Sometimes, an app wants your iCloud credentials for legitimate reasons, and Apple has app-specific passwords to keep your data safe — but, there are limits to them that Apple doesn't mention. AppleInsider shows you what they do, plus how and when to use them.
You've got your Apple ID with its username and password which you look after and never tell anyone — except here's an app asking you to hand them over. It'll be an app that uses your iCloud account for synchronization or similar, so that's anything that you'll use to share documents between devices, for instance. Or, it'll be something that accesses your iCloud password like an email app.
Whatever it is, you'll want to give them this access or the apps simply won't work. But, you also don't want to hand over your details to any company that asks.
Fortunately, there are two measures that give us a balance between functionality and security. The first is two-factor authentication which should be set up on your iPhone. If it isn't, do set it up now.
Setting up two-factor authentication
In Settings on iOS, tap on your own name then choose Password & Security. Tap to switch on Two-Factor Authentication. You'll have to then enter a phone number: it can and typically will be the number of the iPhone you're doing all of this on.
Apple sends you a verification code and you enter that. This tells Apple that the person making the request has the device that he or she is making the request on. So as far as can possibly be determined, it's proving that you are you.
You're done. Now whenever you're doing something on your phone that involves your Apple ID, you'll have to schlep through a process where a code is sent to the device. No code, no access.
Why you need app-specific passwords
You can't get a text message every single time your email app wants to check if you've got anything new in your inbox. So instead, once you have two-factor authentication switched on, you grant certain apps a password of their very own.
You don't choose the password, Apple does. Go to the Apple ID account site at appleid.apple.com and sign in. You'll go through the two-factor authentication to confirm that you are you.
That means when you enter your Apple ID username and password you'll get a notification that someone wants to sign in to your account. The notification says where the person who wants to sign in is currently located — and this part is rubbish.
It looks like a typical location-aware notification but the location you're shown will typically be a major city near you. It won't be precisely where you are: in this example the location shown is over 100 miles away from where the iPhone actually is.
This does give people a jolt but forget distance and instead concentrate on time. If you get this when you have just tried to sign in to your Apple ID, it's you. The chance someone else is trying your account from 100 miles away at this precise moment is a bit low.
So tap on Allow and then you'll be asked to enter a six-digit that Apple sends to your devices.
Yes, that means the phone you're signing in on gets the number and it's a pain because you have to remember the code and enter it quickly. Read the number, tap Done, type it in fast.
The same authentication request does go to your other devices so it's easier to type the code off your iPad screen.
However you do it, once it's done, you're into your Apple ID page.
In the Apple ID account page, tap on Security and then look for the section headed App-Specific Passwords.
Tap on Generate Password. You'll be prompted to enter a name or descriptive text. It doesn't matter what you put here but do make it memorable because it'll help later.
Enter whatever it is and then tap on Create.
It can take a few seconds but then you'll be given a brand new app-specific password. What you can't do easily is copy it: there's no Select All. You need to tap on part of it, wait for the selection to appear and then drag that to include the whole password. Then press-and-hold and from the menu that appears, chooseCopy.
Now you paste that into the app that asked for it. So to be clear, that app is asking for your Apple ID and you are giving it the correct username — your email address — but not your real password. You're giving it this new one instead.
Problems and limits
The way you step through this when an app asks you for an app-specific password, it's easy to assume that you have to do it for every app. You don't. If you're adding a new app to both iPhone and iPad, you can use the same app-specific password for both.
There's reason to, as well. While Apple doesn't a limitation until you reach it, there is a limit. You can have a maximum of 25 app-specific passwords.
However, that is "have" and not "create". If you should ever run out of them, you can remove an old one. It's called revoking and once you've revoked a password that app cannot log in again.
To revoke one or all passwords, go back in to the Security section of the Apple ID site. Underneath the App-Specific Password heading and the Generate Password option, there is a small View History.
Choose that and you'll be shown all of your existing app-specific passwords. This is where it's handy to have entered a memorable description: so that you know what each password was for.
Next to each is a grey delete button: tap on one to revoke that single password.
There is also a Revoke All option at the foot of the list.
If you ever change your actual Apple ID password then every app-specific password will be immediately revoked.
This all sounds like a lot of steps to do a simple thing and it is. You would get used to it if you did it a lot but nobody ever will: this is for adding your most important apps and their most important access.