ICloud Password prompt

Question

On my Yosemite OSX machine I often get an ICloud prompt after awaking from sleep or after a reboot like this

what program is causing this? Is it a valid Apple one or one trying to get my password?

I have not knowingly set an app-specific password.

and in normal use ie not just after awake I got the box again but a more interesting log

24/03/2016 11:51:12.488 identityservicesd[8431]: [Warning] Registration failed for Registration info (0x7ff8e1435230): [Registered: NO] [Type: AppleID] [Device Name: (null)] [Service Type: com.apple.private.alloy.maps] [Env: (null)] [Main ID: [email protected]] [Phone Number: [email protected]] [AppleID: [email protected]] [UserID: E: [email protected]] [C2K: NO] [Push Token: <f72dd563 26eccf96 f9e058ca b26ff2b7 fa67c0e9 e7b8e17e a9c86f31 c8d5f217>] [Region ID: R:GB] [Base Number: +440000000000] [URIs: ()] [Candidates: ([email protected], [email protected], [email protected])] [Auth Cert: 0x0] [Reg Cert: 0x0] [Profile ID: D:53092237] [Auth User ID: (null)] [Heartbeat Date: (null)]   (Error: 0)

From that list of contacts it does look message related but still what proof is that this is from Apple and note my Message does not work even if I provide a password(see other question)

Answer 1

You can try logging out your iCloud in Settings and logging in back again. I've had the same issue before when I changed some account settings on another device.

It's a legit prompt from OS X but I think it's a sync operation bug.

Answer 2

I've seen this issue (well, a whole host of them actually, with several different root culprits), and its very hard to distinguish one from another.

It could be as easy as:

1. If you're using your Apple ID password as your user password, decouple these (switch to using a separate login password). That one is pretty painless, and it could simply be an issue where it's trying to authenticate with Apple's servers before your network is fully up and connected.

2. For some reason, using an @icloud.com email as your login often has far more issues than a third-party email. Go to http://appleid.apple.com and add another email there (if you don't have one there already), then log in the iCloud preference pane (etc.) using that email instead.

Otherwise in order of most-likely-to-fix-the-issue-but-also-most-drastic-/-biggest-pain-in-the-ass:

3. Disable keychain syncing in your current user account. Create a new user account on your computer. Don't immediately associate it an Apple ID. Once you're logged in as this new user, sign in with the iCloud preference pane. Do not enable keychain syncing yet. Migrate over only what you need from your old user account (files, preferences, and individual keychain items). When you think you've got everything, go back to the preference pane, and enable keychain syncing. When asked to enter your iCloud Security Code, click Forgot Code. Click Reset Keychain to replace your iCloud Keychain in the cloud with the iCloud Keychain items on your Mac.

If you can't bear to part with your current user account, you can try:

3. a. Sign out if iCloud.

   b. Delete in your ~/Library/Preferences folder any/all plists that begin:

   com.apple.cloudd* com.apple.cloudpaird* com.apple.cmfsyncagent* com.apple.security* com.apple.imessage* com.apple.imservice* com.apple.ids* com.apple.identityservicesd* com.apple.sms*

   (I'm not sure that's all of them, but they're likely candidates. This is why creating a new user account is best...)

   c. Open Keychain Access, delete all the iCloud entries (just type iCloud in the search box... there should be maybe 8-12 of them). You don't need to delete any of the ones that say "Web form password".

   d. Perform the same iCloud Keychain reset maneuver as above.

Hope that helps!

Answer 3

The process displaying the iCloud Password window on OS X Yosemite is:

/System/Library/CoreServices/UserNotificationCenter.app/Contents/MacOS/UserNotificationCenter

---

The way to confirm: navigate to and read the contents of the answers under this question on SuperUser:

• The first one contains a link to a blog post describing a way to debug the very same problem (iCloud Password window). Author suggests running the following script and moving the window in question with a mouse/trackpad. The script discovers position change and prints the details of a window that was moved.

  #!/usr/bin/env python
  
  import time
  from Quartz import CGWindowListCopyWindowInfo, kCGWindowListExcludeDesktopElements, kCGNullWindowID
  from Foundation import NSSet, NSMutableSet
  
  wl1 = CGWindowListCopyWindowInfo(kCGWindowListExcludeDesktopElements, kCGNullWindowID)
  print 'Move target window'
  time.sleep(5)
  wl2 = CGWindowListCopyWindowInfo(kCGWindowListExcludeDesktopElements, kCGNullWindowID)
  
  w = NSMutableSet.setWithArray_(wl1)
  w.minusSet_(NSSet.setWithArray_(wl2))
  print '\nList of windows that moved:'
  print w
  print '\n'
  

• The other answer points to a github project mac_list_windows_pids with a Python script that lists currently active windows and their processes. You can run it twice with the iCloud Password window active and after closing, save the results to text files and diff them.

Both scripts in my case pointed to UserNotificationCenter process, which after ps -ef revealed the following executable:

/System/Library/CoreServices/UserNotificationCenter.app/Contents/MacOS/UserNotificationCenter

For ultimate confirmation you can check if the window would disappear after:

$ pkill UserNotificationCenter

Next you can check the validity of the app's signature using the following command:

$ codesign --verify --no-strict -vvvv /System/Library/CoreServices/UserNotificationCenter.app
/System/Library/CoreServices/UserNotificationCenter.app: valid on disk
/System/Library/CoreServices/UserNotificationCenter.app: satisfies its Designated Requirement

And check the signature with (with results from my OS X 10.10.5 (14F1605) for reference):

$ codesign -dvvv /System/Library/CoreServices/UserNotificationCenter.app
Executable=/System/Library/CoreServices/UserNotificationCenter.app/Contents/MacOS/UserNotificationCenter
Identifier=com.apple.UserNotificationCenter
Format=bundle with Mach-O universal (i386 x86_64)
CodeDirectory v=20100 size=501 flags=0x0(none) hashes=18+3 location=embedded
Hash type=sha1 size=20
CDHash=0598cd2dae69538404bc861d92dc9baece3cf56c
Signature size=4097
Authority=Software Signing
Authority=Apple Code Signing Certification Authority
Authority=Apple Root CA
Info.plist entries=19
TeamIdentifier=not set
Sealed Resources version=2 rules=14 files=4
Internal requirements count=1 size=80

Also for reference SHA of the executable is 301e4caa71c9e0add012705c2e61be97d801717c.

Of course everyone should test for themselves to make sure no other program impersonates this window.

While not related, there is a report that a phishing method mimicking the iCloud password prompt has been used on iOS, so it is a valid concern.

---

As for the problem itself it seems to be commonly reported. Disabling the UserNotificationCenter with the following command prevented the window from appearing:

$ sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.UserNotificationCenter.plist

Answer 4

Possible duplicate.
If you're using 2-factor authentication you might need to generate app-specific passwords for iMessage and FaceTime. Apart from that check your keychain file permissions and relogin to iCloud using iCloud preference pane.

Answer 5

I finally found the following fix on a reddit forum and it solved my issue:

Are two iCloud password prompts popping up after every reboot on Yosemite? If you set an application-specific password for iMessage and FaceTime, that's what the prompt is looking for you to provide. The dialog box asks for your iCloud password, but in reality it wants that app-specific password. Put it in twice (once for iMessage, once for FaceTime) and the prompts should go away.