Security is being enhanced for the Apple iCloud this month where non-Apple software will need an application level password for access.  Their 2 factor authentication (2FA) process is device specific rather than an SMS text process which offers improved security (but there are ramifications if the device is lost).  This is described below:

https://www.intego.com/mac-security-blog/apples-new-icloud-security-requirements-what-to-expect/

Apple has offered enhanced security for iCloud accounts for some time now: first two-step verification, then more robust two-factor authentication. Apple is now planning to tighten up this security, requiring that third-party apps that access your iCloud data need special authorization from June 15.   Beginning on June 15, app-specific passwords will be required to access your iCloud data using third‑party apps such as Microsoft Outlook, Mozilla Thunderbird, and other services not provided by Apple.

Apple’s version of 2FA is different from that of other companies. While many forms of 2FA rely on codes sent by text message or SMS, Apple uses a system that is built into macOS and iOS. You receive codes on trusted devices as alerts, rather than as more portable text messages. This has pros and cons. It is more secure than SMS, but if you don’t have access to any trusted devices, then you may not be able to log into your iCloud account

If you can’t sign in, reset your password, or receive verification codes, you can request account recovery to regain access to your account. Account recovery is an automatic process designed to get you back in to your account as quickly as possible while denying access to anyone who might be pretending to be you. It might take a few days — or longer — depending on what specific account information you can provide to verify your identity.