Two-factor authentication (2FA) not implemented #102
Comments
|
Instead of basing ourselves by the |
|
@Bart274 did you find any solution to achieve 2FA? |
|
No not yet :(
|
|
we can't implement it? is there any way? |
|
I have been able to get this code to work for my Apple ID (on which two-factor authentication has been enabled): What is the issue you're experiencing? Maybe I can help by reproducing in my code, or help isolate the difference you might have between your code and mine? |
|
Hello Mike, While implementing it. It returns unauthorized response |
|
Thanks but I don't know how to reproduce the outcome either of you are experiencing without much greater detail (and it's likely that the project participants wouldn't be able to either). To have a fair chance at reproducing your situations, I recommend you supply your issue report with the following:
|
Two-step authentication is an older security method used for accounts without an Apple device, or who are unable to upgrade to iOS 9 or OS X El Capitan. https://support.apple.com/en-us/HT204152 If the account has two-factor authentication enabled, we can still fall back to the end-points for two-step authentication, as we do not support 2FA yet. Issue picklepete#102
|
When will you support 2 factor authentication? |
|
With the current code, if 2FA is enabled, we will fall back to the 2SA code-path, requesting a validation code from a trusted device, e.g. via SMS, and once you are fully authorised the cookie will be saved for future authorisations, so you shouldn't see the popup every time. |
|
@f0nt4 also, please keep home-assistant issues to the relevant bug tracker. |
|
Are you really sure 2FA works?
I developed the icloud component for home-assistant and it only works when people have 2step authentication enabled. For 2FA, the list of trusted devices is empty and it always sends a code when you try to authenticate even when the cookie is saved...
|
|
@Bart274: I switched my account over from 2SA to 2FA, and I have a single trusted device presented when going through the 2SA code path, which is the SMS option. Perhaps you don't have a mobile number associated with your account? With 2FA enabled I remember logging in to icloud.com and clicking "Did not get a verification code? ", and then choosing the SMS option, that might have added SMS as a trusted option? Can you try that? |
|
@Bart274 I'm using your icloud component in HA currently and have iCloud 2FA (NOT 2Step) working, but only for a few hours. If I take the code provided by the 2FA prompt from my MBP or iPhone, append it to the end of my iCloud password in the configuration.yaml file it will authenticate for the first time using the
If I remove the 6 digit code I appended to the end of my password, and re-save the configuration.yaml file, the error will go away, authentication will complete successfully:
and the credentials are stored for what seems to be 6 hours without any new codes being pushed to my devices. After about 6 hours, I have to go through the auth process described all over again. So, it appears 2FA is working with |
|
Would using a app-specific password work? As I don't believe you can use 2FA with a non Apple product... |
|
Unfortunately the app specific password does not work. What we are doing is logging in to iCloud.com, so we are not really an app, we are a "custom web browser" for the iCloud.com website.
- Tor Arne
… On 8 Aug 2017, at 16:07, Bram Kragten ***@***.***> wrote:
Would using a (app-specific password)[https://support.apple.com/en-us/HT204397] work? As I don't believe you can use 2FA with a non Apple product...
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub, or mute the thread.
|
|
I'm having an issue where I'm slightly unfamiliar with the difference between 2FA and 2SA. Is my scenario part of this issue, or is it some separate bug? |
Two-step authentication is an older security method used for accounts without an Apple device, or who are unable to upgrade to iOS 9 or OS X El Capitan. https://support.apple.com/en-us/HT204152 If the account has two-factor authentication enabled, we can still fall back to the end-points for two-step authentication, as we do not support 2FA yet. Issue #102
torarnv
changed the title
|
I've clarified the situation in 69af919 Patches to support 2FA welcome! |
|
@torarnv because this is acting as a custom web browser, can we just save the authentication cookies for 2fa? With any other browser when you log in you can check the box to save the browser and not require a code the next time. Can we do something similar? |
In the meantime, is it possible to support 2SA on an iOS11 device? Apple docs seem to indicate that iOS9+ support 2FA only, so I guess I'd need a really old device to use this, right? |
|
The documentation currently states:
But after multiple attempts, using the 2FA with that code example, it always returns |
|
Could anyone help me? I cannot disable "Two-Factor Authentification" in my settings. Looks like if you changed it to 2FA once, there is no way back(If you know how to do it, please tell me). The two step thing worked for me just one time. The second time I try to rerun the code I get "pyicloud.exceptions.PyiCloudAPIResponseError: Missing X-APPLE-WEBAUTH-HSA-LOGIN cookie". Is this a known issue? Thanks |
|
Same here as @mariusciziunas I have 2FA and was able to log in the first time using this code: from pyicloud import PyiCloudService
api = PyiCloudService(icloud_email, icloud_password)
devices = api.trusted_devices
for i, device in enumerate(devices):
print('%s: %s' % (i, device.get('deviceName', "SMS to %s" % device.get('phoneNumber'))))
api.send_verification_code(devices[0])Followed by: But the second time I tried it, I got: I tried uninstalling and reinstalling pyicloud, but that didn't help. I also tried logging in via the browser from the same machine that I was running the code, in the case that the cookies were being shared with the browser somehow. |
|
Any updates on this issue? |
|
Yes I have successfully done it.
|
|
Since recently 2FA can no longer be disabled, so implementation is highly needed. Can we use https://github.com/ndbroadbent/icloud_photos_downloader implementation? It doesn't require extra coding except accepting auth request on Iphone. |
|
@kylemcdonald and @mariusciziunas were you able to solve your |
|
With apple currently disabling the option to turn off 2FA, is there a way to use this code without 2FA? I had a similar issue using robinhood's API but I was able to use the backup secret key to skip 2FA. Does apple have a similar option? (something like a secret key which can run without 2FA) |
2SA it's working for you ? Working on my side. |
|
I've been using 2FA with my script for a long time now. I lifted the logic from cmdline.py which checks api.requires_2sa and if necessary (and running interactively) does the verification dance. In practice when run from cron this triggers about every two months. When that happens I run the script interactively and then it's good for another two months. cmdline.py also has some nice code for storing the pw in a keyring. |
It works only after entering the authentication code which apple sends to me. I'm curious about storing pw in a keyring. I will try the implementation steps in |
|
The keyring code I referred to is in cmdline.py |
|
@leres I found it later that day, it seem to work. However I'm curious on how it stores the 2fa. Without cmdline.py the 2fa was asked every 24 hours. |
|
You can login to icloud.com and get location of your devices without any prompt on your devices. So I think maybe at least find my iPhone service does not need 2FA? |
|
FindMyIphone does not require 2FA for an obvious reason: you use it when you've lost your phone and don't have access to that second factor. |
|
So can we get location without 2FA (2FA enabled) ? |
@zeeqy I think you mean without the pin that apple generates every time, if so yes you can.. both status and location of a phone can be retrieved without the need of the pin sent to your phone.. |
Thanks, but how do we do it through pyicloud? do you have a code snippet? |
@zeeqy This script tracks the location of the phone and triggers an email if out of desired location from AWS SES but basically lines 50-59 has what you're looking for. If you want anything other than status and location you might want to uncomment lines 29-47 https://github.com/thevickypedia/iPhone_Locator/blob/master/locator.py |
Thank you! You save my little project hah |
|
I would like to trigger the iPhone find my phone functionality programmatically so my phone will beeping so it can be found. Last I tried this, I was dealing with some cookie issues. Has someone figured out a way to get it to work? |
I don't quite get what you mean by cookie issues. All you need is the play_sound() function. Elaborate your issue if you're looking for something further. |
|
Hi just been playing with this library - works great. Is the issue with 2FA likely to be resolved? It works but times-out after a few hours. |
|
I just set this up and while it appears to be working - things like battery graphs are updated properly. But every half hour I get: 2020-12-08 08:23:49 INFO (SyncWorker_2) [pyicloud.base] Authenticating as user@gmail.com When this happens I get the notification on my phone that a device is attempting to log in and allow or deny it, and it prompts with the pass code if I allow it, but even if I deny it, which I have been doing for a day now, everything still updates properly. Any ideas? |
|
@ajjack50n @B3DTech Apple made the 2FA mandatory in new devices so as far as my knowledge there is no way around it. You can try the keychain option but still you need an initial authentication to kick start any script using this lib, it works without needing a 2FA for ~12 hours after which it will prompt for the auth code. As of now Apple hasn't launched any authenticator (like Duo or Okta) to do this. If they do launch one, then it might be easy to authenticate using a secret bypassing the annoying 2FA by Apple. |
|
I am not certain I fully understand. Do not apple use, themselves, the same services to enable their own devices to subscribe to iCloud? Why is it that I do not have to keep authenticating my phone for instance? Is it not not possible to exploit the same integration patterns? |
You can do nothing about it. I ping my iPhone location every 4 hours. Location service is designed for lost and found, so 2FA is not required since you might not have your device to allow it. But that is a login attempt, it will pop up the notification on your device. As far as I know, there is no way to avoid that annoying allow or deny prompt. |
In layman's terms, it is because your phone has other security measures and it is verified by Apple so it is possible to launch iCloud on your phone without the need of a 2FA, when you use the pyicloud api Apple recognizes the source isn't what your device is so it is natural to kick off a 2FA. |
|
Quick update: Some work has to be done to merge one other fix and update the documentation, but we are close to closure on this issue. |
|
We will be able to close this with #321 |
|
Fantastic news this guys! |
|
@nzapponi - Just saw it pass review on HA/core/dev branch. Congratulations - it's getting closer! |
and others
Hi,
I use pyicloud in the device_tracker entity in Home Assistant.
My users have noticed 2factor authentication isn't working, it works for 2steps authentication?
The text was updated successfully, but these errors were encountered: