App-specific passwords confusion

A very useful summary enteq. Entered a new password on the iMac, thanks to your explanation. It worked. Then the iPad required the password to be be copied down then entered manually into the iOS device, as it refused to recognise any paste attempt. Password not easily found on keychain! There are 7 password related entries generated around this simple event, some of which are seemingly empty, or have any date inaccessible. Weirdly unfriendly to users.

I completely agree with the whole two step verification and app generating passwords feature being confusing. I also like to add that, because it is confusing and not clear to the user, it becomes an annoying feature. This means that it is not secure anymore. I seriously hope that Apple understands that people are the weakest link in the security chain. So, make it as clear as possible to the user what they need to do and for what. Help the people in making it more secure, not by bothering them with messages that they have to interpet them selfs. That always leeds to errors.

Yes...I have exactly the same issue happening on my 27" iMac on 10.10.4

Folks...go to apple.com/feedback and let them know that this is really bad for the end user.

This is really just commiseration, not a solution - apologies!

Perhaps I am missing something, but what exactly is the point of enabling 2FA and then generating "1FA" passwords to access the services?

The whole point should be that each device gets a device and user specific, cryptographically strong access key when the user first authenticates the service using 2FA and then the device does not require another user authentication, unless the user wants to type in the password + key code each time they use Mail or iMessage or Facetime.

Having "app-specific passwords" is exactly the same as having passwords. All passwords are "app" or rather, service specific, if I choose to set different passwords... This is fundamentally wrong, i.e., the design itself is wrong. It is basically password authentication made a lot harder for the users.

Regards,

Tamas

PS. It was suggested to write to feedback - but that is not public. I have serious doubts that any of my previous feedbacks were ever read or thought about... Of course, being just a user, makes those unimportant, so I know my place! :-) That is why I would rather let the public see.

This is a potential solution:

If OS X is asking for Messages and Facetime passwords and then tells you that you need to create an app-specific password, the following may help:

1. Completely delete the iCloud account from the computer.
   I am not using Photo or iCloud drive and this may have severe implications there, so be careful...
2. Restart
3. Add the iCloud account back to the computer.
   At this time, 2FA is executed and apparently those access keys are also properly generated.

Hope this helps...

Tamas

enteq wrote:

Hoping For a Better Apple wrote:

Perhaps I am missing something, but what exactly is the point of enabling 2FA and then generating "1FA" passwords to access the services?

If I understand correctly, the point is that a user's primary password is chosen by them, and users cannot be trusted to choose strong passwords (very few people use credential manager apps that generate passwords for them), so 2FA mitigates against the weakness of the user's self-chosen password by requiring a second factor.

App-specific passwords are not chosen by users; they are machine-generated hence much stronger, and they don't need to be remembered, stored or written down by the user - so arguably they don't require the same mitigations.

Additionally, app-specific passwords are used in scenarios where they are cached by one piece of software to talk to another piece of software (e.g. an app talking to a back-end service), and they're subsequently used without human interaction, so a second factor could not be supplied anyway without degrading the user experience.

I agree that weak and guessable passwords are one reason why 2FA helps, but there are different and prevalent threats that are also addressed, including keyloggers and losing the devices. As I have always been using strong passwords in the past, I welcomed the 2FA solution, as it would have solved for these two threats as well.

The whole point should be that each device gets a device and user specific, cryptographically strong access key when the user first authenticates the service using 2FA and then the device does not require another user authentication, unless the user wants to type in the password + key code each time they use Mail or iMessage or Facetime.

... yes, but thats kinda what app-specific passwords are anyway, aren't they?

The only difference is that app-specific passwords are used in scenarios where - for whatever reason - the back-end service only works with 1FA. That might be because the app and the service are owned by a different companies (e.g. the iOS Mail app talking to the Google Mail service), or the service uses a protocol that only supports 1FA (e.g. HTTP Basic Auth), or it's a legacy service that was just written like that.

Since the service expects a password, the user needs to perform the one-off step of 2FA authenticating to a service which generates the app-specific password, and then copy-and-paste that into the app in question, which will subsequently cache it. It must be a one-off step because the app-specific password is not human-memorable, and if I understand correctly the user is not meant to write it down, store it, or otherwise handle it again.

I would not agree that app-specific passwords are equivalent to device and service specific ones. In fact, I have tested that app-specific passwords are not app-specfic (Thunderbird, Outlook 2016, multiple machines), they cannot really be, as the servers cannot really test if it is that app which uses them, nor whether it is that machine. In fact, your solution actually confirms that, too.

I agree with you that with a modern app, especially if the app and service are written by the same company (e.g. FaceTime app talking to FaceTime service), it should generate the credential automatically so that it's totally transparent to the user. Nothing should need to be copied-and-pasted. Most apps using iCloud already work like this I think. I guess iMessage and FaceTime will get there one day...?

[...]

This is a potential solution

But I already found a solution - see the end of my first post. I don't see why your solution improves on that.

This thread was really just a rant at how bad the user experience was.

Several points:

Firstly, I was ranting too! :-) In fact, I was and still am agreeing with the frustration!

Secondly, the difference, which I consider significant, is that with my "solution" there are no app-specific passwords. Facetime and iMessage "have already got there" - this whole requirement for app-specific passwords is not a problem with the apps, but the outcome of a botched transition from 1FA to 2FA. Sorry for not highlighting this.

After the removal and re-addition of the complete iCloud account on iPhones and Macs, the apps no longer require an app-specific password.

Whilst I agree that the generated passwords are strong, I don't want those to be stored anywhere, I much prefer the machine specific keys that enable revocation by machine and device, rather than the password that may be used in many places. Also, with the app-specific passwords, if those are lost or successfully stolen, one would only get an e-mail after a new device starts to use it - by which time it is too late, the data would have been copied. With 2FA, an explicit authorisation is required when new devices are added and by avoiding the app-specific passwords altogether, unauthorised access is prevented, not just identified after the fact.

Going back to the first point - the user experience is still terrible... Why is this not explained in the Apple help...? And removing and re-adding accounts on several devices? Seriously... At least once done, they are up to date and good to go until the next botched security model change!

Yes, agreed!

Now I have to go back trying to repair Mail: since the new OS X update, which moved email accounts onto Keychain (without asking), Mail lost all mail and tries to add accounts when started as if there were none - even though the accounts are there in System Preferences > Internet Accounts. Oh dear.

Perhaps I should just switch to Thunderbird... And app-specific passwords... ;-)

The entire thing is a complete B0lls up! I'm a pretty savvy computer user and understand what this is. Simply, because a lot of our Apple based apps use the iCloud password, if this is hacked then the baddies have access to all of those apps that use is iMessage, FaceTime, iCloud on the web etc. So now we've got a separate password to for each of these apps. Then there is the annoying code we have to use every time we log

Problem is that when we finally enable this feature a non descript dialog box pops up and when we've finally figured out that hey it's not our iCloud password but the cryptic password that's been generated for us and enter it, we have to do it on all our bloody devices we think we're done. Then a few months later the dialog boxes start popping up and we have to do it all again !!!

Simple solution for me just turn it off, not ready for prime time at all and I the hack of iCloud that celebs had was nothing to do with iCloud but just the fact they picked **** poor passwords.

Wait for El Capitan. Apple apps that now use app-specific passwords in Yosemite, require getting an SMS code on your iPhone in place of the app-specific password. I am on the 10.11 beta right now

http://www.macrumors.com/2015/07/08/ios-9-el-capitan-two-factor-authentication/

Hoping For a Better Apple wrote:

This is a potential solution:

If OS X is asking for Messages and Facetime passwords and then tells you that you need to create an app-specific password, the following may help:

1. Completely delete the iCloud account from the computer.
   ...
2. Add the iCloud account back to the computer.

Hope this helps...

Tamas

What do you mean by "completely delete the iCloud account" - are we talking about SIGNING OUT/IN?

I changed my email address and did not share the change with Apple. Now I can't seem to get all the devices to correspond to the same ID and password. How do I correct this problem?

doris38