We received the email pictured below from Apple today (16th May 2017):
Basically, on 15th June 2017 app-specific passwords will be required for third-party software products accessing iCloud data, e.g. if you use Microsoft Outlook to access your iCloud email. At first glance there's nothing wrong with this, because more security is good, right? There are two scenarios here that are worth considering…
The first is that to continue using third-party applications with iCloud you are now forced to switch two-factor authentication on, whether you like it or not. Two-factor authentication sounds great, but we've seen many situations where it has led to monumentally deep rabbit-hole support problems. Once you are stuck in one it can get very messy, and the only way out is via Apple Support, and that depends on whether they will help you or not (they are very security conscious around Apple ID related matters - Apple Support can answer your questions about the account recovery process, but can't verify your identity or expedite the process in any way). And so, in a worst-case scenario, people could end up being locked out of their computers, iPhones and/or iPads.
The second, and far more concerning, is the possibility that future versions of macOS and iOS will make two-factor authentication mandatory to even be able to install or use them. Even now, some accounts created in iOS 10.3 or macOS Sierra 10.12.4 and later already don't have the option of turning off two-factor authentication! Apple has been heavily pushing two-factor authentication with the last couple of versions of macOS and iOS (a recent macOS system update asked you to turn on two-factor authentication, and iOS 10 makes it really easy to turn on without you even realising what you are doing), so it's not hard to believe they will go this route and make two-factor authentication mandatory. Also, note that the date this all starts is 15th June 2017 - this will be just after Apple's WWDC has finished and thus probably when the first previews of macOS 10.13 and iOS 11 will be made available to developers.
So what do we recommend? In preparation for two-factor authentication we recommend the following (all of which are worth doing as security best practices anyway!):