Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security Key MFA Support #207

Closed
steilerDev opened this issue Mar 10, 2023 · 5 comments
Closed

Security Key MFA Support #207

steilerDev opened this issue Mar 10, 2023 · 5 comments
Labels
class(known issue) A known issue that might not be easy to fix or needs additional input. status(wontfix) This will not be worked on

Comments

@steilerDev
Copy link
Owner

steilerDev commented Mar 10, 2023
edited
Loading 

I'm in a similar position with advanced data protection and a yubikey on my Apple ID. With this combination of security settings, the sign in prompts I receive on other devices don't have MFA codes, but rather just "ok" or "that wasn't me".

Originally posted by @krubenok in #202 (comment)
@steilerDev steilerDev added status(help needed) Help from other people is necessary to resolve this issue class(known issue) A known issue that might not be easy to fix or needs additional input. labels Mar 10, 2023
@steilerDev
Copy link
Owner Author

steilerDev commented Mar 10, 2023
edited
Loading

I currently don't have an account setup using a Security Key (neither do I plan to do so).

In order to investigate this use case, I need support from someone with this setup.

I need an HAR file filtered to Fetch/XHR from the authentication against the iCloud WebUI - based on that I might be able to understand what needs to change in order to support this (Full disclosure: Keep in mind that this HAR file might contain sensitive data - unless you know how to purge it, you need to trust me that I won't abuse this - Please note: since the MFA trust token is location/IP specific I probably won't be able to use the data from those requests anyway)

@steilerDev steilerDev changed the title YubiKey MFA Support Security Key MFA Support Mar 10, 2023
@steilerDev steilerDev mentioned this issue Mar 10, 2023
Open
@krubenok
Copy link

I'll take a more careful look at the contents of a HAR file this weekend and determine if I'm ok sending that over. I have a few other ideas if that turns out to be a no.

@steilerDev
Copy link
Owner Author

Could you maybe check if there is some sort of pulling happening while the WebUI waits for you to confirm the request?

@steilerDev
Copy link
Owner Author

Side note: I documented the sign in flow and all the important data

So that's probably the data you want to purge - most important your password and the X-Apple-TwoSV-TrustToken header. This is the token that allows bypassing 2FA.

@steilerDev steilerDev added class(feature) Indicates work related to a new feature status(backlog) This item is considered for future development and removed status(backlog) This item is considered for future development class(feature) Indicates work related to a new feature labels Jul 5, 2023
@steilerDev steilerDev added status(wontfix) This will not be worked on and removed status(help needed) Help from other people is necessary to resolve this issue labels Oct 15, 2023
@steilerDev
Copy link
Owner Author

Closing due unclear path of feasibility (e.g. how to read security key from the cli tool that most likely will run on a separated machine)

Please re-open in case there are no insights available.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
class(known issue) A known issue that might not be easy to fix or needs additional input. status(wontfix) This will not be worked on
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@krubenok @steilerDev