Apple's 2FA and the notion of "trusted device" and "trusted browser"
I’m going to try to split off and expand some more readily “answerable” questions that were initially part of a different SE post (Apple's new 2FA requirement for developer Apple IDs) that was put on hold because it got too complex and unwieldly. Here’s one:
How are Apple’s 2FA “tokens” implemented? If this has been spelled out in Apple’s docs I haven’t found it yet.
Here’s why I want to know. I do not use SMS, period. Mostly for privacy and security reasons. Apple’s 2FA requires giving Apple a phone# to even begin the process of enabling it. They’re good enough to allow you to use a landline # as well, so good for them, but I don’t actually maintain any phone# anymore, so this has been a showstopper for me to even get started, hence the unwieldy set of questions in the previous post.
If I knew for a fact that a single SMS in the beginning was the only SMS that would ever be sent, then I could just bug someone else to help me out once and that would be the end of it. From that point on I could use my offline iDevice to generate Verification Codes (right?). But if other actions I take will trigger add’l SMS authentication codes, that wouldn’t work.
Hence the need to know how a device or browser is understood to be “trusted” and/or how it might lose that trust.
I can already generate a “Verification Code” on my iDevice that I’ve now associated with the dev appleID, even fully offline, so that seems great. I have some level of confidence that device will continue to be “trusted” as long as I don’t change the associated appleID.
But I have no idea how this works with a laptop that will never have an iCloud account (or even touch iCloud servers), but instead is just an Xcode dev machine. The dev machine isn’t normally connected to the internet, and when it is, it’s protected by a very tight firewall. Once every week or so, it’s allowed to connect (via proxy, VPN, or different physical loctaions) to Apple’s provisioning certificate servers to update certificates. It’s hard to know how or if I can set up this laptop to be a “trusted machine” and maintain that trust. First, it will have a different IP address nearly every time Apple sees it, but also, once 2FA is enabled for that appleID, are there different actions I might take that might change that trust, like updating Xcode, for example.
On very rare occasions, as in maybe 3 or 4 times ever, I’ve signed in via browser to the associated appleID account to set things up and remove a device once. But cookies are immediately wiped, and I never allow any “local storage” (from any server), so I’m having a hard time understanding whether I would ever have what passes in an ongoing way as a “trusted browser” in Apple’s eyes. And if it becomes untrusted, when might that trigger an SMS authentication, as opposed to simply generating a Verification Code on my offline iDevice?
[update]
I found this SE answer, which addresses part of my question above.
How does apple verify my list of trusted devices and browsers?
If a browser is only trusted based on a cookie, that's awfully ephemeral. Many people, if not most, clear cookies on a regular basis.
Still wondering about what might affect "trust" of the machine(s) themselves.
Solution 1:
A device is trusted if it holds the token string given out by Apple. For browsers this means that the browser has a cookie stored with the string. You're asked when logging in whether or not you want to trust that browser, and that will trigger storing the cookie.
If you clear the cookies, then obviously the browser will not be trusted anymore. Just because you have an habit of clearing your cookies on a regular basis, that does not make Apple's choice "awful" in any way. Technically cookies are probably the most secure way of storing this possible with standards compliant browsers. At least it is a very strong choice.
In order to avoid the browser loosing the trust, simply stop clearing that one specific cookie. There's no point in religiously removing every cooking, if you do not have a purpose for doing that - and especially not if it directly works against you.
In regards to SMS messages: You do not need to receive an SMS message in order to add a new trusted device. You can simply use the 2FA code from one trusted device to add a new trusted device. This is handled automatically by the system.
Regarding the many other questions you have put into your quite broad question: No, updating Xcode won't invalidate the trust. No, having changing IP address won't invalidate the trust.