🔑 All Things Related to Apple ID 2FA 🔑

[rogerluan]

Introduction

Greetings!

In this Discussion I'd like to centralize everything that is known so far about the recent 2FA changes that Apple has been making us go through.

Let's discuss below workarounds that you're using in your project, solutions you tried and didn't work, what we can expect moving forward, and post official Apple updates on this topic 🙏

Context

In the past, Apple IDs didn't have 2FA at all.
Then, when Apple introduced 2FA, it was optional and opt-in.
Later, if you opted in to use 2FA with your Apple ID, it became impossible to turn it off.
Now, 2FA is opt-in for existing Apple IDs, but mandatory for new Apple IDs (and mandatory to Account Holders). And it's still impossible to disable this feature.

The problem here is that Apple's 2FA pretty much can't be authenticated via CLI without human interaction*

This means that the only 100% automatable and fully capable Apple IDs are old Apple IDs that haven't enabled 2FA yet. So I recommend to NOT add 2FA to your Apple ID that you use within your fastlane flow.

Apple 2FA State Of The Union

Pretty much everything about the current state of Apple's 2FA VS Automation can be found in this article https://drobinin.com/posts/keep-using-fastlane-with-apples-2fa-changes/ (shout out to https://twitter.com/Valzevul for the great article!), including:

• App-specific password
• Providing fastlane with an authenticated session in different geographic locations
• Session expiration time
• and more

Linked Issues

2 step verification session times out too fast #17027

Documentation: CI / Seperate Apple-ID for CI isn't correct anymore #16956

Spaceship login failed, when running Fastlane match #16812

2FA code still required for pilot even with FASTLANE_APPLE_APPLICATION_SPECIFIC_PASSWORD set? #16935

Run spaceauth and get FASTLANE_SESSION on CI without UI.interactive #17012

Run spaceauth and get FASTLANE_SESSION on CI without UI.interactive #17011

Other 2FA issues

[rogerluan]

Would this be the solution of all our problems? 😁 https://developer.apple.com/documentation/appstoreconnectapi/creating_api_keys_for_app_store_connect_api

@joshdholtz can you attest? Is that API Key the expected parameters e.g. here? →

[MetaImi]

Hi. I'm trying to upload mac build to AppStore Connect with a 2FA account. I added FASTLANE_APPLE_APPLICATION_SPECIFIC_PASSWORD in the .env file, but deliver still requires password. I'm using CLI so it is not interactive environment. For upload_to_testflight it works, but it says no ipa file found (becuase it is not an ipa, becuase it is mac app). I know that I have to add apple_id and other flags for testflight to make app specific pwd working, but for deliver I could not find any. Tried to dig the source code, but still no luck :(

In the doc it says, it should work with it (If you want to upload builds to App Store Connect (actions upload_to_app_store and deliver) or TestFlight (actions upload_to_testflight, pilot or testflight) from your CI machine, you need to generate an application specific password...) but I can not make it working.

Can you help me with it?

[rogerluan]

@MetaImi I personally don't have experience with that since I've never needed to use the application-specific password, but at this point, I'd just wait till the Apple API Token is deployed in the next release, which should probably happen later this week. This is the PR in question: #17238 and the official docs: https://developer.apple.com/documentation/appstoreconnectapi/creating_api_keys_for_app_store_connect_api

[evgeniisage]

I'm running app resigning and upload to App Store on a MAC agent hosted by Azure DevOps. The session token is added to an environment variable and service connection settings. Yesterday I updated the session token as it was due to expire and performed an upload of an app and it worked like a charm. Today when I tried to upload another app, I got the error message about the token being invalid. After I updated the environment variable and service connection settings with the same exact session token, I got the following output:

[17:30:56]: Login to App Store Connect (***)
Session loaded from environment variable is not valid. Continuing with normal login.
[17:30:58]: Login successful
[17:31:01]: Ready to upload new build to TestFlight (App: 1456359260)...
[17:31:01]: Fetching password for transporter from environment variable named `FASTLANE_APPLE_APPLICATION_SPECIFIC_PASSWORD`
[17:32:16]: iTunes Transporter successfully finished its job
[17:32:16]: Fetching password for transporter from environment variable named `FASTLANE_APPLE_APPLICATION_SPECIFIC_PASSWORD`
[17:32:16]: Going to upload updated app to App Store Connect
[17:32:16]: This might take a few minutes. Please don't interrupt the script.
[17:32:50]: iTunes Transporter successfully finished its job
[17:32:50]: --------------------------------------------------------------------
[17:32:50]: Successfully uploaded package to App Store Connect. It might take a few minutes until it's visible online.

So, I don't believe the session ACTUALLY expires after 6-8 hours as Valzevul stated but rather your pipeline needs a "refresh" of the environment variable with a session token. All things considered, how come the session is invalid but login still completes successfully? What can be done for the pipeline not to start failing the day after updating the session token? This is quite annoying.

Any ideas, @rogerluan?

[rogerluan]

What "token" are you referring to, @evgeniisage ? Is it the new App Store Connect API token?

If not, see my post below 🙏

[rogerluan]

Heads up guys, this issue has been resolved since the App Store Connect API and fastlane now support JWT auth. This API token replaces the need for user/pass credentials, and thus 2FA hacks and workarounds.

Please use this whenever dealing with deliver, match, or other fastlane tools. Note that fastlane doesn't have API token support in all of its tools yet, but the 2 major ones are already in place 🙌

Let us know if you have any questions, issues using it, or wants to use the token with another tool that is not supported yet 🚀

[rogerluan]

UPDATE: As of v2.163.0, cert, deliver, match, precheck, sigh, and register_devices (and probably other lanes!) already support JWT auth.

[viralsavani]

This solution only works for non-Enterprise teams, right? Was able to test it out with the non-Enterprise team we have and API tokens works fine. But for the enterprise team unfortunately there is no way to create API tokens as of yet.

[rogerluan]

Honestly, I actually didn't know about that limitation @viralsavani 🤔 are you saying there's no UI in App Store Connect's website to create your API key?

[viralsavaniIM]

@rogerluan Yeah, unfortunately, that's the case 😞

Here are a links to some discussions on the issue:

• What is app_store_connect_api_key's 'in_house' option for?
• Enterprise 2FA CI Setup
• API Key for Enterprise account

We kind of went around 2FA for our enterprise builds on our CI setup by using fastlane match --readonly. Which we found, doesn't trigger the Apple auth 2FA workflow (causing the build machine to be stuck on user input) if the machine is already provisioned with all the profiles and certs. There is manual intervention every now and then to install new profiles. But something we can live with until there is a proper fix from Apple's side.

[rogerluan]

Yeah, when it's readonly, it doesn't even need credentials (this is documented somewhere 😄)
Glad you found a working solution for you!

[DieIsCast]

I try to use Twilio (https://www.twilio.com) as a solution to receive SMS code from Apple 2FA, but currently I can not receive any incoming messages.
Here are my steps:

1. Upgrade Twilio project
2. Enable numbers to receive SMS from short code https://stackoverflow.com/questions/63160496/im-unable-to-use-a-twilio-phone-number-for-apple-two-factor-authentication
3. Buy a phone number from United States(+1)
4. Add a trusted number in Apple Id security setting
5. No incoming messages log in Twilio dashboard

Can some help me?
Any suggestion and comment are welcome.

[xalikoutis]

Guys in @telnyx are retarded, they disabled my account

[t0rr3sp3dr0]

Here is a PoC I wrote for authenticating to https://developer.apple.com with the MessageBird setup I described above. I used
Amazon Transcribe instead of MessageBird's own transcribe service because it was 100% accurate on my tests, while MessageBird got the transcription wrong a lot of times. Additionally, I did not use the MessageBird library for Python because it lacks some API calls that I need to use.

import boto3
import functools
import io
import os
import re
import requests
import time


class Olympus:
    def __init__(self, base_url='https://appstoreconnect.apple.com/olympus', session=requests.Session()):
        self.base_url = base_url
        self.session = session

    def get_app_config(self, hostname='itunesconnect.apple.com'):
        r = self.session.get(f'{self.base_url}/v1/app/config?hostname={hostname}')
        r.raise_for_status()

        return r.json()

    def get_session(self):
        r = self.session.get(f'{self.base_url}/v1/session')
        r.raise_for_status()

        return r.json()


class AppleAuth:
    def __init__(self, widget_key, base_url='https://idmsa.apple.com/appleauth', session=requests.Session()):
        self.base_url = base_url
        self.session = session

        self.session.headers.update({
            'Accept': 'application/json',
            'X-Apple-Widget-Key': widget_key,
        })

    def post_auth_signin(self, account_name, password):
        body = {
            'accountName': account_name,
            'password': password,
            'rememberMe': True,
        }

        r = self.session.post(f'{self.base_url}/auth/signin', json=body)
        if r.status_code != 409:
            r.raise_for_status()

        self.session.headers.update({
            'X-Apple-ID-Session-Id': r.headers['X-Apple-ID-Session-Id'],
            'scnt': r.headers['scnt'],
        })

        return r.json()

    def get_auth(self):
        r = self.session.get(f'{self.base_url}/auth')
        r.raise_for_status()

        return r.json()

    def put_auth_verify_phone(self, mode, phone_number_id):
        body = {
            'mode': mode,
            'phoneNumber': {
                'id': phone_number_id,
            },
        }

        r = self.session.put(f'{self.base_url}/auth/verify/phone', json=body)
        r.raise_for_status()

        return r.json()

    def post_auth_verify_phone_securitycode(self, mode, phone_number_id, security_code):
        body = {
            'mode': mode,
            'phoneNumber': {
                'id': phone_number_id,
            },
            'securityCode': {
                'code': security_code,
            },
        }

        r = self.session.post(f'{self.base_url}/auth/verify/phone/securitycode', json=body)
        r.raise_for_status()

        return r.json()

    def get_auth_2sv_trust(self):
        r = self.session.get(f'{self.base_url}/auth/2sv/trust')
        r.raise_for_status()


class QH65B2:
    def __init__(self, base_url='https://developer.apple.com/services-account/QH65B2', session=requests.Session()):
        self.base_url = base_url
        self.session = session

    def post_downloadws_listdownloads(self):
        r = self.session.post(f'{self.base_url}/downloadws/listDownloads.action')
        r.raise_for_status()

        return r.json()


class MessageBird:
    def __init__(self, access_key, base_url='https://voice.messagebird.com', session=requests.Session()):
        self.base_url = base_url
        self.session = session

        self.session.headers.update({
            'Authorization': f'AccessKey {access_key}',
        })

    def get_calls(self):
        r = self.session.get(f'{self.base_url}/calls')
        r.raise_for_status()

        j = r.json()
        return j['data']

    def get_legs(self, call_id):
        r = self.session.get(f'{self.base_url}/calls/{call_id}/legs')
        r.raise_for_status()

        j = r.json()
        return j['data']

    def get_recordings(self, call_id, leg_id):
        r = self.session.get(f'{self.base_url}/calls/{call_id}/legs/{leg_id}/recordings')
        r.raise_for_status()

        j = r.json()
        return j['data']

    def get_audio(self, recording_id, recording_format):
        r = self.session.get(f'{self.base_url}/recordings/{recording_id}.{recording_format}')
        r.raise_for_status()

        return r.content


class AWS:
    def __init__(self):
        self.s3 = boto3.client('s3')
        self.transcribe = boto3.client('transcribe')

    def upload_file(self, bucket, key, content):
        stream = io.BytesIO(content)
        self.s3.upload_fileobj(stream, bucket, key)

    def transcribe_audio(self, bucket, key):
        transcription_job_name = key
        transcription_job_name = transcription_job_name[transcription_job_name.rfind('/') + 1:]
        transcription_job_name = transcription_job_name[:(transcription_job_name.find('.') + 1 or len(transcription_job_name) + 1) - 1]

        self.transcribe.start_transcription_job(
            TranscriptionJobName=transcription_job_name,
            LanguageCode='en-US',
            Media={
                'MediaFileUri': f's3://{bucket}/{key}',
            },
        )

        while True:
            transcription_job = self.transcribe.get_transcription_job(
                TranscriptionJobName=transcription_job_name,
            )
            transcription_job = transcription_job['TranscriptionJob']

            transcription_job_status = transcription_job['TranscriptionJobStatus']
            if transcription_job_status == 'COMPLETED':
                break
            if transcription_job_status == 'FAILED':
                raise Exception(transcription_job['FailureReason'])

            time.sleep(1)

        transcript = transcription_job['Transcript']
        transcript_file_uri = transcript['TranscriptFileUri']

        r = requests.get(transcript_file_uri)
        r.raise_for_status()

        j = r.json()
        results = j['results']
        transcripts = results['transcripts']
        transcript = transcripts[0]['transcript']

        return transcript


def main():
    s = requests.Session()

    olympus = Olympus(session=s)

    app_config = olympus.get_app_config()
    auth_service_url = app_config['authServiceUrl']
    auth_service_key = app_config['authServiceKey']

    appleid_user = os.environ['APPLEID_USER']
    appleid_pass = os.environ['APPLEID_PASS']
    apple_auth = AppleAuth(auth_service_key, base_url=auth_service_url, session=s)

    apple_auth.post_auth_signin(appleid_user, appleid_pass)

    auth = apple_auth.get_auth()
    trusted_phone_numbers = auth['trustedPhoneNumbers']
    trusted_phone_numbers = filter(lambda e: e['pushMode'] == 'voice', trusted_phone_numbers)
    trusted_phone_number = next(trusted_phone_numbers)
    trusted_phone_number_id = trusted_phone_number['id']
    trusted_phone_number_push_mode = trusted_phone_number['pushMode']

    apple_auth.put_auth_verify_phone(trusted_phone_number_push_mode, trusted_phone_number_id)
    time.sleep(15)

    messagebird_accesskey = os.environ['MESSAGEBIRD_ACCESSKEY']
    messagebird_caller = os.environ['MESSAGEBIRD_CALLER']
    messagebird_callee = os.environ['MESSAGEBIRD_CALLEE']
    messagebird = MessageBird(messagebird_accesskey)

    while True:
        calls = messagebird.get_calls()
        calls = filter(lambda e: e['source'] == messagebird_caller and e['destination'] == messagebird_callee, calls)
        call = next(calls)
        call_id = call['id']
        call_status = call['status']

        if call_status != 'ended':
            continue

        legs = messagebird.get_legs(call_id)
        legs = filter(lambda e: e['source'] == messagebird_callee, legs)
        leg = next(legs)
        leg_id = leg['id']

        recordings = messagebird.get_recordings(call_id, leg_id)
        recording = recordings[0]
        recording_id = recording['id']
        recording_format = recording['format']
        recording_status = recording['status']

        if recording_status != 'done':
            continue

        audio = messagebird.get_audio(recording_id, recording_format)
        break

    awss3_objectkey = os.getenv('AWSS3_OBJECTKEY', f'{recording_id}.{recording_format}')
    awss3_bucketname = os.environ['AWSS3_BUCKETNAME']
    aws = AWS()

    aws.upload_file(awss3_bucketname, awss3_objectkey, audio)
    transcript = aws.transcribe_audio(awss3_bucketname, awss3_objectkey)

    code_re = re.compile(r'((?:\d\W*?){6})')
    notd_re = re.compile(r'\D')
    
    security_codes = code_re.findall(transcript)
    security_codes = map(lambda e: notd_re.sub('', e), security_codes)
    security_code = functools.reduce(lambda prev, curr: curr if not prev or prev == curr else None, security_codes)

    apple_auth.post_auth_verify_phone_securitycode(trusted_phone_number_push_mode, trusted_phone_number_id, security_code)
    apple_auth.get_auth_2sv_trust()

    olympus.get_session()

    qh65b2 = QH65B2(session=s)

    downloads = qh65b2.post_downloadws_listdownloads()
    downloads = downloads['downloads']

    print(downloads)


if __name__ == '__main__':
    main()

[rogerluan]

That's a pretty good gem 💎 over here ☝️

[t0rr3sp3dr0]

In case someone is interested, I’m maintaining a more complete version of the script above here: https://github.com/inloco/xcode/tree/master/cookiebaker.

The module creates a cookies.txt file so you can have a session authenticated with your developer account in any application or service that is able to read this file. Depending on the use-case, you might want to export some headers as well.

It has been working pretty well. So far, it only failed when the call was breaking up and the code was completely inaudible. Nothing a retry wouldn’t solve.

[schunlee]

how about this solution?
https://apple.stackexchange.com/questions/336842/get-two-factor-authentication-code-from-terminal

[amirvenus]

My approach has been running the spaceauth command and then using this Apple Script to fetch the code:

#! /usr/bin/env osascript
tell application "System Events"
    if name of every process contains "FollowUpUI" then
        tell window 1 of process "FollowUpUI"
            click button "Allow"
            delay 2
            set code to value of static text 1 of group 1
            log (code)
            click button "Done"
        end tell
    else
        log ("Couldn't find 2FA window")
    end if
end tell
return

This might remove the need of having to using an SMS provider and phone number. I am currently using a self-hosted macOS agent for Azure DevOps pipelines.

[schunlee]

and perhaps Google Voice is a good resolution, to fetch 2fa code via gmail api.