Ygthkb

According to various reports, Apple is imminently going to force developers to use 2FA with their Apple IDs, but it’s not easy to understand exactly how Apple’s implementation will work.

Please don’t waste time criticizing my use case requirements below. I work in and on data security tools and I know my requirements are unusual. Apologies in advance for the length, but I want to spell out everything and see if others can help fill me in on what is possible, or potentially what is impossible. I’d rather give as much info as possible right from the beginning. If more info is needed, please ask.

I have several iOS devices, none of which have “data”. Imagine that they are all iPads or iPod touches. They access the internet via Wi-Fi over VPN. Apple’s support document seems to say that you can manage their 2FA without data, but they seem to assume that you have SMS available or at least an active phone number — and that you’re okay giving it to them.

1. 
   

   I don’t use SMS. At all. Yes, really. It’s not secure in any way, shape or form, it certainly shouldn’t be a part of a security system. In fact, I don’t own a cell phone right now, and I don’t have regular access to a land line anymore, or at least not when I’m working. So when Apple speaks of a “trusted phone”, that’s not applicable to me during most of my development hours.

   
   
   

   If it was purely a one-off SMS verification sent, then one could simply buy a burner SIM, or even ask a friend (bad idea), but if a phone# gets entered into Apple’s 2FA system, I think we can presume that number will be needed on an ongoing basis, even if infrequently. I’m not going to back myself into an unrecoverable corner.

   
   


2. 
   

   I do not (will not) use iCloud. I don’t store any data in the cloud on servers owned by others, not even Apple. If this new 2FA requirement means that one cannot develop iOS apps and install on their own iDevices without having an iCloud account, that’s very troubling. Hopefully someone can confirm or deny this with certainty.

   
   
   

   The article: Get a verification code and sign in with two-factor authentication, seems to imply that one does not need iCloud, and you can get a Verification Code while offline, which I've done on my iDevice, but I have no way to test it, because I don't know how it integrates into Xcode.

   
   



3. It doesn’t look like 2FA options that are actually relatively secure, like Yubikey, are available. Any info on this?




4. Is this new 2FA requirement only for devs with published apps? Or will it affect the ability of those of us who write internal (not enterprise scope) apps to install on our own devices? The Apple ID email associated with this developer account has not received any email about this, the only way I knew is because it’s being discussed on various forums.




5. When does a 2FA request kick in? If it’s triggered based on a new IP address that’s a problem. When my iOS devices connect to the Internet (infrequently) it’s always via VPN, so different public IP addresses all the time. My development laptop is usually fully disconnected from the public Internet, but when it is connected it will have a variety of IP addresses as well, though not necessarily via VPN. If 2FA is triggered based on some attribute of each device, then how is that stored/determined? I never allow my browsers to use local data storage, I don’t allow cookies except momentarily to sign into one of a couple sites, like https://appleid.apple.com/; then they’re deleted immediately.




6. Xcode on my development laptop does get to talk to the Internet, but only to a few of Apple’s developer servers, and only when I need to update the provisioning certificate. If there’s a short lapse I can usually live with that because of the iOS simulator. So less than once/week on average.




7. Like many devs, I use a personal Apple ID for my personal device/apps/music, but a different Apple ID for development. From what I’ve read, this 2FA requirement is going to be a huge PITA for many developers. Is there an easy way to deal with this? I’ve just updated one of our older devices to iOS 12 (didn’t want to, but this 2FA move kind of forced the issue), linked it to my developer AppleID. While this device is fully offline, I can go into Settings → AppleID → Password & Security to generate a “Verification Code”. If that’s all I need for this process, I’ll usually be okay, because I can try to keep that device with me at all times, even if it’s not particularly convenient.

So there are a several questions above that I’m looking for answers, but one more self-contained question is this: With the above constraints, will I be able to continue to use Xcode on my laptop and push apps to our own devices? If Xcode simply chokes when I request an updated provisioning certificate and I can generate an associated Verification Code on my offline mobile device, that’s not a problem. But I don’t see how I can even enable their terrible notion of 2FA on the laptop. Not that I want it anyway, my own security systems are better right now, so it will merely be an inconvenience at best, and if SMS is a hard requirement, then it would be a downgrade. For me anyway.

An aside; you might wonder how one can get any work done with my setup, but it’s not that bad, I only need to connect my dev laptop to the internet about once/week or so to reload provisioning certificates. The iDevices only need to connect to the open internet (via VPN) when Xcode is actually pushing the apps onto them.

Another reference, this post:

Ability to add non-SMS 2-factor auth to an Apple ID?

links to an Apple Support page that says SMS is required, but that’s for 2-step verification, not 2-factor authentication.

There are so many different related questions and articles, but they all seem incomplete and/or in conflict with each other.

The new 2FA requirement is not concerning a new 2FA system - it is the same 2FA system that Apple ID users have had available for a very long time now. You can find tons of guides and information about this on the net.

You seem to be asking many different questions all revolving around the same theme. Therefore I will give you a general answer, but if you want specifics about each sub question then ask it as its own question.

Yes, you can use 2FA without using iCloud Drive, without syncing with iCloud Photos, without using iCloud mail, etc. You need nothing more than the Apple ID you already have.

Yes, you do need a working phone number. It does not have to be SMS, as you can request a voice message instead.

No, you will not need to use this method regularly. It is intended only for when you have forgotten your password or want to do account recovery.

Yes, 2FA devices work perfectly well offline. You are not suddenly requires to be online all the time. If you want to interact with Apples servers for downloading provisioning profiles you’ll need to be online, but that has always been the case.

No, you’re not going to be generating and entering 2FA codes all the time. You do this once per “system” and a token is stored that means you won’t have to do it again on that system until you change your password or otherwise revoke the token. A system could be a browser, Xcode or whatever you use to talk with Apple’s systems.

No, you cannot use Yubikeys or similar. You can use Apple devices such as for example a phone with a Secure Enclave. It is the same principles as the Yubikey using TOTP with a secret stored in the Secure Enclave.

The 2FA request is not initiated when you connect to the internet. It is only when you specifically tries to access something on Apple’s system without having a pre-stored token. Yes, you can use 2FA even though you’re connecting over VPN.

No, it doesn’t matter if you have published apps or not. It is a generic requirements for members of the developer program. You’ll know if you’re affected because Apple send you a direct email about this.

Yes, you can use your developer 2FA on a “private” device without having to remove your private 2FA account from the device.