MacRumors’s Tim Hardwick reports that Apple has sent out an email indicating that third-party apps that access your iCloud account and don’t support two-factor verification codes will require app-specific passwords, starting June 15:
Beginning on 15 June, app-specific passwords will be required to access your iCloud data using third-party apps such as Microsoft Outlook, Mozilla Thunderbird, or other mail, contacts and calendar services not provided by Apple.
The change applies only to iCloud accounts that have two-factor authentication enabled. (As all of them should: here’s a guide for turning it on.)
App-specific passwords are just what they sound like: a password that can be used by an app to log in to your iCloud account. It’s essentially a loophole that allows apps to access your iCloud account without having to go through the two-factor authentication process. The benefit over using your standard iCloud password is if a single app or service is compromised, you can easily revoke its app-specific password, instead of having to change your standard iCloud password everywhere. And since Apple generates the app-specific passwords for you, it can ensure that they’re as strong as possible.
There’s more info on using app-specific passwords on Apple’s support site.