
docs: add FIDO2 / security-key MFA implementation plan (#138) #139

Merged: sebsto merged 1 commit into main from feature/fido2-mfa on May 18, 2026

Conversation

@sebsto (Owner) commented May 18, 2026

Summary

  • Documents the analysis and a concrete implementation roadmap for supporting physical FIDO2 security keys (YubiKey) as a second factor on Apple Developer Portal sign-in. Addresses "Support alternative 2FA methods (Physical FIDO2)" #138.
  • No code changes — docs only. The maintainer doesn't currently own a YubiKey to test against and doesn't have time to develop and validate this end-to-end, so this PR ships the roadmap so a future contributor can pick the work up.
  • Key findings captured in the doc:
    • Apple returns an fsaChallenge payload (essentially WebAuthn PublicKeyCredentialRequestOptions) that xcodeinstall does not currently decode.
    • Fastlane's spaceship does not implement this — full-repo search returns zero hits for fsaChallenge, FIDO, webauthn, etc. — so there is no Ruby reference to port.
    • Apple's AuthenticationServices framework is unsuitable for a CLI binary (needs a GUI presentation anchor and Associated Domains matching apple.com).
    • Two viable client-side approaches kept open: bridging Yubico's libfido2 (~150–300 lines of Swift glue, brew install libfido2 prerequisite) or pure-Swift CTAP2 over IOHIDManager (~800–1200 lines, zero install burden).
    • A hard prerequisite is capturing the verification endpoint Apple's web flow posts to — undocumented publicly.

Test plan

  • docs/fido2-mfa-plan.md renders correctly on GitHub.
  • No code changes, so no functional tests apply. CI build should remain green.

Document the analysis and roadmap for supporting physical FIDO2
security keys (YubiKey) as a second factor. Includes the captured
fsaChallenge response shape, why fastlane's spaceship offers no
reference to port from, the prerequisite of capturing Apple's
verification endpoint from a browser session, and two viable
client-side approaches (libfido2 bridge vs. pure-Swift CTAP2 over
IOHIDManager) for a future contributor with the hardware to test.
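The first step either client-side approach in the roadmap shares is decoding the server's challenge into what a CTAP2 getAssertion call needs. The block below is an added example, not code from this PR or from xcodeinstall. It assumes the fsaChallenge payload uses the standard WebAuthn PublicKeyCredentialRequestOptions field names (challenge, rpId, allowCredentials, userVerification); Apple's actual field names are not confirmed by this PR, the sample JSON values are constructed placeholders, and CryptoKit assumes macOS. It also performs the rpId-against-origin check that a browser does on the user's behalf and that a CLI client must do itself before handing anything to the key.

```swift
import Foundation
import CryptoKit   // macOS 10.15+; on Linux use swift-crypto (assumption: macOS)

// Assumed shape of the options carried by Apple's fsaChallenge payload.
// These are the standard WebAuthn PublicKeyCredentialRequestOptions field
// names; the names Apple actually uses are NOT confirmed by this PR.
struct AllowedCredential: Decodable {
    let type: String
    let id: String              // credential ID, base64url
    let transports: [String]?
}

struct RequestOptions: Decodable {
    let challenge: String       // base64url, kept verbatim for clientDataJSON
    let rpId: String
    let timeout: Int?
    let userVerification: String?
    let allowCredentials: [AllowedCredential]?
}

enum ChallengeError: Error {
    case badBase64url
    case rpIdNotSuffixOfOrigin(rpId: String, origin: String)
}

/// Decode unpadded base64url (RFC 4648 section 5) into bytes.
func decodeBase64url(_ s: String) throws -> Data {
    var b64 = s.replacingOccurrences(of: "-", with: "+")
               .replacingOccurrences(of: "_", with: "/")
    while b64.count % 4 != 0 { b64.append("=") }
    guard let data = Data(base64Encoded: b64) else { throw ChallengeError.badBase64url }
    return data
}

/// Inputs a CTAP2 authenticatorGetAssertion call needs, whichever transport
/// (libfido2 bridge or IOHIDManager) eventually sends it to the key.
struct AssertionRequest {
    let rpId: String
    let clientDataHash: Data        // SHA-256 of clientDataJSON
    let clientDataJSON: Data        // returned to the server with the assertion
    let allowList: [Data]
    let requireUserVerification: Bool
}

/// Parse the server's request options and derive the CTAP2 inputs.
/// `origin` is the https origin the challenge was fetched from. The client,
/// not the key, must refuse an rpId that is not the origin host or a parent
/// domain of it; that check is what keeps the key from signing for a domain
/// other than the one the user is actually talking to.
func buildAssertionRequest(optionsJSON: Data, origin: String) throws -> AssertionRequest {
    let opts = try JSONDecoder().decode(RequestOptions.self, from: optionsJSON)

    let host = URL(string: origin)?.host ?? ""
    guard !opts.rpId.isEmpty, host == opts.rpId || host.hasSuffix("." + opts.rpId) else {
        throw ChallengeError.rpIdNotSuffixOfOrigin(rpId: opts.rpId, origin: origin)
    }

    _ = try decodeBase64url(opts.challenge)   // reject a malformed challenge early

    // CollectedClientData (WebAuthn section 5.8.1); the challenge goes in as sent.
    let clientData: [String: Any] = [
        "type": "webauthn.get",
        "challenge": opts.challenge,
        "origin": origin,
        "crossOrigin": false,
    ]
    let clientDataJSON = try JSONSerialization.data(withJSONObject: clientData, options: [.sortedKeys])
    let hash = Data(SHA256.hash(data: clientDataJSON))

    let allowList = try (opts.allowCredentials ?? []).map { try decodeBase64url($0.id) }

    return AssertionRequest(rpId: opts.rpId,
                            clientDataHash: hash,
                            clientDataJSON: clientDataJSON,
                            allowList: allowList,
                            requireUserVerification: opts.userVerification == "required")
}

// Constructed sample; values are placeholders, not captured from Apple.
let sample = """
{
  "challenge": "dGhpcy1pcy1hLXBsYWNlaG9sZGVyLWNoYWxsZW5nZQ",
  "rpId": "example.test",
  "timeout": 60000,
  "userVerification": "preferred",
  "allowCredentials": [
    { "type": "public-key", "id": "Y3JlZGVudGlhbC1pZC1wbGFjZWhvbGRlcg", "transports": ["usb"] }
  ]
}
""".data(using: .utf8)!

do {
    let req = try buildAssertionRequest(optionsJSON: sample, origin: "https://idmsa.example.test")
    print("rpId:", req.rpId)
    print("allowList entries:", req.allowList.count)
    print("clientDataHash:", req.clientDataHash.map { String(format: "%02x", $0) }.joined())
    print("UV required:", req.requireUserVerification)
} catch {
    print("cannot build assertion request:", error)
}
```

The resulting clientDataHash, rpId and allowList are exactly the fields a getAssertion request carries over either transport the roadmap keeps open; clientDataJSON travels back to the server alongside the authenticator's signature. What that server call looks like is the undocumented verification endpoint the PR names as its hard prerequisite, so nothing here guesses at it.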
@amazon-q-developer (Contributor, Bot) left a comment


This documentation-only PR provides a comprehensive implementation roadmap for FIDO2/security key MFA support. The document is well-structured, technically accurate, and contains no blocking issues. The implementation plan appropriately documents the technical challenges, provides clear guidance with code examples, and outlines testing strategies. No defects found that would prevent merge.


@sebsto sebsto merged commit 0dc23e8 into main May 18, 2026
5 checks passed
@sebsto sebsto deleted the feature/fido2-mfa branch May 18, 2026 16:37
