Security Key MFA Support

[steilerDev]

I'm in a similar position with advanced data protection and a yubikey on my Apple ID. With this combination of security settings, the sign in prompts I receive on other devices don't have MFA codes, but rather just "ok" or "that wasn't me". 

Originally posted by @krubenok in #202 (comment)

[steilerDev]

I currently don't have an account setup using a Security Key (neither do I plan to do so).

In order to investigate this use case, I need support from someone with this setup.

I need an HAR file filtered to Fetch/XHR from the authentication against the iCloud WebUI - based on that I might be able to understand what needs to change in order to support this (Full disclosure: Keep in mind that this HAR file might contain sensitive data - unless you know how to purge it, you need to trust me that I won't abuse this - Please note: since the MFA trust token is location/IP specific I probably won't be able to use the data from those requests anyway)

[krubenok]

I'll take a more careful look at the contents of a HAR file this weekend and determine if I'm ok sending that over. I have a few other ideas if that turns out to be a no.

[steilerDev]

Could you maybe check if there is some sort of pulling happening while the WebUI waits for you to confirm the request?

[steilerDev]

Side note: I documented the sign in flow and all the important data

So that's probably the data you want to purge - most important your password and the X-Apple-TwoSV-TrustToken header. This is the token that allows bypassing 2FA.

[steilerDev]

Closing due unclear path of feasibility (e.g. how to read security key from the cli tool that most likely will run on a separated machine)

Please re-open in case there are no insights available.