
Yubikey + other 2FA methods support

Open parawanderer opened this issue 4 months ago • 4 comments

Hi @malmeloo , forwarding this request from @milenovic in https://github.com/parawanderer/OpenTagViewer/issues/18

At my work a large percentage of people also use Yubikeys and more advanced auth setups for their Macbooks. So it would be nice if auth via these could be supported.

These are probably not just another variant of the 6-digit code entry, as the Yubikey auth code is a rather large (~32-48 chars maybe?) base64-looking string. I also use one for my work laptop (recently switched to a mac due to switching teams, lol) but I can't tell how it's integrated into the apple ecosystem (if at all) in my case. I think the setup is more corporate network than apple ecosystem for me.

parawanderer avatar Aug 06 '25 20:08 parawanderer

Wait so how does this work exactly? Do you need to enter that string manually to sign in or is it just a passkey implementation?

Either way the other 2FA options should still work, right? If so this will probably go somewhere to the bottom of my priority list, as you'd only have to do it once anyway if the session is managed properly. It's a good suggestion though!

malmeloo avatar Aug 06 '25 21:08 malmeloo

Once yubikey 2FA is enabled on the account, all other 2FA options are not available for use in any way. They require two keys to be assigned in case one is lost, but no other factors. More details here: https://support.apple.com/en-us/102637

milenovic avatar Aug 06 '25 21:08 milenovic

Ugh, that's annoying. I'll look into how it works exactly, can't promise I'll have much time in the foreseeable future though. I'm not very familiar with how these keys work exactly, so it might take a little while.

malmeloo avatar Aug 06 '25 21:08 malmeloo

> Ugh, that's annoying. I'll look into how it works exactly, can't promise I'll have much time in the foreseeable future though. I'm not very familiar with how these keys work exactly, so it might take a little while.

It's based on WebAuthn on the networking side and CTAP on the client side to communicate with the token (e.g. Yubikey or other FIDO2 device). Passkeys use the same technology under the hood but store the credentials differently.

As milenovic said, activating Yubikeys disables other 2FA methods, so FindMy.py can't be used by those accounts. There are also other aspects. If SIM cards are lost, or prepaid ones expire when not topped up, it's very hard to regain access to the Apple account, since it relies on a trusted device and SMS for 2FA. Having 2 (or more) Yubikeys enables continued access.

In the case of several burner accounts on a single phone, it also makes logins easier than swapping SIMs, logging into iCloud, and from there authorizing Find My access. Just authorize with the key. So it would be nice to have support in FindMy.py.

As for implementation, I assume much of the support is available as libraries, and the challenge is the 2FA exchange that now asks for trusted device or sms.

A starting point would be to see how Apple requests 2FA when logging into a yubikey locked account.

alfs avatar Aug 29 '25 07:08 alfs
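To make the WebAuthn/CTAP split described in the comment above concrete, here is an added example that is not part of this thread and not code from FindMy.py. It models the two halves of a FIDO2 sign-in in Go using only the standard library: an `Authenticator` type standing in for the security key (what the CTAP `authenticatorGetAssertion` call returns: an `authenticatorData` blob plus an ECDSA P-256 signature over `authenticatorData || SHA-256(clientDataJSON)`), and `VerifyAssertion` standing in for the relying party's WebAuthn checks (client data type, challenge, origin, rpIdHash, user-presence flag, monotonic sign counter, signature). The RP ID `example.com`, the origin and the challenge are constructed placeholders, not Apple's values; the CBOR framing of the real CTAP transport and the attestation/registration step are omitted, since the point is the assertion format that a security key and a passkey both produce.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// Assertion is what the client hands to the relying party after the
// CTAP getAssertion call to the security key.
type Assertion struct {
	AuthenticatorData []byte
	ClientDataJSON    []byte
	Signature         []byte // ASN.1 DER ECDSA signature (COSE alg ES256)
}

// clientData is the subset of WebAuthn CollectedClientData checked here.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"` // base64url, no padding
	Origin    string `json:"origin"`
}

// makeClientDataJSON is the browser/client side: it binds the server's
// challenge to the origin the user is actually talking to.
func makeClientDataJSON(challenge []byte, origin string) []byte {
	b, _ := json.Marshal(clientData{
		Type:      "webauthn.get",
		Challenge: base64.RawURLEncoding.EncodeToString(challenge),
		Origin:    origin,
	})
	return b
}

// buildAuthData assembles the 37-byte minimal authenticatorData:
// SHA-256(rpId) || flags || big-endian signCount.
func buildAuthData(rpID string, flags byte, signCount uint32) []byte {
	h := sha256.Sum256([]byte(rpID))
	buf := make([]byte, 37)
	copy(buf[:32], h[:])
	buf[32] = flags
	binary.BigEndian.PutUint32(buf[33:], signCount)
	return buf
}

// Authenticator simulates the token (YubiKey or other FIDO2 device): it holds
// the credential private key and a sign counter that only ever increases.
type Authenticator struct {
	priv      *ecdsa.PrivateKey
	signCount uint32
}

// NewAuthenticator generates a fresh P-256 credential key (constructed for the example).
func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv}, nil
}

// PublicKey is what the RP stored at registration time.
func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.priv.PublicKey }

// GetAssertion mirrors CTAP2 authenticatorGetAssertion: bump the counter,
// build authenticatorData, and sign authenticatorData || SHA-256(clientDataJSON).
func (a *Authenticator) GetAssertion(rpID string, clientDataJSON []byte) (Assertion, error) {
	a.signCount++
	const flagUP, flagUV = 0x01, 0x04 // user present, user verified (PIN/biometric)
	authData := buildAuthData(rpID, flagUP|flagUV, a.signCount)
	cdh := sha256.Sum256(clientDataJSON)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdh[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, digest[:])
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{AuthenticatorData: authData, ClientDataJSON: clientDataJSON, Signature: sig}, nil
}

// VerifyAssertion is the relying-party side. It returns the new sign counter
// the RP must persist for the next login, or an error naming the failed check.
func VerifyAssertion(pub *ecdsa.PublicKey, rpID, origin string, challenge []byte, lastSignCount uint32, as Assertion) (uint32, error) {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return 0, err
	}
	if cd.Type != "webauthn.get" {
		return 0, errors.New("clientData type is not webauthn.get")
	}
	if cd.Challenge != base64.RawURLEncoding.EncodeToString(challenge) {
		return 0, errors.New("challenge mismatch (replay or wrong session)")
	}
	if cd.Origin != origin {
		return 0, errors.New("origin mismatch (possible phishing)")
	}
	if len(as.AuthenticatorData) < 37 {
		return 0, errors.New("authenticatorData too short")
	}
	want := sha256.Sum256([]byte(rpID))
	if !bytes.Equal(as.AuthenticatorData[:32], want[:]) {
		return 0, errors.New("rpIdHash mismatch")
	}
	if as.AuthenticatorData[32]&0x01 == 0 {
		return 0, errors.New("user presence flag not set")
	}
	count := binary.BigEndian.Uint32(as.AuthenticatorData[33:37])
	if count != 0 && count <= lastSignCount {
		return 0, errors.New("sign counter did not increase (cloned or replayed credential)")
	}
	cdh := sha256.Sum256(as.ClientDataJSON)
	digest := sha256.Sum256(append(append([]byte{}, as.AuthenticatorData...), cdh[:]...))
	if !ecdsa.VerifyASN1(pub, digest[:], as.Signature) {
		return 0, errors.New("signature does not verify against registered public key")
	}
	return count, nil
}

func main() {
	auth, err := NewAuthenticator()
	if err != nil {
		panic(err)
	}
	challenge := []byte("constructed-32-byte-challenge-00") // constructed; a real RP uses random bytes
	cdj := makeClientDataJSON(challenge, "https://example.com")
	as, _ := auth.GetAssertion("example.com", cdj)
	n, err := VerifyAssertion(auth.PublicKey(), "example.com", "https://example.com", challenge, 0, as)
	fmt.Println("counter:", n, "err:", err)
}
```

The two things worth noticing for the thread: the signed payload never contains a user-typed code, so a security key cannot be mapped onto the existing 6-digit 2FA path, and the origin inside `clientDataJSON` is what makes the login phishing-resistant, so a client library acting as the WebAuthn "browser" has to supply the origin the relying party expects rather than whatever host it happened to fetch the challenge from.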