Cannot get to the 2FA stage, program fails with 'Invalid authentication token (...) Authentication required for Account. (421)'

[jakub-sekula]

Overview

I am trying to run the latest version 1.22.0 on macOS Sonoma using an iCloud account with 2FA enabled. I previously used 1.17.3 successfully, last sync was around a month ago and everything worked fine then. Now neither version 1.17.3 nor 1.22.0 work, I am unable to get to the 2FA prompt at all, the script crashes with error ('Invalid authentication token.', PyiCloudAPIResponseException('Authentication required for Account. (421)').

The 2FA code is never sent and icloudpd doesn't provide a way to enter it, or wait for user input.

Steps to Reproduce

Run the command below, include real username and password.

./icloudpd-1.22.0-macos-amd64 \
 --password xxx \
 --username [email protected] \
 --directory . \
 --until-found 150 \
 --auto-delete \
 --mfa-provider  webui

Expected Behavior

icloudpd waits for 2FA code, I get a 2FA notification and can enter the code to authenticate.

Actual Behavior

Note: I wrapped the command from above into a backup.sh script for conciseness.

jakub@kuba-mbp Phone Photos Backup % source ./backup.sh
2024-07-24 00:15:10 DEBUG    Starting web server...
2024-07-24 00:15:10 DEBUG    Authenticating...
2024-07-24 00:15:10 ERROR    Authentication required for Account. (421)
2024-07-24 00:15:12 ERROR    Authentication required for Account. (421)
Traceback (most recent call last):
  File "pyicloud_ipd/base.py", line 241, in _authenticate_with_token
  File "requests/sessions.py", line 637, in post
  File "pyicloud_ipd/session.py", line 120, in request
  File "pyicloud_ipd/session.py", line 122, in request
  File "pyicloud_ipd/session.py", line 196, in _raise_error
pyicloud_ipd.exceptions.PyiCloudAPIResponseException: Authentication required for Account. (421)

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "starters/icloudpd.py", line 6, in <module>
  File "click/core.py", line 1157, in __call__
  File "click/core.py", line 1078, in main
  File "click/core.py", line 1434, in invoke
  File "click/core.py", line 783, in invoke
  File "icloudpd/base.py", line 696, in main
  File "icloudpd/base.py", line 1130, in core
  File "icloudpd/authentication.py", line 53, in authenticate_
  File "pyicloud_ipd/base.py", line 157, in __init__
  File "pyicloud_ipd/base.py", line 221, in authenticate
  File "pyicloud_ipd/base.py", line 247, in _authenticate_with_token
pyicloud_ipd.exceptions.PyiCloudFailedLoginException: ('Invalid authentication token.', PyiCloudAPIResponseException('Authentication required for Account. (421)'))
[36226] Failed to execute script 'icloudpd' due to unhandled exception!

Context

The script worked fine last month on version 1.17.3, but now it doesn't work at all with any version.
If I remove the --password from the input and enter it manually when prompted, I also get the same error (421 authentication required)

[jakub-sekula]

Does anyone have any tips on how to fix this? My entire backup workflow is broken, I'm happy to try anything but I don't know where to start.

[AndreyNikiforov]

Does anyone have any tips on how to fix this? My entire backup workflow is broken, I'm happy to try anything but I don't know where to start.

Possible workaround is to delete ~/.pyicloud folder where all authentication cookies are cached.

[eknirk]

Same happend to me. Deleting ~/.pyicloud did not help, running on a different machine fresh did not help.

Happy to debug, but how can the logging for pyicloud_ipd be enabled? The source code has logging commands, but I cannot figure out how to generate them.

[eknirk]

Have now done some debugging. It turned out that my Apple ID was locked! I needed to unlock it and change my password. My problem went away.

[AndreyNikiforov]

Have now done some debugging. It turned out that my Apple ID was locked! I needed to unlock it and change my password. My problem went away.

Did you notice responses that icloud.com was giving for locked account? icloudpd can be more explicit with the error message then.

[eknirk]

I don't know when my account was locked. I believe that it was locked yesterday or earlier, but I was still able to access icloud.com as I usually used the passkey login. Only while debugging I had the idea to log in to icloud.com with a different browser via the password route and then icloud.com told me that my account is locked and needs to be unlocked.

There was no sprecial error message with icloudpd or icloud, only the typical PyiCloudAPIResponseException('Missing apple_id field (Missing apple_id field)') or Authentication required for Account. (421) error messages in the stack trace appeared.

However, as one of my debugging steps I executed python3.12 starters/icloud.py directly in the dowloaded repo, and that suggested Bad username or password for <...>. Only then I tried the browser login with a different browser.

[AndreyNikiforov]

Another thought: password could have been screwed by shell when using--password parameter. Try using webui for password as well.