use application password to prevent 2FA on (subsequent) executions

[OWL16]

iCloud allows for generating an application-specific password. Intended to prevent 2FA for applications like mail clients, such an application password works fine with icloudpd as well.

[OWL16]

CORRECTION: seems to work, but I'm not sure it will stay working though...

[w-gitops]

I couldn't get it to work for me. did you use the same email as the primary icloud account?

[liteowl]

Is this still working for you? I got my sync running fine, using password and 2FA. I would like to switch to an app specific password. How do I get it to delete my original password from the Keyring?

[liteowl]

Ah, that's too bad. Doing 2FA every month is going to kill me, even if it's just for one account. Thanks for letting me know.

[boredazfcuk]

Application passwords only work on iDevices. It's not possible to use them to log into the iCloud website.

Also, renewal is only needed every 90 days.

I have 2-way comms working in my container, so I can force a sync from my phone. If it was possible to feed in the MFA code to icloudpd via text file, then I could do remote renewal too.

Just not really had the time, or motivation to look into it further really.

[liteowl]

Thanks for the info. I was asked to renew 2FA after 30 days. Will it go to 90 days after the 2nd time?
(I cannot use Docker on my NAS so I'm not able to work in a container; that doesn't seem like it should affect the 2FA renewal timing though?)

[boredazfcuk]

30 days expiry is not normal. It should last 90 days every time.

Occasionally I get forced to renew in a smaller timeframe, but I am unsure as to the reason. I think it's basically whatever reason Apple wants.

Sometimes all four of my containers will stop syncing at the same time. I'm assuming a change at Apple's end has force-expired everyone's cookies.

Other times, I will get an email notification about my account being locked and I have to unlock it, then re-auth. I put this down to brute force attempts using an old leaked password.

Other times, when I'm testing the container and performing lots of syncs in a short timeframe, it will force a re-auth. That's probably just Apple policy.

I just sync twice a day now and it usually lasts the full 90.

[liteowl]

Good to know. Hoping this time will last 90 days! That would be a big improvement :-)