the hacker was able to find the encryption key for. With the representational password they can't access anything because it's tied to that app and/or device.
That's how I read it, but then again I've been begging for this and have submitted the request to Apple while using Gmail as an example of doing it right so I may be seeing this article through rose coloured glasses.
solipsismx: Congrats! You have it exactly right. Good job explaining it.
Replace passwords with Touch ID. Done. 83% of iPhone 5s owners using Touch ID is not enough. With Apple Pay coming Apple needs to be more aggressive on Touch ID awareness. 5c owners and older will have to deal with passwords but will feel the need to upgrade even more so.