Apple’s new iCloud security requirements: How it affects you and the software you use

“If you use iCloud for email, calendar events, or contacts with any apps other than those made by Apple, and you haven’t upgraded the security on your account to use two-factor authentication (2FA), syncing and other interaction will fail starting June 15,” Glenn Fleishman explains for Macworld.

“That’s when Apple imposes a new security requirement that requires unique passwords for all third-party software that works with iCloud accounts,” Fleishman writes. “That includes apps like BusyContacts, Fantastical, and Thunderbird, to name a few of hundreds, as well as online services that sync with iCloud or retrieve email.”

“That sounds a lot more secure, but there’s less there than meets the eye. Apple’s method of allowing third-party access has significant flaws in containing abuse if one of these unique passwords gets discovered,” Fleishman writes. “There’s a better way with its own set of problems, but Apple doesn’t appear to be moving in that direction.”

Read more in the full article here.

MacDailyNews Take: Use two-factor verification for Apple ID to keep your personal information as secure as possible. More info here.

Always use unique passwords and use Apple’s Keychain Access and iCloud Keychain to create and manage them. When used properly, they work like a dream.

3 Comments

    1. I’ve been ranting to have REAL two-factor authentication on iOS devices for a couple years now. That would mean the user has to use two, not just one, methods in order to get into their device. IOW: Fingerprint isn’t enough. PIN/PW isn’t enough. You gotta use both in sequence. And Apple apparently doesn’t care. 😛 It would cut down convenience, but it would be real two-factor authentication instead of this either/or junk.

      Happily, Apple does at least offer the option of 10 strikes and the device gets WIPED. That kills off brute force attacks (unless user PIN/PW is ultra-stupid, like 123456 or 111111).

  1. Thank you for this article Glenn. It’s a dent into the problem.

    I personally avoid using OAuth as I don’t like handing out permissions for third parties to access my social anything. When confronted with OAuth, I only use my DISQUS account. It works great for the purpose and exposes nothing I consider private.

    https://disqus.com

    I moved to individual passwords per app, service, website a decade ago. To keep track of it all and make the accounts accessible I use 1Password (although there are fine alternatives such as LastPass). I also cover-my-back-orifice by keeping a highly encrypted text file of all my IDs and passwords for when 1Password messes up or I don’t want to bother with it. Consider it a backup.

    But is Granny ever going to deal with this level of complexity? Professional corporations don’t deal with this level of complexity, resulting in stolen and/or ransomed data. Therefore, the answer is NO. It’s going to take efforts like Apple’s with baby steps, coddling and hand-holding to get out of our Dark Age of Computing.

    Most of us here are lucky to have innate techno talents and excellent acquired techno skills. There’s no point in getting impatient with those-of-other-talents who don’t comprehend. User-friendliness, ease of use and convenience have to somehow find a way to work well with techno-security complexity. Help your fellow humans across the techno bridge to futurist Valhalla.
    🌈🌤👶😺
