iCloud Password prompt

On my Yosemite OS X machine I often get an iCloud prompt after awaking from sleep or after a reboot, like this:

[screenshot of the iCloud Password prompt]

What program is causing this? Is it a valid Apple one or one trying to get my password?

I have not knowingly set an app-specific password.

And in normal use, i.e. not just after waking, I got the box again, but with a more interesting log:

24/03/2016 11:51:12.488 identityservicesd[8431]: [Warning] Registration failed for Registration info (0x7ff8e1435230): [Registered: NO] [Type: AppleID] [Device Name: (null)] [Service Type: com.apple.private.alloy.maps] [Env: (null)] [Main ID: [email protected]] [Phone Number: [email protected]] [AppleID: [email protected]] [UserID: E: [email protected]] [C2K: NO] [Push Token: <f72dd563 26eccf96 f9e058ca b26ff2b7 fa67c0e9 e7b8e17e a9c86f31 c8d5f217>] [Region ID: R:GB] [Base Number: +440000000000] [URIs: ()] [Candidates: ([email protected], [email protected], [email protected])] [Auth Cert: 0x0] [Reg Cert: 0x0] [Profile ID: D:53092237] [Auth User ID: (null)] [Heartbeat Date: (null)]   (Error: 0)

From that list of contacts it does look message related, but still, what proof is there that this is from Apple? And note my Message does not work even if I provide a password (see other question).


The process displaying the iCloud Password window on OS X Yosemite is:

/System/Library/CoreServices/UserNotificationCenter.app/Contents/MacOS/UserNotificationCenter

The way to confirm: navigate to and read the contents of the answers under this question on SuperUser:

  • The first one contains a link to a blog post describing a way to debug the very same problem (iCloud Password window). The author suggests running the following script and moving the window in question with a mouse/trackpad. The script detects the position change and prints the details of the window that was moved.

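    #!/usr/bin/env python
    # Requires PyObjC, which provides the Quartz and Foundation modules.
    
    import time
    from Quartz import CGWindowListCopyWindowInfo, kCGWindowListExcludeDesktopElements, kCGNullWindowID
    from Foundation import NSSet, NSMutableSet
    
    # First snapshot of all on-screen windows (each entry includes the owner name and PID).
    wl1 = CGWindowListCopyWindowInfo(kCGWindowListExcludeDesktopElements, kCGNullWindowID)
    print('Move target window')
    time.sleep(5)
    # Second snapshot, taken after the window has been dragged.
    wl2 = CGWindowListCopyWindowInfo(kCGWindowListExcludeDesktopElements, kCGNullWindowID)
    
    # Entries from the first snapshot that no longer match the second, i.e. whose bounds changed.
    w = NSMutableSet.setWithArray_(wl1)
    w.minusSet_(NSSet.setWithArray_(wl2))
    print('\nList of windows that moved:')
    print(w)
    print('\n')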
    
  • The other answer points to a GitHub project mac_list_windows_pids with a Python script that lists currently active windows and their processes. You can run it twice, once with the iCloud Password window active and once after closing it, save the results to text files and diff them.

Both scripts in my case pointed to the UserNotificationCenter process, for which ps -ef revealed the following executable:

/System/Library/CoreServices/UserNotificationCenter.app/Contents/MacOS/UserNotificationCenter

For ultimate confirmation you can check if the window would disappear after:

$ pkill UserNotificationCenter

Next you can check the validity of the app's signature using the following command:

$ codesign --verify --no-strict -vvvv /System/Library/CoreServices/UserNotificationCenter.app
/System/Library/CoreServices/UserNotificationCenter.app: valid on disk
/System/Library/CoreServices/UserNotificationCenter.app: satisfies its Designated Requirement

And check the signature with (with results from my OS X 10.10.5 (14F1605) for reference):

$ codesign -dvvv /System/Library/CoreServices/UserNotificationCenter.app
Executable=/System/Library/CoreServices/UserNotificationCenter.app/Contents/MacOS/UserNotificationCenter
Identifier=com.apple.UserNotificationCenter
Format=bundle with Mach-O universal (i386 x86_64)
CodeDirectory v=20100 size=501 flags=0x0(none) hashes=18+3 location=embedded
Hash type=sha1 size=20
CDHash=0598cd2dae69538404bc861d92dc9baece3cf56c
Signature size=4097
Authority=Software Signing
Authority=Apple Code Signing Certification Authority
Authority=Apple Root CA
Info.plist entries=19
TeamIdentifier=not set
Sealed Resources version=2 rules=14 files=4
Internal requirements count=1 size=80

Also, for reference, the SHA of the executable is 301e4caa71c9e0add012705c2e61be97d801717c.

Of course everyone should test for themselves to make sure no other program impersonates this window.

While not related, there is a report that a phishing method mimicking the iCloud password prompt has been used on iOS, so it is a valid concern.


As for the problem itself it seems to be commonly reported. Disabling the UserNotificationCenter with the following command prevented the window from appearing:

$ sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.UserNotificationCenter.plist

You can try logging out of your iCloud in Settings and logging back in again. I've had the same issue before when I changed some account settings on another device.

It's a legit prompt from OS X but I think it's a sync operation bug.
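The signature check from the answer above can be scripted. The following is an added example, not code from any of the answers: it parses `codesign -dvvv` output and compares the executable path, identifier, authority chain and CDHash with the values quoted above. The function names and the `LOOKALIKE_OUTPUT` sample are constructed for illustration, and the CDHash is specific to the answerer's OS X 10.10.5 (14F1605) build.

```python
import posixpath

# `codesign -dvvv` output quoted in the answer above, abridged to the fields checked here.
PAGE_OUTPUT = """\
Executable=/System/Library/CoreServices/UserNotificationCenter.app/Contents/MacOS/UserNotificationCenter
Identifier=com.apple.UserNotificationCenter
CDHash=0598cd2dae69538404bc861d92dc9baece3cf56c
Authority=Software Signing
Authority=Apple Code Signing Certification Authority
Authority=Apple Root CA
"""

# Constructed sample (not from the page): same identifier, third-party signer, non-system path.
LOOKALIKE_OUTPUT = """\
Executable=/Users/Shared/UserNotificationCenter.app/Contents/MacOS/UserNotificationCenter
Identifier=com.apple.UserNotificationCenter
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
"""

# Authority chain shown on the page for this Apple system binary.
APPLE_SYSTEM_CHAIN = ["Software Signing", "Apple Code Signing Certification Authority", "Apple Root CA"]

def parse_codesign(text):
    """Parse key=value lines; Authority repeats, so it is collected as a list (leaf first)."""
    info = {"Authority": []}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key == "Authority":
            info["Authority"].append(value)
        elif sep:
            info[key] = value
    return info

def check_system_binary(text, expected_id, expected_cdhash=None):
    """Return a list of findings; an empty list means every check passed."""
    info = parse_codesign(text)
    exe = posixpath.normpath(info.get("Executable", ""))  # collapses any ../ segments
    findings = []
    if not exe.startswith("/System/Library/"):
        findings.append("executable is outside /System/Library")
    if info.get("Identifier") != expected_id:  # the identifier is declared by the bundle itself
        findings.append("unexpected identifier")
    if info["Authority"] != APPLE_SYSTEM_CHAIN:
        findings.append("authority chain is not Apple's system-software chain")
    if expected_cdhash and info.get("CDHash") != expected_cdhash:  # varies per OS build
        findings.append("CDHash differs from reference")
    return findings
```

`codesign -d` prints to stderr and only displays what the signature contains, so capture it with `2>&1` and keep the `codesign --verify` step from the answer; `codesign --verify -R='anchor apple' <path>` additionally makes codesign itself require Apple's anchor.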


I've seen this issue (well, a whole host of them actually, with several different root culprits), and it's very hard to distinguish one from another.

It could be as easy as:

  1. If you're using your Apple ID password as your user password, decouple these (switch to using a separate login password). That one is pretty painless, and it could simply be an issue where it's trying to authenticate with Apple's servers before your network is fully up and connected.

  2. For some reason, using an @icloud.com email as your login often has far more issues than a third-party email. Go to http://appleid.apple.com and add another email there (if you don't have one there already), then log in the iCloud preference pane (etc.) using that email instead.

Otherwise in order of most-likely-to-fix-the-issue-but-also-most-drastic-/-biggest-pain-in-the-ass:

  1. Disable keychain syncing in your current user account. Create a new user account on your computer. Don't immediately associate it with an Apple ID. Once you're logged in as this new user, sign in with the iCloud preference pane. Do not enable keychain syncing yet. Migrate over only what you need from your old user account (files, preferences, and individual keychain items). When you think you've got everything, go back to the preference pane, and enable keychain syncing. When asked to enter your iCloud Security Code, click Forgot Code. Click Reset Keychain to replace your iCloud Keychain in the cloud with the iCloud Keychain items on your Mac.

If you can't bear to part with your current user account, you can try:

  1. a. Sign out of iCloud.

    b. Delete in your ~/Library/Preferences folder any/all plists that begin:

    com.apple.cloudd* com.apple.cloudpaird* com.apple.cmfsyncagent* com.apple.security* com.apple.imessage* com.apple.imservice* com.apple.ids* com.apple.identityservicesd* com.apple.sms*

    (I'm not sure that's all of them, but they're likely candidates. This is why creating a new user account is best...)

    c. Open Keychain Access, delete all the iCloud entries (just type iCloud in the search box... there should be maybe 8-12 of them). You don't need to delete any of the ones that say "Web form password".

    d. Perform the same iCloud Keychain reset maneuver as above.

Hope that helps!