Apple’s new iCloud security requirements: How it affects you and the software you use – Macworld

If you use iCloud for email, calendar events, or contacts with any apps other than those made by Apple, and you haven’t upgraded the security on your account to use two-factor authentication (2FA), syncing and other interaction will fail starting June 15. That’s when Apple imposes a new security requirement that requires unique passwords for all third-party software that works with iCloud accounts. That includes apps like BusyContacts, Fantastical, and Thunderbird, to name a few of hundreds, as well as online services that sync with iCloud or retrieve email.

I mentioned this in an article last week. Apple’s two-factor authentication is problematic, and as Glenn Fleishman points out at Macworld, it’s not that secure. In fact, it’s probably less secure, at least as far as third-party apps are concerned.

Glenn mentions that John Chaffee of BusyMac, developer of BusyCal and BusyContacts, “has been trying to get attention for this problem for some time.” Chaffee says, “My guess is that 99 percent of users have no clue about app-specific passwords and Apple does very little to help them figure it out. The vast majority of our tech support requests are from users who are unable to connect to iCloud and have no idea why.”

Indeed. Users of third-party apps will be flummoxed, and many will blindly go turn on two-factor authentication and encounter problems that will lock them out of their iCloud accounts if they do anything slightly wrong. But beyond that, I think that many people will stop using third-party apps; I’m thinking of doing so. Even though I think that Apple’s Calendar is inferior to the many third-party calendar apps for macOS and iOS, I’m not prepared to again enter the two-factor labyrinth, which was such a disaster the first time I tried it.

And Apple points out that, this time, if you turn on two-factor authentication, you cannot turn it off. I think this is going to be a disaster for many users, and for developers of third-party apps that need access to iCloud data.

Source: Apple’s new iCloud security requirements: How it affects you and the software you use | Macworld

36 thoughts on “Apple’s new iCloud security requirements: How it affects you and the software you use – Macworld”

  1. Due to bleeding data and the overwhelming cybercrime element, I don’t use the cloud, any cloud, no matter who they are. Two of the cloud services have already been compromised — why would you want to make it so easy for the cybercrime industry by giving them all the data in one place? How many users are using the cloud? It’s a criminal’s dream come true. Read “Future Crimes”

    So no cloud for me. Period.
    Y’all have fun.

  3. Unless I’m misunderstanding something, won’t many 3rd-party calendar apps on iOS continue to work? I use Calvetica, and I’ve never entered my iCloud username/password. It simply accesses the system calendars (which in the background are syncing with iCloud, but via my iCloud login in Settings). So presumably apps accessing all calendars and contacts set up on the system should be fine?

    • No, you will need to turn on two-factor authentication and get app-specific passwords for those apps to continue to work. I find this surprising, since your iOS device authenticates you with Apple, so I don’t see any advantage to having an extra password for third-party apps. This is different on the Mac, where apps can connect to anything.

      • I think jzw95 is referring to the access of system data through the iOS Calendar and reminders.

        For that access, iOS asks for an approval and then provides access to all related data that is already syncing to the iOS calendars and reminders apps, including both Exchange and iCloud accounts.

        I don’t think that mechanism (or the similar mechanism for Contacts, Photos, and Health data) will be changing.

        • You will need 2FA and app-specific passwords for any third-party apps that access iCloud data of this kind (though it’s not clear whether this will affect apps that store data in iCloud Drive). jzw95 specifically mentions a third party calendar app, and that will soon require 2FA and an app-specific password.

          As I said in my article of last week, this doesn’t make sense, since iOS has already authenticated you for your iCloud account (unlike on macOS, where you can access something in iCloud from a third-party account without being authenticated at the system level).

          • I don’t buy it.

            Do you have a link to Apple’s documentation about this?

            Also, how about the reminders and calendars information that resides locally on the device?

            Right now there is (essentially) no differentiation when using the EventKit Framework.

            Are you saying that the EventKit Framework will cease to exist, or it will only return local information, or that the prompt for approval will now require the user enter an app-specific password?

            Will that also be the case for photos, Contacts, and Health data and the respective frameworks for accessing those?

            • Apple doesn’t seem to have documentation about this change yet, but you can see the text of the email they sent in this article:

              http://www.kirkville.com/apple-makes-step-toward-requiring-two-factor-authentication-for-icloud/

              This suggests that local information won’t require an app-specific password; only access to iCloud data. Photos aren’t accessed directly from iCloud (I don’t think); they’re accessed from the Photos app. Same for health data.

              When I turned on 2FA (and had a massive fail), my third-party apps told me that they couldn’t log in; they said nothing about app-specific passwords. Since those dialogs come from the apps, I assume that users won’t know exactly why they can’t log in.

  5. I agree 2FA and the use of app-specific passwords will confuse a lot of Apple users. As you point out, Apple’s design of this feature is less than optimal. IMHO there are a couple ancillary issues as well. First, the iCloud nomenclature itself is confusing. Re 2FA, is iCloud Photo Library part of iCloud? Is iCloud Drive part of iCloud? Apple’s use of the iCloud name for various services is confusing. Second, compared to Dropbox and other cloud services, I find iCloud non-intuitive. I know that iCloud is an architecturally different product than its Dropbox-esque competitors, but Apple’s strategy of hiding all complexity from the user sometimes creates a “black box” environment that no one fully understands.

    • All iCloud services work with the same 2FA system. But some of them – iCloud Photo Library, iCloud Drive, etc. – are authenticated when you sign into a device. You’ll only need the app-specific passwords for third-party apps.

  7. For my part, I was able to alleviate virtually all support requests by including information and a link to Apple’s app-specific password information page in the error message when the user’s login to their iCloud email account fails.

    I have no idea what the abandonment rate is at that point, but I don’t think this will be a huge burden on developers (especially since we’re already dealing with it).

    That said, the entire thing doesn’t make much sense, since the user has *already* provided the app with their password by the time they are informed about the app-specific password.

    It would be nice if Apple provided developers with an API for the 2fa code instead of this app-specific password stuff.

    In either case, though, and as Google found out 2 weeks ago, once you’ve provided an app with access to your emails and other data, it doesn’t really matter if they have your password.

    What Apple *should* do to protect users, is a better job of vetting apps. If that means the review process takes a lot longer, then so be it.

    • No, the user doesn’t give the app a password. The app uses the iOS account info, or, on macOS, the accounts set up in System Preferences. (For iCloud accounts; not for other accounts.) But that’s even dumber: if the user is authenticated on iOS for their iCloud account, I don’t understand what adding an app-specific password does to protect security. It just adds another layer of complication.

      I said in another article that this is different for macOS, but looking at the way my calendar app works, it’s not that different. You still need to authenticate your iCloud account with the OS; the app gets the authentication from that. I think the main difference is the level of protection of the OS itself. It’s a lot harder to break into an iPhone than it is to change the admin password of a Mac.

      In any case, I think this is just the first step toward imposing 2FA for all iCloud accounts.

      • For email apps, the user supplies the user name and password to their iCloud email account.

        AFAIK, there is no other way to access iCloud emails, regardless of whether you’ve already entered the account into iOS.

        As you point out in our other thread, health data and photos are accessed through the local apps and not directly.

        Reminders and Calendars, however, offer both options. The app jzw95 uses uses the EventKit framework and won’t be affected by this new policy.

        Other apps (especially macOS apps) access calendar and reminders data directly, and those apps will be affected.

        • Okay, looks like you’re right about email. I just downloaded an email client, and it did ask for a password. I don’t recall that in the past.

          However, I know that calendars don’t ask for that. And according to what Apple said, you will still need an app-specific password for calendar apps like that. When I tried 2FA last year, I immediately got password requests for Fantastical on both my iPhone and Mac.

          • Hmmm.

            I use Fantastical and 2fa, but I realized that I’ve had iCloud Calendars and Reminders disabled.

            I’ve enabled them on my Device, but I am still unable to reproduce this issue as you describe it.

            I even deleted and reinstalled Fantastical. At first startup it asks for permissions for my contacts, Calendars, Reminders, … After I gave it permission I can see all of my iCloud Calendars. I never entered a password or an access code. It is using the mechanism I had previously described where it goes through the iOS apps.

            I then tried with BusyCal. It asks for permissions for contacts and locations but not for Calendars and Reminders.

            I then tapped add-account and chose iCloud. I then typed my password into the BusyCal screens (I think). After submitting that information it popped up some Apple screens (I think) where I needed to enter the information again. This failed because I did not set up an app-specific password. I think they are using the CloudKit mechanism for directly connecting to iCloud, which, as I previously noted, will be affected by 2fa.

            BTW, you might pass on to them a suggestion that they use a more descriptive error message if they want to reduce their support requests on this.

            You can download (for free) my email app for an example:

            https://appstore.com/preside

  9. Comments only thread to 5 comments, so starting a new thread.

    When I tried out 2FA last October, I was using Fantastical on iOS, and BusyCal on my Mac. Both gave me password prompts after 2FA was enabled, and I had to generate app-specific passwords for both of them.

    It’s interesting that you can see your calendars with Fantastical, because according to what Apple says, you already need an app-specific password if you’re using 2FA.

    I certainly agree about the error message. But can an app know that it’s not just a bad user name and password combination? Or should the error message give info about both possibilities (simple error and 2FA)?
