App-Specific Passwords

[MacInWin]

You were fortunate that at the time Apple still allowed 2FA to be turned off. Implemented now, it can no longer be turned off.

There's actually a lawsuit against Apple because of that.

Small detail, but it is possible to turn off in the first 14 days, as I recall. After that, it's locked in.

 

[pm-r]

That explains it. I don't use iCloud mail for the notifications. Hence, no app-specific passwords.

My CCC works just fine for most of its notifications and no password or iCloud account passwords used. I'm guessing that the iCloud mail and notifications for CCC use are seperate things, or if any iCloud email account might be involved.

All clear as mud, just like Apple's confusing implementation of their TWO-FACTOR AUTHENTICATION and TWO-STEP VERIFICATION.


- Patrick
======

 

[chscag]

Additional info about turning off 2FA: (from Apple)

Can I turn off two-factor authentication after I’ve turned it on?

If you already use two-factor authentication, you can no longer turn it off. Certain features in the latest versions of iOS and macOS require this extra level of security, which is designed to protect your information. If you recently updated your account, you can unenroll for two weeks. Just open your enrollment confirmation email and click the link to return to your previous security settings. Keep in mind, this makes your account less secure and means that you can't use features that require higher security.

Note that it says if you recently updated your account.....

If you decide to turn on 2FA and have not recently updated your account.... I believe you're stuck with it.

 

[IWT]

What I meant was that I turned off 2FA for Oracle's DynDNS service. I still have it enabled for Apple.

But, I can understand why people get frustrated with Apple's implementation of 2FA. It's cumbersome. Every time I log in to Apple I get a notice that I need to enter the six digit verification code because I'm signing in from a new browser or device. Nope. It's Safari and it's on the same machine I've been using for several years. And, every time I say to "Trust this browser". It never does.

Every time. It's stupid.



(Note that I have "Prevent cross-site tracking" and "Block all cookies" disabled.)

Mike, you weren't by any chance using a VPN? Or hadn't recently cleaned out your Browser's caches & Website Data?

Ian

 

[Ratsima]

Mike, you weren't by any chance using a VPN? Or hadn't recently cleaned out your Browser's caches & Website Data?

No to both. I never use a VPN when logging on to an Apple site. I generally only use a VPN to get to blocked or geo-restricted sites.

However, my ISP gives me a new IP address about once a day. The location of that IP is always different and rarely anywhere near where I live.

The one I have today is located where I live (Nakhon Ratchasima). The one I had yesterday is in Surin, about 175K east of here. The one I had day before yesterday is in Ubon Ratchatani, which is 335K east of here. The one I had before that is in Bangkok, about 250K southwest of here.

Those results are from here: IP Address Lookup - Find IP Address Location - WhatIsMyIP.com(R)

But, I'd hate to think Apple would use IP geolocation to determine that I'm signing in from a different browser or device. Surely there must be a better way. After all, Apple Maps seems always know where I am, why doesn't Apple?

And, yes, I do keep track of my IP addresses:

Fri May 3 09:34:06 +07 2019 New IP 188.123.125.141
Fri May 3 10:34:10 +07 2019 New IP 101.51.75.251
Fri May 3 15:34:27 +07 2019 New IP 1.1.182.208
Sat May 4 14:35:40 +07 2019 New IP 1.2.172.4
Sat May 4 17:35:54 +07 2019 New IP 162.254.207.103
Sat May 4 18:35:57 +07 2019 New IP 1.2.172.4
Sun May 5 14:37:02 +07 2019 New IP 101.51.221.49
Mon May 6 04:37:50 +07 2019 New IP 87.98.236.22
Mon May 6 05:37:54 +07 2019 New IP 101.51.221.49
Mon May 6 09:38:08 +07 2019 New IP 51.75.215.63
Mon May 6 10:38:12 +07 2019 New IP 101.51.221.49
Mon May 6 15:38:30 +07 2019 New IP 188.123.125.141
Mon May 6 16:38:34 +07 2019 New IP 101.51.221.49

 

[pm-r]

Note that it says if you recently updated your account.....

If you decide to turn on 2FA and have not recently updated your account.... I believe you're stuck with it.

DEFINITITELY NOT going to even try taking a chanch thanks!!!

PS: will the court case only affect those users in the US if they win their case??? And will the results ever get published for the public to read and find out???


- Patrick
======

 

[chscag]

The lawsuit is in the US but may take years to resolve. Apple will likely tighten security rather than go back to the lesser secure methods that were implemented before.

 

[exgarymac]

Wow, loads of interesting chatter here - most of which I do not understand. My original entry on this thread was because OUTLOOK on my Android telephone says I need to re-enter the password, but I have no idea what caused that, so I just needed clarification in case the request becomes some sort of regular thing. Thanks for all your input everyone.

 

[pm-r]

My original entry on this thread was because OUTLOOK on my Android telephone says I need to re-enter the password, but I have no idea what caused that, so I just needed clarification in case the request becomes some sort of regular thing.

Do you have and use an Apple ID or Apple iCloud email address with your OUTLOOK on your Android telephone??? If so, I guess you need to do what they say, and especially so if Apple is going to be the boss.


- Patrick
======

 

[exgarymac]

Yes. As a switcher I am getting the message that if Apple says something just do it or I shall never win!

 

[Ratsima]

Wow, loads of interesting chatter here - most of which I do not understand. My original entry on this thread was because OUTLOOK on my Android telephone says I need to re-enter the password, but I have no idea what caused that, so I just needed clarification in case the request becomes some sort of regular thing. Thanks for all your input everyone.

Sorry about going so far off topic. But, your OP raises the interesting and important issue about how intrusive and cumbersome security measures offered by vendors and service providers ought to be. We all want to be safe and secure until that security becomes too time consuming and unwieldy.

I've just opened One Password's Watchtower which informs me that I have 303 vulnerable passwords, 326 reused passwords, 277 weak passwords, have not implement two-factor Authentication 28 times and have passwords for 6 compromised websites and 194 insecure websites.

I suppose I should spend the two or three weeks that it would take to fix all that but I'd rather eat sawdust.

 

[IWT]

Well, you could shoot yourself, Mike! Not a joking matter though I mean it so. But you are right. Security becomes a burden, is wearisome and one begins to worry++.

It is probably dealing with the major vulnerabilities first.

Also ask yourself whether you still use some of the sites - do you really need them? That can narrow the list down a bit. 2FA for the major sites is good, for sure.

Judgment rather than panic.

Ian

 

[Ratsima]

You're right. I need to do something. And, certainly, there are probably many sites that I never look at anymore.

If I do get a warning from 1Password when I log into a site, I do fix things. So, I'm probably OK on the stuff that's important.

If only I were retired and had lots of time on my hands.

Oh, wait….