home-assistant / core

:house_with_garden: Open source home automation that puts local control and privacy first.
https://www.home-assistant.io
Apache License 2.0

iCloud continual emails #46308

Open jscherry opened 3 years ago

jscherry commented 3 years ago

The problem

iCloud with 2FA is working again but I receive 2-4 emails per day saying someone has logged into my account through a web browser? Is this normal?

What version of Home Assistant Core has the issue?

2021.2.2

What was the last working version of Home Assistant Core?

No response

What type of installation are you running?

Home Assistant OS

Integration causing the issue

iCloud

Link to integration documentation on our website

No response

Example YAML snippet

```yaml
# Put your YAML below this line
```

Anything in the logs that might be useful for us?

```
# Put your logs below this line
```

nothing in the logs

I’d run iCloud integration before it stopped working properly last year and didn’t receive all the emails about logins? It has done this since reinstalling it 2021.2.1 and 2021.2.2. I’m using a Blue Odroid N2+

bcutter commented 1 year ago

This known issue honestly blocked me from using this integration at all for a long time. Now stepping into the game and having a look at how many mails are sent (unable to set a mail filter which is not a good idea at all for security reasons), probably kicking this basically fabulous integration soon which would likely "fix" (or work around) this...

Hope to have app-specific passwords working some day soon...

bcutter commented 1 year ago

Is there ANY way to get rid of those e-mails? My mail provider does not allow me to automatically filter mails.

For some days I'm getting nearly hundreds per day. This makes this integration awfully annoying.

Does the custom iCloud3 maybe work around that? Maybe by supporting app-specific passwords?

This "official" integration makes it just so hard to use it looking at those few but heavy issues, being open for two years...


Update: kicked this integration after only 4 weeks. Pain > benefits, no-go, as simple as that.

Andreaux commented 1 year ago

```
if header :contains "Subject" ["Your Apple ID was used to sign in to iCloud"] { discard; stop; }
```

This defeats the whole purpose of having such notifications and I would strongly discourage that. There has to be a different solution to integrate.

bcutter commented 1 year ago

> This defeats the whole purpose of having such notifications and I would strongly discourage that. There has to be a different solution to integrate.

Exactly. Supporting app based logins would be an (existing) solution. This is the way (/Mando).

Andreaux commented 1 year ago

This is the way :)

bcutter commented 1 year ago

> This is the way :)

OMG I guarantee I did only notice your avatar right NOW. Hahaaa 😆

OK enough off-topic, sorry for that. This way maybe also GitHub gets an impression of how annoying false positive posts (e-mails) are...

ifuchs commented 1 year ago

I enabled this integration, and I get the same authentication notifications every 30 minutes. Had to disable the integration.

delphimon commented 1 year ago

The pyicloud API has a specific method to request a device be trusted, `api.trust_session()`. This is something that should be called after the session is successfully created to make sure you have a trusted device session. That would prevent the constant emails. There is an example of how to do this on the project page for pyicloud:

```python
import sys

from pyicloud import PyiCloudService

# Placeholder credentials; replace with your own Apple ID and password.
api = PyiCloudService("jappleseed@apple.com", "password")

if api.requires_2fa:
    print("Two-factor authentication required.")
    code = input("Enter the code you received of one of your approved devices: ")
    result = api.validate_2fa_code(code)
    print("Code validation result: %s" % result)

    if not result:
        print("Failed to verify security code")
        sys.exit(1)

    # Ask Apple to trust this session so the 2FA prompt is not repeated.
    if not api.is_trusted_session:
        print("Session is not trusted. Requesting trust...")
        result = api.trust_session()
        print("Session trust result %s" % result)

        if not result:
            print("Failed to request trust. You will likely be prompted for the code again in the coming weeks")
```

If I get some free time I'll try to take a look at the existing integration code and submit a PR to include that call - however I don't have an HA dev environment set up right now to test out the core integration so it may take some time, perhaps @frenck could do this more quickly. Also, I unfortunately don't see any of the pyicloud debug or log messages in the HA logs or I could do a little better debugging.

marleyjaffe commented 1 year ago

I get the iOS notification that a new device is attempting to be signed in roughly every 30 minutes. Has there been any progress on getting the app specific password or the trusted setting implemented?

jaymunro commented 1 year ago

Sadly it seems not. I have about 8 devices set up in this integration and I need it as not every user (family members) wants to have the iOS app on their phone, but the house security needs some sort of location presence aware method.

I get a number of emails every few days to a week and just delete them. But I would rather not get into the habit of deleting these as some day there may be a genuine intrusion to the account and I wouldn't want to miss that.

Hoping that someone could implement the possible solution that @delphimon mentioned.

issue-triage-workflows[bot] commented 9 months ago

There hasn't been any activity on this issue recently. Due to the high number of incoming GitHub notifications, we have to clean some of the old issues, as many of them have already been resolved with the latest updates. Please make sure to update to the latest Home Assistant version and check if that solves the issue. Let us know if that works for you by adding a comment 👍 This issue has now been marked as stale and will be closed if no further activity occurs. Thank you for your contributions.

Andreaux commented 9 months ago

This issue is still not resolved, right?

On Wed, Dec 20, 2023 at 1:15 AM issue-triage-workflows[bot] < @.***> wrote:

> There hasn't been any activity on this issue recently. Due to the high number of incoming GitHub notifications, we have to clean some of the old issues, as many of them have already been resolved with the latest updates. Please make sure to update to the latest Home Assistant version and check if that solves the issue. Let us know if that works for you by adding a comment 👍 This issue has now been marked as stale and will be closed if no further activity occurs. Thank you for your contributions.


delphimon commented 9 months ago

I don't honestly know, I ended up turning off the integration and never ended up setting up the full HA dev environment since I got distracted with the new company I'm starting lol. Can anyone else confirm if it still happens? If I get some free time I'll look into it but I've never done HA dev before so will take me a bit to figure out the environment.

jaymunro commented 9 months ago

After too long with no sign from the maintainer(s) I gave up and deleted the integration after replacing it with iCloud3 in HACS. It’s a fair bit more fiddly to set up, but that investment in time pays dividends in zero issues with properly authenticating.

Given that the iCloud integration cannot perform a proper authentication, it should be removed from HA core in my opinion.

jaymunro commented 9 months ago

Hey there @Quentame, @nzapponi, mind taking a look at this feedback as it has been labeled with an integration (icloud) you are listed as a code owner for? Thanks!

hekare commented 8 months ago

Hi, the issue of sending multiple login emails still exists. I receive 2-3 mail daily. Running HA OS and latest core.

CH1PSET1 commented 8 months ago

> After too long with no sign from the maintainer(s) I gave up and deleted the integration after replacing it with iCloud3 in HACS. It’s a fair bit more fiddly to set up, but that investment in time pays dividends in zero issues with properly authenticating.
>
> Given that the iCloud integration cannot perform a proper authentication, it should be removed from HA core in my opinion.

Good afternoon. Tell me, is it possible to go through icloud3 using the iPhone search method? Like ICLOUD.PLAY_SOUND?

motamedn commented 7 months ago

@frenck Is there a way to know if this is still being supported? This issue has been open for 3 years now and people are still facing the same issue with this integration. As @jaymunro states above, since this cannot do proper authentication should this integration be removed from HA core?

joedzado commented 7 months ago

I know this is a difficult issue. Can I suggest a debug log message for when the secure session is requested or renewed? At the very least I can automate the process of verifying I didn’t get hacked.
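One way to automate the check suggested above, as an added example that is not part of the original comment or of the integration's code: it matches the arrival times of Apple sign-in mails against session renewals in the Home Assistant log and flags sign-ins with no renewal shortly before them. The log message text, the sample log and the mail times are constructed, and the log line itself is hypothetical (it is what the comment asks to have added).

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"
MARKER = "iCloud session renewed"  # hypothetical message text (assumption)

# Constructed sample log; this line is the one the comment asks for.
HA_LOG = """\
2024-03-01 06:00:12 DEBUG [homeassistant.components.icloud] iCloud session renewed
2024-03-01 14:30:40 DEBUG [homeassistant.components.icloud] iCloud session renewed
2024-03-01 22:59:55 DEBUG [homeassistant.components.icloud] iCloud session renewed
"""

# Constructed mail arrival times, assumed to share the log's time zone.
SIGNIN_MAILS = [
    "2024-03-01 06:00:45",
    "2024-03-01 14:31:02",
    "2024-03-01 18:12:09",  # no renewal logged nearby
    "2024-03-01 23:00:20",
]


def parse_renewals(log_text):
    """Return the timestamps of log lines that carry the renewal marker."""
    return [
        datetime.strptime(line[:19], FMT)
        for line in log_text.splitlines()
        if MARKER in line
    ]


def unexplained_signins(mail_times, renewals, window=timedelta(minutes=5)):
    """Return sign-in mails with no renewal in the preceding window."""
    # Each renewal explains at most one mail, so a second sign-in right
    # after a single renewal is still flagged.
    unused = sorted(renewals)
    flagged = []
    for mail in sorted(datetime.strptime(m, FMT) for m in mail_times):
        hit = next((r for r in unused if timedelta(0) <= mail - r <= window), None)
        if hit is None:
            flagged.append(mail)
        else:
            unused.remove(hit)
    return flagged


if __name__ == "__main__":
    for t in unexplained_signins(SIGNIN_MAILS, parse_renewals(HA_LOG)):
        print("sign-in not explained by Home Assistant:", t.strftime(FMT))
```
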

ParkerFrame commented 7 months ago

Can confirm this issue still persists today on the latest release of HA. Getting 3-4 emails daily despite deleting the integration and trying to delete the iCloud folder from .storage via SSH terminal

exSnake commented 7 months ago

> I know this is a difficult issue. Can I suggest a debug log message for when the secure session is requested or renewed? At the very least I can automate the process of verifying I didn’t get hacked.

Just use a different account with family share so you can access devices without risking your account

fopina commented 4 months ago

Referred by @joedzado, I just saw this issue/thread which I relate to as well!

I’d like to point out some notes I’ve discovered while trying to avoid this:

In my case, as I don’t want to track devices, my solution was https://github.com/home-assistant/core/pull/117984

Just disable polling entirely. If I manually trigger device updates (and session is expired), I get that email, but only then. Triggering play sound (which is my main use of the integration) generates an email of its own, but not the “attempt to login”

Hope this helps clarify expectations a bit!

joshlovell15 commented 3 months ago

I had the recurring login from your iCloud emails plaguing my inbox until I decided to try to investigate. My little knowledge led me to iCloud website where I created an app specific password and I have not received an email for 17 days with polling settings still set to default/enabled. I hope this helps a few people out!

I will also add all Find My/tracking is working the same as before and I have not noticed a single issue/problem arise since making the change. I haven't seen any limitations/restricted access to iCloud devices/entities since changing the password to the app specific either.

Running latest version of HA on a RPI

fopina commented 3 months ago

@joshlovell15 I tried app specific in the past and it failed to login in HA/pyicloud… but maybe I messed something up, thanks for correction and sharing!

Even keeping tracking disabled (for battery), it’s useful for improving security!

joshlovell15 commented 3 months ago

@fopina I won't lie I'm still very green with all of this stuff but as far as I can tell it's had no negative impacts on operations and the emails have stopped. Even when I signed in using the app specific password I didn't even get an email regarding the new sign in!

fopina commented 3 months ago

@joshlovell15 and it's also great that it doesn't prompt for the 2FA.

But I just tried and I'm still unable to login with an app specific password.

I get "unknown error occurred" in the UI and "[pyicloud.base] Authentication required for Account. (450)" shows in the logs...

Which version are you using? Are you using email as username? Wondering if something new was introduced...

I don't get the notifications as I don't poll location, but, as a suggestion to someone else, if I would want it, I would create a second Apple ID and invite it to family. Then I'd use that one in HA "with family". Email spam would then go to the secondary email and, if it was really compromised at some point, only things shared with family would be compromised (not personal photos or drive documents/backups)

RSDynamics commented 3 months ago

Don't know if this helps others. I created an app specific password but couldn't login on the iCloud integration with that. Authentication failure. Then I logged in with my normal password, filled the MFA and that logged me in and created the entities. But that would mean that I would receive the login e-mails again. So I deleted the integration under Integration Items. Then I directly clicked Add Item and logged in with my App specific password and now it accepted that password.

fopina commented 3 months ago

@RSDynamics I can test that as well, as I'm unable to login under the existing integration.

When you say "add item" you mean the "setup new integration" screen? I just tried that and it didn't work either

RSDynamics commented 3 months ago

So I don't leave this page and click here to add a new item.

image

fopina commented 3 months ago

Ah that's what I did initially actually and didn't work :/

joshlovell15 commented 3 months ago

image

I created a new app specific password on iCloud, then went to iCloud integration and began setup, when asked for iCloud password copied from iCloud to HA and it worked straight away. I have deleted the service and tried 3 times, all successfully working. Located in Australia, using latest version of HA & iCloud integration. This does not work for iCloud3 if there has been some confusion on which integration I am using.

fopina commented 3 months ago

Thank you both. I decided to remove integration and restart HA. It worked now, even from initial setup, so I guess it was some caching of previous tokens or similar (as email was the same). This is great!

RSDynamics commented 3 months ago

Unfortunately I received two emails last evening. It seems that there is some caching of a session or something. Also this afternoon after the component could not login anymore. Auth errors in the log. Removed the integration, restarted HA, Created a new password. The password is unfortunately not accepted. Also removed the .storage/icloud folder but no luck so far.

fopina commented 3 months ago

Same. Integration not working today with errors of authentication failed.

I'd say it only worked yesterday because it somehow was using the old (non app specific) session, but @joshlovell15 says he's been using it for a few days... (and sessions expire every 18h)

joshlovell15 commented 3 months ago

I wish I could provide more help on this but I am truly stumped. I don't want to remove it again in case I run into similar errors as aforementioned. I can confirm my iCloud integration is still functioning without emails. I'm wondering if potentially there is geographical involvement or whether there is differing security settings between iCloud accounts. All I know is I have 2FA enabled within iCloud and that I have not received an email all weekend since we last communicated. I did sign into iCloud just then to ensure I still received emails and can confirm they are still present upon signing into iCloud through browser.

joshlovell15 commented 3 months ago

image image

joshlovell15 commented 3 months ago

@fopina @RSDynamics Can confirm family sharing and location is definitely pulling from iCloud as my MBP is only connected via iCloud and not listed as a device within HA.

gcobb321 commented 1 month ago

I am trying to get app specific passwords working with iCloud3 (I am the iCloud3 developer) and have not been able to get it working.

I am also running the HA Apple iCloud integration and it does not work with that either. However, with the Apple iCloud integration, I can log in first using the real p/w and then log in again with the app specific p/w and it will not give me a Username/password error. However, I suspect that it is accepting it because it is not actually using the app specific p/w to do the login the second time. The session credentials and token are still valid so that is what is being checked. The p/w is only checked if the token has expired.

This indicates the app specific password is not really working with the HA Apple integration and the docs and p/w field description are misleading.

Has anyone really been successful using it? Maybe its success is location based and it is not accepted in the US.