We talk about the importance of keeping your data secure often on the Mac Security Blog. There are a number of ways to do this, some involving encryption, others involving ensuring that only you have access to your accounts. Some of your most important data is in Apple’s iCloud, and on other services. Data security in the cloud is especially important, because of its distributed nature; after all, anyone who has your credentials can log into your account no matter where they are.
Apple has offer enhanced security for iCloud accounts for some time now: first two-step verification, then more robust two-factor authentication. Apple is now planning to tighten up this security, requiring that third-party apps that access your iCloud data need special authorization from June 15. Read on to find out what you need to do to keep using third-party apps with iCloud.
Who is affected?
Apple recently sent emails to iCloud users who do not have either two-step verificationor two-factor authentication on their iCloud accounts. Apple’s email said:
Beginning on June 15, app-specific passwords will be required to access your iCloud data using third‑party apps such as Microsoft Outlook, Mozilla Thunderbird, or other mail, contacts, and calendar services not provided by Apple.
If you simply use Apple’s apps — Mail, Calendar, or Contacts — then you won’t have to change anything. And if you already use Apple’s two-step verification or two-factor authentication, then nothing will change. But if not, you may need to initiate a complex process to continue accessing your iCloud data from your apps.
To start with, two-factor authentication (2FA) is a powerful way of enhancing the security on your account. We discussed how this works for a number of services, and why you should use it in this article.
Apple’s version of 2FA is a bit different from that of other companies. While many forms of 2FA rely on codes sent by text message or SMS, Apple uses a system that is built into macOS and iOS. You receive codes on trusted devices as alerts, rather than as more portable text messages. This has pros and cons. It is more secure than SMS, but if you don’t have access to any trusted devices, then you may not be able to log into your iCloud account. (Read this article to learn how to set up Apple’s 2FA.)
What should I do?
If you want to continue using third-party apps, and don’t yet have 2FA activated on your iCloud account, you will have to turn this on. Apple’s Two-factor authentication for Apple ID support document explains the process.
When you have activated 2FA, you’ll find that your third-party apps will no longer be able to access your data. Most will tell you that your user name or password is incorrect. You’ll need to create app-specific passwords for each of these apps. These are passwords that the Apple ID website creates that only allow authentication for the apps for which they are created. Apple explains that process here.
What’s the risk?
You’ll have enhanced security with 2FA, but — and this is a big but — you may not be able to go back and turn it off. In the past, this was possible, but Apple now says:
You can’t turn off two-factor authentication for some accounts created in iOS 10.3 or macOS Sierra 10.12.4 and later. If you created your Apple ID in an earlier version of iOS or macOS, you can turn off two-factor authentication.
It’s not clear what this means. This suggests that if you created your Apple ID years ago, under MobileMe or .Mac, then you may be able to revert your account. However, back then, you may not have created your Apple ID “in a version of iOS or MacOS,” but simply on Apple’s website.
If you lose access to your trusted devices, then you could have problems. If you get locked out of your account, Apple says:
If you can’t sign in, reset your password, or receive verification codes, you can request account recovery to regain access to your account. Account recovery is an automatic process designed to get you back in to your account as quickly as possible while denying access to anyone who might be pretending to be you. It might take a few days — or longer — depending on what specific account information you can provide to verify your identity.
“A few days — or longer” seems a bit worrisome. If you’re traveling and lose your iPhone, and need to, say, log into iCloud.com to access email, you may not be able to do so. Make sure you add a trusted phone number for a friend, spouse, or other family member; so, if you need access in such a case, you can contact them. (Of course, you may need to write down their phone numbers. I don’t know about you, but I don’t know any phone numbers by heart expect my own; I just tap my contacts in my iPhone to make calls…)
What are my other options?
You could stop using third-party applications to access your iCloud data. Again, this change seems to only affect email, calendar, reminder, and contacts. Apps that access photos in your iCloud Photo Library on an iPhone or iPad access the photos directly on the device, from the Photos app; they don’t connect to iCloud. The same is the case for music you may have in iCloud Music Library; third-party apps play back music using a database stored on your iOS device, rather than connecting to iCloud to access the music.
It’s possible that this is the first step toward Apple requiring 2FA for all iCloud accounts. This would be cumbersome and problematic for many users. It does provide extra security, but it can be complicated to manage.
In the meantime, if you do use any third party email, calendar, or contact apps, you should turn on 2FA before June 15, so you have time to understand how the system works before the change takes effect.