How to fix two-factor authentication problems with apps that don’t use iCloud
If you’re new to 2FA, remember you can still use non-Apple services for contacts and calendars, and for email.
I’ve heard some confusion and frustation from people who use calendar, contact, and email software that isn’t set up through iCloud, and they turned on Apple’s two-factor authentication (2FA). There’s an easy solution, but it requires a little planning and fuss to put it in place.
The more modern 2FA system Apple explicitly labels “two-factor authentication” replaces its previous “two-step verification,” which was a stop-gap put in place two years ago. The new 2FA is deeply integrated into iOS and macOS, and was introduced on a slow rollout to users about one year ago with iOS 9 and El Capitan.
Many people have apparently turned 2FA on for the first time with macOS Sierra or iOS 10 possibly because it’s required to use the watchOS 3 feature that lets you unlock your Mac with your Watch.
The point of friction, however, is with software that Apple hasn’t tied into iCloud. So that includes BusyCal and Fantastical, third-party email clients, and contacts apps other than Apple’s Contacts. Those can’t yet (or maybe will never be able to) use Apple’s 2FA to let you validate a login. With Apple’s system, whenever you log in using an Apple ID protected by 2FA, all of your associated iOS and macOS devices pop up a tiny map of the rough location and a pair of buttons to allow or reject the login. Tap or click Allow, and the device on which you’ve done so displays a six-digit code you have to enter to complete the login.
For services and software that isn’t tied in that way, you need to generate an app-specific password, which was also the case with the older two-step method. If you turned off two-step and turned on two-factor, all your previous app-specific passwords were wiped out! This is a shame, but you’re starting with a clean slate, so apps and sites you approved long ago and no longer use are no longer a potential threat, too.
To create an app-specific password, follow these steps:
- Log in to your account at appleid.apple.com, which will include the map popup and a six-digit code.
- In the Security section under App-Specific Passwords, click Generate Password.
- Label the password so you can remember it later if you need to disable it, and click Create.
- In the next screen, copy and paste or refer to the password and enter it in the app or service with which you need to use it. The password can never be viewed again, but it’s stored.
- Click Done.
You can manage the passwords you’ve created in order to revoke them, too. Click the Edit button next to the Security section, and then you can click View History under App-Specific Passwords. The list shows the creation date of each password, and you can click the x box to the far right to revoke any of them. You can also click Revoke All and wipe out all your app-specific passwords if you’re concerned about any of your software or Web-based services being hacked. This doesn’t affect your 2FA login at all.
I’ll note that Apple only shows the creation date of these passwords, while Google more helpfully in its 2FA Web support shows the last time each was used! Much more useful, and I wish Apple would move to that approach.
Ask Mac 911
We’ve compiled a list of the most commonly asked questions we get, and the answers to them: read our super FAQ to see if you’re covered. If not, we’re always looking for new problems to solve! Email yours to firstname.lastname@example.org including screen captures as appropriate. Mac 911 cannot reply to email with troubleshooting advice nor can we publish answers to every question.