In its ongoing efforts to ensure strong security for customers, Apple will require the use of app-specific passwords from June 15th. This affects you if you use a third-party app that logs in with an iCloud email and password (Outlook, Thunderbird, etc) to access contacts, calendar and mail messages.
If you don’t migrate to app-specific passwords by the June 15 deadline, then those apps will stop working. Luckily, it’s easy to fix: read on for step-by-step instructions on how to make app-specific passwords for your Apple ID.
Apple announced the policy change in an email sent to iCloud users today. If you do not use third-party mail, contacts or calendar apps with your iCloud account, then you are not affected at all and can simply ignore the steps. Apps from the App Store that integrate with iCloud via Apple APIs also do not need app-specific passwords to be created as you never type a password into them directly.
App-specific passwords hide your real account credentials from the third-party service, increasing security by only giving out scrambled random passwords to non-Apple servers. These individual passwords can be revoked at any time and are independent of your primary iCloud login details.
To use app-specific passwords, you must first enable two-factor authentication for your Apple ID if you haven’t already. With iOS 10.3 and later, two-factor authentication is set up by default for new Apple ID accounts so new users should have this done. (iOS 10.3 also prominently prompts existing user accounts to upgrade.)
With two factor authentication enabled, you can now make an app-specific password:
- Log in to the Apple ID page with your usual iCloud email address and password.
- Scroll down to the ‘Security’ area and click ‘Generate Password’ beneath the App-Specific Password heading.
- Give the password a name in the label popup (so you know what service you used it with later).
- The password will now be shown; it will be a string of 16 random characters. Copy this down.
- Open your third-party app and log out with your existing iCloud details. Then, log in again using the same email and the new app-specific password you copied from the previous step.
That’s it. You can repeat the process for each app that you have connected to iCloud, creating a new app-specific password for each third-party app. If you change your primary Apple ID password, all app-specific passwords will be revoked automatically and the apps will obviously stop working. Create new app-specific passwords (via the same five steps above) if you want to log in to a third-party service again after changing your primary Apple ID iCloud password.
Apple lets you have up to 25 app-specific passwords at once. At any time, you can go back into the Apple ID Security panel, click ‘Edit’ and then ‘View History’ to manage your app-specific passwords. You can revoke a specific password (identified by the label you picked when you created them) or remove them all and start over.
Once again, if you only use Apple apps to access iCloud data, this doesn’t affect you. It only applies to people using third-party apps to read iCloud mail, calendar events and contacts — like Microsoft Outlook. These changes offer additional safeguards to make your Apple account even more secure.