Two factor authentication - a couple of questions

Posted on
Thu Jul 14, 2016 12:58 pm
Chameleon offline
Posts: 611
Joined: Oct 04, 2014

Two factor authentication - a couple of questions

One of the features that's been requested is the ability to use two factor authentication (2FA).

From what I can understand this was introduced in iOS 9/El Capitan as a more secure login technique and I want to check to see if users who want this feature understand and can help me define the use case.

As I understand it:

    2FA is an optional feature that a user can switch on or off

    It depends on creating 'trusted devices' (e.g. personal iPhone or iPad)

    When a user signs into a 'new' device a verification code can be requested which is sent to a 'trusted' device selected by the user

    The user then signs into the 'new' device with a password and the 6 digit verification code

    The login is then authenticated and the verification isn't required again for approximately 2 months

If 2FA is used on an Apple Account then the user will have to 'trust' the browser on the device that the Indigo Server is running on

For me that indicates the following use case:

Part 1 - Initial setup

    If a 2FA requirement is detected then the 'browser' that iFindStuff uses needs to be verified. The plugin would have to recognise that 2FA is turned on and that a user hasn't authorised the plugin to login (e.g. it's not a trusted login). The plugin uses a faux browser which isn't the one that you'd normally use on your system.

    A user needs to be able to select 'trusted' device for the verification code

    The code is sent and then the user enters it to trust the browser for future logins

Once done - the user is only required to use the normal Apple Id and Password for future logins until they fully sign out, their password changes or after a set period from Apple (currently 2 months)

Part 2 - iFindStuff

Once the browser is 'trusted' iFindStuff can log into the Apple Id in the normal way unless there is a requirement to verify again, at which point the 'Part 1' process will need to be re-run and the plugin disabled until this is completed

From a user perspective that would mean a couple of extra steps to get iFindStuff working. From a development perspective I think that we would need a separate process to manage Part 1 correctly. There would also be a need to advise the user when the verification is required again.

So I'm proposing the following approach:

    On startup iFindStuff will check to see if 2FA is required for each Apple Account Device created

    If required - a separate dialog box will open which will a) show all trusted devices, b) ask the user to enter their Apple Id and Password and c) ask the user to select a device to be used (e.g. sent the 6 digit code)

    When the code and device are entered the plugin will verify the device and the faux browser it uses. It will record the verification approval and the date/time that it was accepted

    In use - iFindStuff will check to ensure that the account access is 'trusted' and then log in in the normal way if it is

    If the 2FA fails iFindStuff will be disabled and the user will be sent an email/advised in the Indigo Log on a daily basis that iFindStuff is non-operational until the verification process is completed again

    If the user changes their login process (e.g. 1FA) then iFindStuff will revert to the current process of using the Apple Id and Password only


My sense check here is that iFindStuff will be automatically disabled for any account that hasn't got a 'trusted' status for iFindStuff. 1FA accounts in the same Indigo set up would carry on working as usual but this is likely to be an unusual scenario and I'd probably give the user the option to disable all accounts in the Indigo set up if 2FA failed for one of them.

Current prototyping

I've looked into how this can be achieved and I'm fairly certain that I can do all of the above. I'll need to test that it works correctly but the actual development doesn't look that complicated (assuming that Apple haven't introduced any curve balls such as on-going security messages).

So far I've tested:

    Identification that an account uses 2FA

    Listing 'trusted devices' on an account

    Sending a verification request and getting a code on my iPhone

    Entering the code into a dialog box and verifying iFindStuff as a trusted app

    On-going iFindStuff access

I can do all of these from a python command line as I've proved today but I've got to test that I can either do it inside a plugin or, as I've done before, create an external programme that the plugin accesses to complete the verification process. That's the piece I've got to work on now.

It would be good if someone could check my understanding of the 2FA process above and confirm that they're happy with the two stage iFindStuff process for users. If users are using the current 1FA login process there will be no change to how they see the plugin working.

Thanks

Mike
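
The trust bookkeeping proposed in the post above, sketched as an added example that is not part of the original thread or of the iFindStuff plugin. The `Account` record, the function names and the 60 day window are assumptions made for illustration; only timestamps are stored, never the verification code.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Assumptions: 60 days stands in for the thread's "approximately 2 months";
# Apple can revoke trust sooner, so a rejected login always overrides it.
TRUST_WINDOW = timedelta(days=60)
NOTICE_INTERVAL = timedelta(days=1)  # "advised ... on a daily basis"

@dataclass
class Account:  # hypothetical record; holds timestamps only, never the code
    apple_id: str
    uses_2fa: bool
    verified_at: Optional[datetime] = None
    last_notice: Optional[datetime] = None
    enabled: bool = True

def next_action(acct: Account, now: datetime) -> str:
    """'login' = Apple Id and password only; 'verify' = run Part 1 first."""
    if not acct.uses_2fa:
        return "login"  # user reverted to 1FA, or never enabled 2FA
    if acct.verified_at is None or now - acct.verified_at >= TRUST_WINDOW:
        return "verify"
    return "login"

def record_verification(acct: Account, now: datetime) -> None:
    """Call after the 6 digit code has been accepted."""
    acct.verified_at, acct.last_notice, acct.enabled = now, None, True

def record_rejection(acct: Account) -> None:
    """Apple asked for verification again although we believed we were trusted."""
    acct.verified_at, acct.enabled = None, False

def notice_due(acct: Account, now: datetime) -> bool:
    """Throttle the 'non-operational' warning to one per day per account."""
    if acct.enabled:
        return False
    if acct.last_notice is None or now - acct.last_notice >= NOTICE_INTERVAL:
        acct.last_notice = now
        return True
    return False

def startup(accounts: List[Account], now: datetime, disable_all: bool = False) -> List[str]:
    """Disable untrusted accounts; optionally disable every account if one fails."""
    failed = [a for a in accounts if next_action(a, now) == "verify"]
    for a in accounts:
        blocked = a in failed or (disable_all and bool(failed))
        a.enabled = not blocked
    return [a.apple_id for a in accounts if a.enabled]
```

`record_rejection` covers the case where Apple demands verification before the local timer expires, so the stored timestamp is only a hint and the server's answer stays authoritative.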

Posted on
Thu Jul 14, 2016 1:04 pm
TOPS offline
Posts: 169
Joined: Jun 17, 2015
Location: London, England

Re: Two factor authentication - a couple of questions

Hi Mike,

Don't really know enough about the 2 step to comment, I'm happy how IFS works as it is as long as it works.......

Dave

Posted on
Thu Jul 14, 2016 1:07 pm
rapamatic offline
Posts: 168
Joined: Aug 03, 2015
Location: Glencoe, IL

Re: Two factor authentication - a couple of questions

Mike - I agree with your understanding of the process, but there might be an easier approach. You can generate app specific passwords on the Apple ID website. That is currently how many third party apps (like BusyCal) authenticate with 2FA.

In fact, I should have thought to try this already. I'll see tonight if I can just plug in the app specific password right into the plugin. Might be an easy fix!


Sent from my iPhone using Tapatalk

Posted on
Thu Jul 14, 2016 1:23 pm
Chameleon offline
Posts: 611
Joined: Oct 04, 2014

Re: Two factor authentication - a couple of questions

rapamatic wrote:
Mike - I agree with your understanding of the process, but there might be an easier approach. You can generate app specific passwords on the Apple ID website. That is currently how many third party apps (like BusyCal) authenticate with 2FA.

In fact, I should have thought to try this already. I'll see tonight if I can just plug in the app specific password right into the plugin. Might be an easy fix!

That would be a good fix. It would be interesting to see how that works.

Mike

Sent from my iPhone using Tapatalk

Posted on
Thu Jul 14, 2016 1:37 pm
rapamatic offline
Posts: 168
Joined: Aug 03, 2015
Location: Glencoe, IL

Re: Two factor authentication - a couple of questions

I couldn't wait and tried to enter an app-specific password now, but it failed... maybe your code needs to somehow submit it differently if it's using an app-specific password?

I know this is more from an end-user, vs developer perspective, but here is Apple's info on app-specific passwords:

https://support.apple.com/en-us/HT204397

Posted on
Thu Jul 14, 2016 1:48 pm
Chameleon offline
Posts: 611
Joined: Oct 04, 2014

Re: Two factor authentication - a couple of questions

rapamatic wrote:
I couldn't wait and tried to enter an app-specific password now, but it failed... maybe your code needs to somehow submit it differently if it's using an app-specific password?

I know this is more from an end-user, vs developer perspective, but here is Apple's info on app-specific passwords:

https://support.apple.com/en-us/HT204397


I'll read it through and experiment...

Posted on
Thu Jul 14, 2016 6:58 pm
GlennNZ offline
Posts: 345
Joined: Dec 07, 2014

Re: Two factor authentication - a couple of questions

Hi Mike (thanks for your comments in other email thread - which I have replied to there)

Replying through quite a bit of jet-lag :cry:

Agree with your process for complete full support.

But additionally the Pyicloud site appears to mention that 2FA may not be required for location data alone? (I linked in the other post)
https://github.com/picklepete/pyicloud/ ... d901221159

Quote above:
Add support for two-factor authentication
When 2FA is enabled in iCloud most iCloud services are unavailable
without first going through the 2FA handshake. We now have API to
initiate the 2FA, which can be used by more advanced API clients.

The built in command line 'icloud' application has not been updated,
as listing and managing devices though Find my iPhone is one of the
services that do not require 2FA.

Fixes issue #66.


I had the impression that the logon checks had changed (if 2FA was enabled) - but it is possible that you may not need to do a full 2F-authenticate on your devices just to access location data.

Absolutely untested and clearly this may be old, superseded with 2FA for everything - but probably worth a look first?

Glenn

Posted on
Sun Aug 14, 2016 7:51 am
Londonmark offline
Posts: 301
Joined: Feb 29, 2012

Re: Two factor authentication - a couple of questions

Hi Mike,

Just wondering if you are making any progress on this. Really missing iFindStuff but really don't want to sacrifice 2FA! Realise it's probably quite a tricky problem though. Also aware that I didn't respond to your original request for info. Is there more you need?

Thanks as always

LM

Posted on
Thu Aug 25, 2016 3:18 am
durosity offline
Posts: 3491
Joined: May 10, 2012
Location: Newcastle Upon Tyne, Ye Ol' England.

Re: Two factor authentication - a couple of questions

Excited for the travel plugin, but I don't suppose you've had a chance to revisit 2FA for iFindStuff? I'd love to get that all setup too :D

Computer says no.

Posted on
Thu Aug 25, 2016 3:43 am
Chameleon offline
Posts: 611
Joined: Oct 04, 2014

Re: Two factor authentication - a couple of questions

durosity wrote:
Excited for the travel plugin, but I don't suppose you've had a chance to revisit 2FA for iFindStuff? I'd love to get that all setup too :D

Hey

Yep I've got a proof of concept working now but I got distracted with iTravel - typical developer :roll: . Now that's going to be released tomorrow this is next on my priority list. To be honest, it doesn't seem that difficult now I understand the process (a statement I will probably come to regret). I'll PM you with an update in the next day or so.

Mike

Posted on
Thu Aug 25, 2016 3:47 am
durosity offline
Posts: 3491
Joined: May 10, 2012
Location: Newcastle Upon Tyne, Ye Ol' England.

Re: Two factor authentication - a couple of questions

Chameleon wrote:
a statement I will probably come to regret


Yes. Yes you will. mwhahahahAHAHAHAHAHAAAAAAAAAAA.......

Computer says no.

Posted on
Thu Sep 22, 2016 8:27 pm
Sharek326 offline
Posts: 310
Joined: Jul 20, 2014
Location: Lansford, PA

Re: Two factor authentication - a couple of questions

Any progress on the 2 step? With the release of the new macOS one of the coolest features is having your Apple Watch unlock your Mac. But it requires 2 Step to be enabled. So I have to make a choice of having Indigo and iFindStuff working or being able to unlock my Mac by walking up to it.

Posted on
Fri Sep 23, 2016 1:42 am
durosity offline
Posts: 3491
Joined: May 10, 2012
Location: Newcastle Upon Tyne, Ye Ol' England.

Re: Two factor authentication - a couple of questions

Another post he made the other day said he was working on it and would be a couple of weeks I think. Looking forward to it. :D

Computer says no.

Posted on
Tue Oct 04, 2016 6:12 am
Londonmark offline
Posts: 301
Joined: Feb 29, 2012

Re: Two factor authentication - a couple of questions

Me too...

Posted on
Wed Oct 12, 2016 7:52 pm
jalves offline
Posts: 463
Joined: Jun 16, 2013

Re: Two factor authentication - a couple of questions

Wishing I had read this thread before I enabled Two Factor Authentication. Looking forward to a work around.

Running Indigo 7.1.1 on a 27" iMac (mid-2017), 8G memory, 1T Fusion Drive, OS X 10.13.6
Jeff
