Apple enforcing 2FA for *all* accounts - CI servers

[levibostian]

Got an email from Apple.

Starting February 2021, additional authentication will be required for all users to sign in to App Store Connect. This extra layer of security for your Apple ID helps ensure that you’re the only person who can access your account. You can enable two-step verification or two-factor authentication now in the Security section of your Apple ID account or in the Apple ID section of Settings on your device.

Currently, fastlane recommends creating a new apple account without 2FA enabled to provide an easy way to integrate fastlane with your CI server.

With this new change, what is recommended? At a minimum, this probably requires a change to the docs to give a new recommendation for how to authenticate with CI servers. But it might require something else to make life easier for us using fastlane with a ci server?

What should we do to handle this new requirement?

[peterlauri]

Use the https://docs.fastlane.tools/actions/upload_to_testflight/#use-an-application-specific-password-to-upload together with upload_to_testflight. Just be careful. The apple_id is not the username, it is the Apps Apple Id, like "1234567890".

[levibostian]

Thanks for the suggestion. However, I am pretty sure that the app specific password only impacts uploading artifacts to TestFlight. All other operations through spaceship does not use this app specific password?

[max-ott]

Application specific password only works for a very small fraction of CI interactions. The App Store Connect API looks much better, it should support most of the CI interactions, but also has some limits.

[dinsen]

As mentioned by @levibostian and @max-ott, it's not possible to use the app specific password to a lot of the functions available in Spaceship.

We are managing 150+ developer accounts on our CI and we still use:
Spaceship::Portal.fetch_program_license_agreement_messages
Spaceship::Tunes::Application.in_app_purchases
Spaceship::Tunes::Application.in_app_purchases.get_shared_secret
Spaceship::Tunes::AppAnalytics.app_crashes

And in Q1 of 2021 we will extend the use of Spaceship::Tunes::Application.in_app_purchases to also create non consumable.

Most of our accounts don't have 2fa enabled yet and the few we have, I manually run spaceauth once in awhile.

So there is still a lot of use cases where we rely on the username/password login.

[dinsen]

I can't recommend enough that when ever it’s possible, you should use the API key!
We have seen an incredible improvement in performance when using it.

I think I run spaceauth once a month for the accounts that have 2fa enabled.

[tguidon]

@dinsen how did you go about setting up API keys for 150+ apps you manage? Was there a way to automate this? It seemed like at the very least some manual clicking around had to happen on App Store Connect.

[dinsen]

@tguidon it's an ongoing process since we need the account holder to request access to the Connect API 👎
And afterwords depending on the role our customer gave us, we or the customer needs to create the key manually.

Currently we are only at 40 of 150+ accounts 😥

[tguidon]

@dinsen 😅 that was the answer I was hoping to not hear, but expected! Luckily we are admins on all client accounts so we could make this for them, but that is a lot to wrangle.

[rogerluan]

Sounds like it'd be super helpful to have an automated way to create the api key, but.. don't think that will be possible using official APIs for obvious reasons 😂 not sure if it can be automated using the old methods 🙃 😅

[rogerluan]

Hey @levibostian 👋

Based on internal statistics with a small sample, only about ~50% of users got that email. I'm an admin in 2 teams and didn't receive the email in any of them 😅
That leads me to think that they're a/b testing the adoption of 2FA based on the emails they sent out. Probably, if the adoption is large, they might actually enforce those changes at the given date, or close to that. But I strongly believe that, just like Fabric's sunset and other large changes made by big tech, they gauge users' needs and postpone deadlines when developers need them to.
That doesn't answer your questions though, it's just a side comment 😇 Now to your questions…

I second @dinsen and, whenever you can use the API key, please do it. Note that the API key is very limited when compared to the old APIs, but new APIs are added regularly, so it's a process. One of the biggest limitations as of today is not supporting enterprise accounts, and key endpoints such as downloading dsyms.

The next best option is creating a session and attributing it to the FASTLANE_SESSION env var. I strongly recommend creating that session by ssh'ing into your CI machine so that it's created in the same geolocation (and IP) as the machine that is going to consume the session - otherwise, if the place where the session is generated VS consumed varies wildy (e.g. changes timezone, ip), then the session might instantly expire upon usage (there have been reports of this happening).

FWIW I'm personally avoiding adopting to 2FA until I can't delay it anymore, because it's a major hassle, and because I'm privileged to have an account without 2FA enabled. 😬 If that's an option for you, it makes things much easier.

I agree docs should be updated, at the very least. I'm not sure there will be a better solution other than these, for the time being, since we're blocked by Apple releasing more APIs for us. I believe that if we can have them delay that deadline, that'd be better for us (since we can't make them release more APIs faster 🤓 )

_{these opinions are my own 😇}

[rogerluan]

By the way there's a relevant thread about this subject, I suggest checking its resources :) #17059

[dinsen]

I think Apple will go hard on the date for enabling 2FA in February.
If you manage a lot of accounts like I do. I really fear this and I don't want to make: fastlane spaceauth -u for 150+ accounts once a month 👎

Even if Apple will add more endpoints to the App Store Connect API, they will never add all the features Fastlane have with the session based login.
So I really think we should have something like this PR: #17487
At least for a year or two.

[rogerluan]

I totally feel your pain! I'm very in favor of adding something like what that PR proposes 😊 it will certainly help a lot.

[ChristopherDrum]

Well, I just got my email for this less than a week ago. Thanks for the advanced warning, Apple 😑

[Cpilgaard]

Hi all,

Since we are close to entering February, I am just wondering if there are any news/suggestions on what should be done in order to apply to the new changes e.g. a guide on what to do?

[max-ott]

That's not correct. Starting February 2021 all Apple IDs linked to an App Store Connect account will require 2 Factor / Step Authentication enabled. Currently this only applies to the Account Holder. Unfortunately this will change soon.

[Cpilgaard]

Mhm.. But this link: https://developer.apple.com/support/authentication/ says:

Who is required to enable it?
Only developers with the Account Holder role (formerly the “Team Agent”) in the Apple Developer Program, Apple Developer Enterprise Program, or iOS Developer University Program need to enable two-factor authentication. Developers who are registered for a free account or who have other team roles are not required to enable two-factor authentication.

[max-ott]

Please check the huge text below the title on the same page:

Starting February 2021, two-factor authentication or two-step verification will be required for all users to sign in to App Store Connect.

[timsutton]

These two statements really seem to me to be contradicting one another. (i.e. is it all users or just the users with the Account Holder role?)

[timsutton]

I should have read the statement at the top of https://developer.apple.com/support/authentication/ more thoroughly, though. They do have:

In an effort to keep your account more secure, two-factor authentication is required for Account Holders of a developer program to sign in to their Apple Developer account and Certificates, Identifiers & Profiles. Starting February 2021, two-factor authentication or two-step verification will be required for all users to sign in to App Store Connect.

..the previous sentence containing "is required for Account Holders of a developer program," and with the capitalization meaning the role, and not just the plain english of 'account holder of an account'.

[absimas]

API keys cannot be linked to specific apps and the Account Holder (if you're not him) might be hesitant to provide you with one.
What are the alternatives to using an API key?

[dinsen]

Only the Account Holder needs to request access to the API. Then Admin roles can generate the API key.
In case you don't have Admin role, then ask one to generate an API key for you.
Alternative is you need to enter the 2FA code manually.

[m-ruhl]

Apple send a reminder email yesterday:

Starting February 2021, additional authentication will be required to sign in to the Users and Access section of your Apple Developer account in an effort to ensure security.

Can we interpret that it only applies to the user management and not other parts?

[dinsen]

I will expect it's for all parts of App Store Connect.
Received this in an email from Apple yesterday:

Starting February 2021, additional authentication will be required for all users to sign in to App Store Connect. This extra layer of security for your Apple ID helps ensure that you’re the only person who can access your account.

[m-ruhl]

Ah, I received two kinds of mails from Apple..
I think the "Users and Access" probably refers to the Enterprise-Account and the other to AppStore ones..

[ReinierWieringa]

I'm receiving 2FA email reminders on my developer (non 2FA) account that I use to build apps on a CLI environment. So from February this will be a problem.

Most Fastlane tools support Apple's Connect API, see https://docs.fastlane.tools/app-store-connect-api, like uploading screenshots, meta data and building for review or testflight. This seems to be the way, but unfortunately I'm missing a possibility to register new app bundle id's (for unexisting apps).

Fastlane 'produce' can do this, but doesn't support the Connect API. But the Connect API supports registration of new bundle id's and update bundle capabilities. See: https://developer.apple.com/documentation/appstoreconnectapi/register_a_new_bundle_id

Any possibility that an existing (Produce) or new tool will cover this generation and updating of app bundle id's in Fastlane?

[ReinierWieringa]

Thanks @max-ott ! I didn't know that.

Which fastlane tool can I use with the Connect API to register new app bundle IDs and update app capabilities (only on ADC)?

[dinsen]

I actually don't think the creation of bundle id's with the App Store Connect API is made yet.
I can only find the get part:
https://github.com/fastlane/fastlane/blob/master/spaceship/lib/spaceship/connect_api/provisioning/provisioning.rb#L16-L28

[ReinierWieringa]

Thank you @dinsen !

I'm afraid so.. So it seems for now that new app bundle IDs and capabilities have to be created / updated manually in ADC from February.

[febaisi]

Hm. The day has come. I was using 'Produce' to create and ensure that apps exist in AppStore Connect but as we know 'Produce' doesn't talk to AppStoreConnect API. Maybe we should raise a flag about it.
I am no longer able to use produce in my pipelines.

Let me know if you have any solution or workaround.

[max-ott]

Use Apple ID for authentication. Feel free to open a radar with Apple. I don’t think they read the discussions/issues here.

[Mustafa-Ezzat]

Hey guys, does API store connect support download_dsyms action?

[dinsen]

No 😞

[Mustafa-Ezzat]

so the only way to download_dsyms after apple enforce 2FA is FASTLANE_SESSION?

[dinsen]

Yes, have a look here: #17485

[Mustafa-Ezzat]

awesome, thanks for your support!

[mway-niels]

We were able to implement a semi-automatic way using a Node.js script and custom SMS Gateway API. However, we are still running into issues because we are asked (by fastlane) to also specify an application specific password via the FASTLANE_APPLE_APPLICATION_SPECIFIC_PASSWORD variable (this is per Apple ID, we're managing around 20 at the moment). While this approach does seem to work, we can't imagine this is the setup Apple intended when they announced to enforce 2FA for all Apple IDs.

We understand the alternative (or solution) is to use the AppStore Connect API. Unfortunately, as per our research, this isn't an option since this API doesn't support enterprise accounts.

Do you have different experiences or further information on how you handle this change in your company?

[dinsen]

There is a PR #17487 that introduce FASTLANE_2FA_CODE .

But since the creator have not signed the CLA, it will not be released.

[mway-niels]

This seems like more of a workaround instead of a long term solution?

[dinsen]

Well in the long term there will hopefully not be any cases where we need to interact with 2FA.
It all depends on Apple, when they extends the App Store Connect API. Both with new endpoints and support for Enterprise accounts.

[mway-niels]

Very disappointing of Apple to enforce this change without a finished solution that covers all use cases (IMHO).

[rap-morgan]

There is a PR #17487 that introduce FASTLANE_2FA_CODE .

But since the creator have not signed the CLA, it will not be released.

Seems like they are having trouble getting the signing to work.

[wow-such-amazing]

My assumption is that these new 2FA restrictions should become live today. However I was still able to upload an app using an account without 2FA. I had a prompt though, when logging in in browser, to enable 2FA, but I was able to skip it. Does it mean that restrictions were not fully launched yet? Or maybe old accounts without 2FA will continue to work?

[mway-niels]

Maybe your old session was still valid?

[anh1979]

Same with our setup - yesterday it worked fine, today there is this message.
In the browser I am able to 'work' my way around activating it - and I can enter the App Store without having it activated. But in our workflow the CI gets an error. It's logging:

trying Spaceshop login with user xxx@yyy.com
Available session is not valid any more. Continuing with normal login.

then:
<Spaceship::AppleIDAndPrivacyAcknowledgementNeeded: Need to acknowledge to Apple's Apple ID and Privacy statement. Please manually log into https://appleid.apple.com (or https://appstoreconnect.apple.com) to acknowledge the statement.>

I need to find a way to automate this a.s.a.p. :-/

[budioktaviyan]

Although, error message on ci server doesn't seems related to the issue #lmao

Need to acknowledge to Apple's Apple ID and Privacy statement. Please manually log into https://appleid.apple.com (or https://appstoreconnect.apple.com) to acknowledge the statement.

[dinsen]

@anh1979
The easiest way will be to use the API Key, since this will be the future for Fastlane.
Is it not possible for you to generate one?

[anh1979]

@dinsen: Sorry, got your question late - we generated the API Key for nearly all of our teams now (there are several), but we also have to use the spaceauth / fastlane_session for our automated jobs which are using PEM and PRODUCE or update app privacy settings for example.
Kind of semi-automatic solution now, but at least it works.

Thank you.