Unable to login with 2FA

[xBiei]

I'm trying to download an ipa like any user I guess..
but the problem is that I can't get past the authentication, my appleid has 2FA
I don't know what's the default approach here, this is the first time I try this.
anyway when I put my appleid and password, it instantly gives me unknown error..
I tried debug log but it made this even more weird.
this is a screenshot of what's happening:

[morpig]

Experiencing the same thing, also tried using --auth-code with code sent through SMS/device

[majd]

Could you try logging in with that account on https://appleid.apple.com and see if you get any unusual behavior?

[morpig]

No unusual behaviour, even tried to disable 2FA from appleid.apple.com. Didn't find any options to do so, do you know if it's possible to disable 2FA?

After executing download command from ipatool, there is 2FA prompt on both my phone & laptop (are you accessing from xx city?, and show 6-digit code). Tried entering 6-digit code with --auth-code, but it triggers the 2FA flow again.

[xBiei]

Could you try logging in with that account on https://appleid.apple.com and see if you get any unusual behavior?

no unusual behavior, logging in sends 2FA code to linked devices and requires you to type the code to continue logging..
tried it with multiple accounts but no luck.
as we know there's no way to disable 2FA so this should be fixed from within the tool

[MrPigglet]

Experiencing the same thing on an M1 mac mini

[majd]

I think I figured out what the issue is. Could you test release v1.0.7 and let me know if it resolves the issue for you?

[JeuFore]

Hello, i have the same error when i try to login. I tried with version 1.0.7, same thing.

[xBiei]

I think I figured out what the issue is. Could you test release v1.0.7 and let me know if it resolves the issue for you?

No luck. It's the exact same issue..
ipatool should await for user to input 2FA code and if that's fulfilled, proceed.
but what's happening now is that it is proceeding without awaiting at all..

[xBiei]

I just saw the commit.
you only changed the user-agent. but I think that's totally irrelevant to the issue here.

[MrPigglet]

Can also confirm that 1.0.7 did not fix the issue.

What xBiei said seems like it would work, but I understand it may be hard to implement.

[xBiei]

I'm debugging the issue right now, I'll see what I can do.

[MrPigglet]

Using an app-specific password does not work either, it does not ping your device to enter 2FA though.

[xBiei]

Using an app-specific password does not work either, it does not ping your device to enter 2FA though.

yeah app-specific passwords doesn't need 2FA to work because you can't make one without authenticating first.
anyway these password can't be used with this tool & probably any tool that needs your apple id auth.
app-specific passwords don't have enough permissions to do the job soooo that's a no no.. :l

[xBiei]

ok so after digging up trying to find the issue,
looks like the 2FA problem is easy to fix by using the tool once then noting the auth code and merging it to your password without spaces (PasswordAuth).
That way there's no 2FA request sent to your devices which means the 2FA problem is gone but needs to be implemented manually by the user for now at least. Reference

This is the error:
MZFinance.BadLogin.Configurator_message
The error is weird but we're not the only ones..
The error is connected to the 2FA somehow even though it's not asking for 2FA anymore..

Also, I noticed that to send the request to apple you need to add guid, which is the MAC address of en0.
That shouldn't be a problem but I don't know about hackintosh users.

That's what I can do today I'm so tired of blowing my mind because I never used swift but willing to...

[majd]

The tool does already wait for 2FA input before proceeding, but it was receiving an error from the authentication endpoint before it reaches that point. It’s the error that @xBiei mentioned: MZFinance.BadLogin.Configurator_message. I assumed that they’re blocking older clients from the API. I’ll have another look soon. Which Mac model and macOS version are you using?

[MrPigglet]

M1 Mac Mini, latest macOS Monterey (12.0.1)

[xBiei]

it was receiving an error from the authentication endpoint before it reaches that point.

yeah, the tool expects one of those guys:

ipatool/Source/Store/StoreResponse.swift

Lines 30 to 40 in f3a5409

	enum Error: Int, Swift.Error {
	case unknownError = 0
	case genericError = 5002
	case codeRequired = 1
	case invalidLicense = 9610
	case invalidCredentials = -5000
	case invalidAccount = 5001
	case invalidItem = -10000
	case lockedAccount = -10001
	}
	}

but it seems like it's getting a different error so it'll just give you unknownError.
The weird thing is that it's not getting an error, it's getting a message..
I tried printing some text if an error has occurred here

ipatool/Source/Store/StoreResponse.swift

Lines 59 to 60 in f3a5409

	} else if let error = error, !error.isEmpty {
	self = .failure(error: Error(rawValue: Int(error) ?? 0) ?? .unknownError)

but it's not printing anything.
instead, it's getting a message which is MZFinance.BadLogin.Configurator_message
I guess it's about something that isn't supported anymore by the API or whatever the response is coming from..

Which Mac model and macOS version are you using?

Hackintosh (Model: MacBookPro15,4) on macOS Monterey (12.0.1)

[iWhacko]

looks like the 2FA problem is easy to fix by using the tool once then noting the auth code and merging it to your password without spaces (PasswordAuth).

that worked for me with version 1.07.

[fylfot]

looks like the 2FA problem is easy to fix by using the tool once then noting the auth code and merging it to your password without spaces (PasswordAuth).

that worked for me with version 1.07.

Confirming, so for example:
ipatool download -e [EMAIL] -p [PASSWORD][CODE] -d iPhone --auth-code [CODE] -b com.ftband.mono
will work after second attempt, when you will get 2FA code

[Mikasa-san]

It doesn't works for me

[acrogenesis]

I got it to work doing

1. ipatool download -e EMAIL -b APP
2. Enter password (gives error)
3. ipatool download -e EMAIL -b APP
4. Enter password but add code at to password

[Mikasa-san]

How to add the code and its keep sending it to me everytime I try to sign in ? . Should I add the old code ?

[xBiei]

How to add the code and its keep sending it to me everytime I try to sign in ? . Should I add the old code ?

as said above, the first time is just to get the auth code to one of your devices..
the second time you'll add the received auth code to your password like this: PasswordAuthcode
if you don't get an auth request notification on your devices the second time, that means you did this right and skipped the 2FA.

Reply

ok so after digging up trying to find the issue,
looks like the 2FA problem is easy to fix by using the tool once then noting the auth code and merging it to your password without spaces (PasswordAuth).
That way there's no 2FA request sent to your devices which means the 2FA problem is gone but needs to be implemented manually by the user for now at least. Reference

[majd]

Have you by any chance tried using the --auth-code CLI option provided in the tool to pass in the two-factor authentication code?

[dlevi309]

@majd I’ve tried with the --auth-code option with no luck :/

[dlevi309]

How to add the code and its keep sending it to me everytime I try to sign in ? . Should I add the old code ?

Once it works the first time, you don't have to input the 2FA again (until the cookies expire, which from what I've seen is a good while)

Update: after dissecting the ipatool binary cookies created after a successful install, I've found the cookies expiration date is exactly 6 months after the successful login

Update (again): I was wrong, the cookies do expire after 6 months, but ipatool hit me with the verification code issue again (24 hours after applying the fix) I guess this fix is really temporary

FINAL UPDATE: I usually keep the IPATOOL_EMAIL & IPATOOL_PASSWORD environment variables set, so this third try I decided to leave the 6 digit auth code appended to my password indefinitely, and after 3 days now I haven’t run into any issues, so it seems this is a really effective workaround for the time being.

[tanishq-malhotra]

looks like the 2FA problem is easy to fix by using the tool once then noting the auth code and merging it to your password without spaces (PasswordAuth).
that worked for me with version 1.07.

Confirming, so for example: ipatool download -e [EMAIL] -p [PASSWORD][CODE] -d iPhone --auth-code [CODE] -b com.ftband.mono will work after second attempt, when you will get 2FA code

This worked for me without -d option but I am getting bellow error:

Your Apple ID does not have a license for this app. Download the app on an iOS device to obtain a license.

How to fix this without iPhone

[dlevi309]

looks like the 2FA problem is easy to fix by using the tool once then noting the auth code and merging it to your password without spaces (PasswordAuth).
that worked for me with version 1.07.

Confirming, so for example: ipatool download -e [EMAIL] -p [PASSWORD][CODE] -d iPhone --auth-code [CODE] -b com.ftband.mono will work after second attempt, when you will get 2FA code

This worked for me without -d option but I am getting bellow error:

Your Apple ID does not have a license for this app. Download the app on an iOS device to obtain a license.

How to fix this without iPhone

this isn't an issue, it's expected. You need to have the app purchased to your account

[majd]

@majd I’ve tried with the --auth-code option with no luck :/

@dlevi309 That’s weird. The —auth-code option should append the 2FA code to the end of the password. However, it uses a different endpoint. I’ll look into incorporating the necessary changes to the tool soon. 🙂

[dlevi309]

@majd thanks for all of your work on this! one of my favorite tools. Once the fix is out, I’ll also apply it to my fork with unofficial iOS support

[andyboyce]

I got it to work doing

1. _ipatool download -e EMAIL -b APP_
2. Enter password (gives error)
3. _ipatool download -e EMAIL -b APP_
4. Enter password but add code at to password

i got error. but it ok by this way in china:
step1: ipatool download -b com.xingin.discover -e xxxx -p xxxx
tips:to get code eg: 283020
step2: ipatool download -b com.xingin.discover -e xxxx -p xxxx283020
tips:add the code end of the password

[qnblackcat]

I got it to work doing

1. _ipatool download -e EMAIL -b APP_
2. Enter password (gives error)
3. _ipatool download -e EMAIL -b APP_
4. Enter password but add code at to password

i got error. but it ok by this way in china: step1: ipatool download -b com.xingin.discover -e xxxx -p xxxx tips:to get code eg: 283020 step2: ipatool download -b com.xingin.discover -e xxxx -p xxxx283020 tips:add the code end of the password

I can confirm it works for me ✅

[palaniraja]

For me it exit before i get a chance to keyin my 2FA codes

➜  ~ ipatool download --bundle-identifier com.xxxx.yyyy.zzz --country DE -e abc@def.com
==> ℹ️	[Info] Querying the iTunes Store for 'com.xxxx.yyyy.zzz' in country 'DE'...
==> ⚠️	[Warning] Enter Apple ID password:
==> ℹ️	[Info] Authenticating with the App Store...
==> ❌	[Error] An unknown error has occurred.

[rrroyal]

yup, same for me, but doing this works:

Confirming, so for example: ipatool download -e [EMAIL] -p [PASSWORD][CODE] -d iPhone --auth-code [CODE] -b com.ftband.mono will work after second attempt, when you will get 2FA code

[xcuYao]

➜ ~ ipatool download -e [Email] -p [Password][code] -d iPhone --auth-code [code] -b [packageName] -c CN
==> ℹ️	[Info] Querying the iTunes Store for 'com.flomoapp' in country 'CN'...
==> ℹ️	[Info] Authenticating with the App Store...
==> ℹ️	[Info] Authenticated as 'xxx'.
==> ℹ️	[Info] Requesting a signed copy of '1552314395' from the App Store...
==> ℹ️	[Info] Downloading app package... [100%]
==> ℹ️	[Info] Saved app package to com.flomoapp_1552314395_v1.6.0_252.ipa.
==> ℹ️	[Info] Applying patches...
==> ℹ️	[Info] Done.

it works for me.
[code] is you 2FA code, Used multiple times.
don't forget password is your password && 2FA code.

[jiangerji]

I got it to work doing

1. ipatool download -e EMAIL -b APP
2. Enter password (gives error)
3. ipatool download -e EMAIL -b APP
4. Enter password but add code at to password

it works for me, thanks