[FIDO] 2FA doesn't work when FIDO Security Key is enabled #583
Comments
maxromanovsky
changed the title
|
I've been able to replicate this issue as well in my docker running on my NAS |
|
@maxromanovsky @ChiefGyk3D can you try entering code generated by Security Key Device at the "Please enter two-factor authentication code" prompt, please? |
|
@AndreyNikiforov What code do you mean? Are you thinking of a TOTP code, such as that generated by an app like Google Authenticator? That’s not how FIDO keys work; the application communicates directly with the security key (over USB or Bluetooth or NFC) and there is no code exposed to the user. |
My experience is limited to Yubi Leave-in key (not linked to iCloud). If I have an entry field in focus and touch the key, it spits characters (as if it is a keyboard). If the same behavior is true for other keys that are used (no matter of communication technology), then it should be trivial to test if that stream of generated characters from the device registered with iCloud works out of the box. That was the test I asked for, sorry for confusion. |
|
Ah, I see – you're talking about Yubico OTP, in which the Yubikey appears to the computer as a keyboard. That's different to the FIDO standard used by iCloud, which has its own protocol defining the communication between device and security key, and in which the key does not appear to the computer as a keyboard. |
|
(Unlike Yubico OTP, FIDO requires two-way communication between the computer and security key, which means that the fix for this will be more involved than simply getting some input from the user.) |
There is no "code" to enter when it comes to the FIDO standard. That's what makes it more secure, it has to communicate with our USB keys in a two way fashion. FIDO is becoming standardized across the industry Apple, Microsoft, and many other companies are using it. There are libraries to pass it through in Linux and more. I am even using a FIDO login to get into this GitHub for years. https://fidoalliance.org/how-fido-works/ |
|
It does seem that Yubico provides a Python Library |
|
I am having the same issue, has there been any development into resolving this? If not, is there a way to use SMS to authenticate? It appears that option 0(SMS code) always errors out when you have configured FIDO security keys. |
Can you use SMS for web login to icloud.com? |
|
Yeah, it does block SMS, or any other kind of 2FA, for web access. Apple's security key implementation is also pretty half-baked, and will complain if you're using anything other than Safari or Chrome. |
|
FIDO is not supported. changing |
AndreyNikiforov
changed the title
Overview
2FA doesn't work when Security Key is enabled
Steps to Reproduce
icloudpd --recent=1 -u example@gmail.com -d tmpExpected Behavior
2FA works with the FIDO key or there is an error message that FIDO is unsupported
Actual Behavior
SMS = Error:
TOTP = hangs forever:
Context
The text was updated successfully, but these errors were encountered: