Hi @Hawkeye, @rkrisi and all contributors to the iCloud binding,
Apple provides the capability for anyone to generate app-specific passwords (https://appleid.apple.com/account/manage) specifically for cases like ours. i.e.: not expose the main credentials in clear text.
Would it sound reasonable to try integrating such feature to the “iCloud Account” thing?
Thanks a lot for all the great work done by you guys
-Baobao
Yes I know that. However I think this API which is used by the binding doesn’t allow app-specific passwords.
I will try to look into this later.
I suspect it can be done, but I read something about required 2FA, and I wonder how this would be passed to the interface. Could it be as simple as simply passing in the appspecific pw instead of your account pw? Worth trying I guess, no harm done?
I’ve tried before posting here 
You get greeted with an authentication error in the logs, nothing peculiar, the same behavior as a good old “wrong password” thingy.
Clearly, the authentication API does not accept these passes as alternative passwords, at least, not in the way we’re using it with the Binding.
I tried to find some technical documentation on this, but can’t find anything as of yet. I think the quickest way to figuring out if this is possible is by inspecting network traffic on an app that uses this type of authentication to see how it connects? It would be really cool to implement, as I agree that it feels wrong to put your Apple password in your thing file in plain text.
I also didn’t feel comfortable using my main account. So I’ve created another Apple-ID specifically for the iCloud binding and gave permission to access the location of the devices I’m interested in via family sharing.