Apple and the new App Specific Passwords

[Deleted User]
Community Member

OK, our friends at Apple have now decided that iMessage and FaceTime require an app specific password. Until Agile supports this on both the Mac and iOS, what is your suggestion? Thanks

Comments

  • littlebobbytables
    1Password Alumni

    Hi @Steve_H,

    I assume this is if you enable Apple's 2FA. Now I'm not a FaceTime user myself but I do use the Messages app and I haven't been bothered at all.

    Now is your query regarding the storage of these passwords or supporting entering them directly into the application in question? As it hasn't crept up yet on my own system I'm wondering if they are required after their initial use?

  • [Deleted User]
    Community Member

    Yes, I do use Apple two step verification. I ran into this just today. I usually have iMessage and FaceTime turned off. I restarted both of them in preparation for installing the Public Beta of 10.10.3. I had to let Apple create the App Specific password for both of those before I could turn them back on. My question is regarding supporting entering them directly into the application in question. Here is a link to the Apple Support Web page regarding this. https://support.apple.com/en-us/HT6186. My wife has not yet run into this but I am sure she will at some point.

  • Drew_AG
    1Password Alumni

    Hi @Steve_H,

    Thanks for the clarification. App-specific passwords can be stored in 1Password just like any other password, although you won't be able to auto-save them via the 1Password web browser extension, since the passwords will be entered in a separate app instead of a website. From the main 1Password app, go to File > New Item, and choose the type of item you want to use to store your app-specific password (Login and Password items are both good choices here).

    Now as far as filling passwords into those apps, it's not the same as filling a login form on a website. 1Password can fill forms on websites by using the 1Password extension in the web browser. But other Mac apps don't have extensions like web browsers do, so there's no direct link between those apps and 1Password. So you would need to copy & paste your info from 1Password into the app.

    To make it a bit easier, you can use 1Password mini. It still won't fill your password the same way as the browser extension, but it may be easier for you than switching back & forth with the main 1Password app.

    I hope this helps to answer your questions, but please let us know if you need anything else.

  • [Deleted User]
    Community Member

    Thanks Drew. Yes it does answer my questions. At this rate, we will have an Apple ID and password plus an app specific password generated by Apple for each and every app that Apple produces. :)

  • Drew_AG
    1Password Alumni

    You're welcome, @Steve_H! And yeah, I know what you mean about all the different passwords associated with your Apple ID. But it shouldn't be a problem as long as you remember to add each one to 1Password! ;)

  • semblance
    Community Member
    edited March 2015

    I'm not sure if it's actually necessary to store app-specific passwords in 1Password. Certainly 1Password doesn't need to do anything different to "support" them in any way.

    I thought the whole point of app-specific passwords is that you generate one on an app/device that does support 2-step authentication, and then paste it in ONCE into an app that doesn't. Once this is done, the app with the app-specific password should stay logged in and not prompt you again.

    If for some reason the app with the app-specific password becomes logged out, then you would just go through the same process again and regenerate a new app-specific password.

    The role of 1Password in all this should be to store the primary account details including a very strong password that you are using to log in to the primary app/web site that does support 2-step authentication (your main password for that app/site).

    I suppose you could store the app-specific password as well in 1Password if you really wanted to, but I don't think that's how they are designed to be used.

    I thought app-specific passwords are designed for regular people (who don't use a password manager!) as a way of making sure they use a reasonably strong, randomized, and non-memorable password in situations where only single-factor authentication is available. Otherwise, such people would probably re-use a super-weak password that someone else could easily guess.

    Therefore they are designed to be un-memorable throw-away passwords that you only need to handle once — hence you don't need to store your own copy of them in 1Password because they can just be regenerated at any time.

    Maybe someone from AgileBits could confirm whether this is correct?

  • littlebobbytables
    1Password Alumni

    This is as much as I know about Using app-specific passwords (yup, it's an Apple KB). You can generate and revoke but not reacquire an app-specific password. As I haven't used one before I can't say if there's any merit in storing them. I suppose it can't do any harm to store it in your Apple Login item if you want.

    Sorry I can't personally be of more help here, I haven't ever come across the need to use it yet or even know of an app that requires it. When I log into the likes of https://appleid.apple.com/signin I have to enter a two-step authorisation code which is sent to a device of my choice but app-specific passwords are unknown territory.

  • semblance
    Community Member

    @littlebobbytables, @Drew_AG

    I stand corrected: it may be beneficial to store your Apple app-specific password in 1Password so that you can re-use it across multiple devices/login prompts.

    As the linked post says, it's not all that clear how they're meant to work in that regard.

  • littlebobbytables
    1Password Alumni

    I feel sorry for that poor person @semblance, it's a very reasonable post but I don't believe Apple monitor the forums. A shame really as I think Apple could benefit from reading it.

  • semblance
    Community Member
    edited March 2015

    @littlebobbytables That poor person was me :) No need to feel sorry, it's all part of the normal way of things. Not even the mighty Apple can get usability right all the time...

    BTW, I posted a brief description with a link to that thread to https://www.apple.com/feedback/. According to Apple when you submit feedback there "We read all feedback carefully, but please note that we cannot respond to the comments you submit."

  • littlebobbytables
    1Password Alumni

    You're quite right @semblance, nobody gets everything right 100% of the time, not even Apple when Steve Jobs was at the helm (although he did an amazing job). Glad to hear you reported it to Apple too and I hope they do read what you've written.

    I have to say, if the point of all of this is to make the users more secure they've missed the mark if they're teaching the user to paste in a variety of passwords until they stumble upon the correct one like you describe in relation to mystery iCloud prompts.

  • AGAlumB
    1Password Alumni

    One important benefit of Application Specific Passwords is that they can be revoked by the user. If you decide a third party should no longer have access to your Apple ID account, you can dump him without having to change your main Apple ID password and re-authorize all the other apps.

    @Tangible: Indeed! They can be a bit of a nuisance to manage through the website (I do this with Google too), but having a little extra security never hurts.

    However, it's still risky to give these passwords to 3rd parties. There's nothing to prevent them from using their password to access data you didn't intend for them to see or use, or pretend to be you in apps like iMessage.

    I agree with you in principle, but any time you give out login information you're implicitly trusting that party, so I don't see how this is less secure than the current status quo. And more importantly, the app-specific passwords don't grant access to the account in full; so while there is certainly damage that can be done by a bad actor, you won't lose access to your account -- which makes a bad situation a bit more salvageable. :)

  • AGAlumB
    1Password Alumni
    edited March 2015

    @Tangible: Sorry for not being clearer.

    App-Specific passwords exist for apps that do not support two-step verification. Apple does support two step verification, so in order to access an iCloud account with two-step enabled, you'll have to, well...do the two-step. And therefore a bad guy with your app-specific password won't be able to authenticate to access your iCloud account to, say, change your account password or email.

    A bit confusing, but clever and useful nonetheless. :)

  • littlebobbytables
    1Password Alumni

    Well I finally had an epiphany and disabled Messages. That was the key to why I hadn't come across this as it seems Apple allowed previous access to continue instead of forcing the issue. I'm not entirely sure I know how I feel about that but at least I understand better now.

    I am surprised Messages and FaceTime don't support Apple's two-step verification, that does seem like an oversight. Hopefully they'll improve on the system, not just for their own apps which surprisingly don't support two-step verification but also the entire app-specific password process.

    As an aside, I actually had to sign out of Messages to be properly informed of the app-specific password requirement. With a currently working account I couldn't access the details as all I was told was my Apple ID password was incorrect. 1Password stores that so I knew that wasn't right ;)

  • AGAlumB
    1Password Alumni
    edited March 2015

    @Tangible: Fortunately we each have a choice -- 2FA+ASP, 2FA, or traditional username/password authentication -- and can decide which option works best for us based on security and comfort level. :)

This discussion has been closed.
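
The properties of app-specific passwords described in this thread (they can be generated and revoked but not reacquired, one can be revoked without touching the main password, and none of them opens account management), as an added Python model that is not part of the original discussion and is not Apple's implementation. The class, its method names, the password format and the sample values are all hypothetical.

```python
import hashlib
import hmac
import secrets


class AccountModel:
    """Toy account: one primary password plus revocable app-specific passwords (ASPs)."""

    def __init__(self, primary_password):
        self._primary = self._digest(primary_password)
        self._asp = {}  # label -> digest; the plaintext is never kept

    @staticmethod
    def _digest(secret):
        # A real service would use a slow, salted password hash; SHA-256 keeps the model short.
        return hashlib.sha256(secret.encode()).digest()

    def generate_asp(self, label):
        """Show a new random password once. Only its digest is stored, so it cannot be reacquired."""
        raw = secrets.token_hex(8)
        plaintext = "-".join(raw[i:i + 4] for i in range(0, 16, 4))  # constructed format
        self._asp[label] = self._digest(plaintext)
        return plaintext

    def revoke_asp(self, label):
        """Remove one ASP; the primary password and other ASPs are untouched."""
        return self._asp.pop(label, None) is not None

    def app_sign_in(self, password):
        """Sign-in for an app without two-step support: only an ASP is accepted."""
        candidate = self._digest(password)
        for label, stored in self._asp.items():
            if hmac.compare_digest(candidate, stored):
                return label
        return None

    def change_primary_password(self, credential, second_step_ok, new_password):
        """Account management needs the primary password and the second step; an ASP never qualifies."""
        if not (second_step_ok and hmac.compare_digest(self._digest(credential), self._primary)):
            return False
        self._primary = self._digest(new_password)
        return True


def demo():
    acct = AccountModel("constructed-primary-password")
    messages, facetime = acct.generate_asp("Messages"), acct.generate_asp("FaceTime")
    out = {"before": acct.app_sign_in(messages),
           "asp_manages_account": acct.change_primary_password(messages, True, "x")}
    acct.revoke_asp("Messages")
    out["after_revoke"] = (acct.app_sign_in(messages), acct.app_sign_in(facetime))
    return out
```
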