Reminder: iCloud’s going to demand app-specific passwords from third-party apps

“Dear ( ), thanks for turning on two-step verification (2SV) to protect your Apple ID and the data you store with iCloud, and please don’t freak out tomorrow when all your apps keel over”, Apple reminded everybody on Thursday.

Yes, starting today, your third-party calendar, mail and contacts apps that don’t support Apple’s new two-factor authentication system are going to turn 10 toes up on your iThings.

Do Not Panic. You just need to apply some app-specific passwords to get them breathing again.

App-specific passwords work as a pre-approved security bypass that lets apps – including Microsoft Outlook and Mozilla Thunderbird, among others – get at your iCloud data.

They’re kind of clunky, but at least they keep crooks from bypassing 2SV.

Apple was actually supposed to require them as of 1 October. It didn’t explain why there’s been a lag between the deadline and Thursday’s reminder.

Here’s the letter Apple sent to people who’ve turned on 2SV:

Thank you for using two-step verification to protect your Apple ID and the data you store with iCloud.

This is a reminder that starting tomorrow, app-specific passwords will be required to access your iCloud data using third party apps such as Microsoft Outlook, Mozilla Thunderbird, or other mail, contacts and calendar apps.

If you are currently signed in to a third party app using your primary Apple ID password, you will be signed out automatically when this change takes effect. You will need to generate an app-specific password and sign in again.

In addition to the email reminders, Apple last week also published this new support document educating users on how to use app-specific passwords.

Apple’s introduction of 2SV for iCloud in September was a silver lining to the scummy cloud of nude photos that appeared when somebody launched a serial release of stolen images, starting at the beginning of September and continuing into this week.

Many of those images were weaseled out of celebrities’ iCloud accounts via phishing or brute-force guessing of weak passwords.

There’s no good reason to have weak passwords, but they’re like cockroaches: neither security professionals’ admonishments nor nuclear winter has much chance of stamping them out of existence.

2SV should really, really help.

The security procedure augments your password with a one-time login code sent via SMS so that even if a crook figures out your Apple ID cockroach password, he wouldn’t have enough to get into your account and restore your iCloud data onto his own computer.

Mind you, though, Apple’s implementation of 2SV ain’t perfect – as Naked Security’s Paul Ducklin noted when Apple rolled it out, you can’t turn Apple’s 2SV on for every online purchase you make (why not?), nor can it be turned on for your actual data interactions with iCloud, such as kicking off a restore (why not?).

But at least it’s one more impediment to stop you losing your data to thieves.

Image of padlock courtesy of Shutterstock.