Codes did not migrate after restoring iCloud backup

[klaaspieter]

I migrated to a new phone from an iCloud backup and Tofu is empty on the new phone. According to #14 Tofu should be able to migrate over to new devices if backups are encrypted. I'm assuming that is the case for iCloud backups, but perhaps they're special?

I'm at a loss as to how to debug this further.

[klaaspieter]

On the Apple forums the Eskimo suggests using kSecAttrSynchronizable. I'm pretty certain we need to add kSecAttrSynchronizable: kCFBooleanTrue here.

I'm fine with making the change, but I wouldn't be comfortable PRing it without extensive testing.

[calleluks]

Hey @klaaspieter, thanks for reporting this. I’m really sorry it didn’t work as intended and that you lost your codes!

As far as I understand, whether or not an item migrates to a new device is decided by the item's accessibility attribute. Since e40e25b we're using the kSecAttrAccessibleWhenUnlocked accessibility attribute for which the documentation states that "Items with this attribute migrate to a new device when using encrypted backups". According to Apple's page on iOS backups using iCloud backups, "Always encrypts your backups".

Therefore, I really think your codes should have migrated to your new device.

Could it be that you added the accounts way back before Tofu was released and you helped beta test it? Back then we were using kSecAttrAccessibleWhenUnlockedThisDeviceOnly for which the documentation explicitly states that "Items with this attribute do not migrate to a new device".

My understanding of kSecAttrSynchronizable is that it controls whether or not items are synchronized using the iCloud Keychain. Since this would undermine your phone being the second factor by making your codes available to any device signed into your iCloud account, I'm hesitant of using it.

[calleluks]

I kept on reading the forum thread you linked to and eventually read a later reply by eskimo where it seems like the accessibility attribute only affects encrypted iTunes backups.

Sadly, it seems like keychain items won't be included in iCloud backups regardless of accessibility attributes and I'm not quite sure what we should do to resolve this.

[klaaspieter]

I also tried restoring an iTunes backup to no avail. Like you said, it's probably because I beta tested the app.

Perhaps the 'easiest' way to migrate would be to have a screen with a QR code that can be scanned from a new phone? The QR code would basically contain all the accounts tracked by Tofu. I honestly don't know if a QR code would be able to encode that much information, but it seems like the best way without involving a server or other 3rd parties.

I have all my 2FA secrets backed up in pass, so it's not a huge deal they didn't migrate, but in general I feel people trust the app to keep their accounts safe. Having to re-enable 2FA for a bunch of services when migrating to a new phone would suck.

[calleluks]

Perhaps the 'easiest' way to migrate would be to have a screen with a QR code that can be scanned from a new phone?

That’s an interesting idea! I’ll give it some thought and might try building something out.

I can’t find any documented reason to why Apple doesn’t include keychain items in iCloud backups. I really hope they will start including them in the future.

[klaaspieter]

Just verified with a test account on a test phone that accounts are backed up to and restored from an iCloud backup.

In other words my issue was probably caused by having been part of the beta. I'm going to close this, but a QR code backup could still be nice in case others run into similar issue 😛.

[calleluks]

Huh! That's counter to eskimo’s findings but very good!

Thanks so much for taking the time to testing this for real, @klaaspieter!

Yes, I will continue to think about custom backup options.

[danbee]

I recently migrated to a new phone and my 2FA codes did not restore, which was a bummer because I'd already wiped my old phone. They didn't the last time I upgraded either.

[calleluks]

I'm really sorry about that, @danbee 😕

Were you using iCloud backups or encrypted iTunes backups?

Do you know roughly when you added the accounts to Tofu? Could it be that you, like Klaas Pieter, added the accounts back when we were still using kSecAttrAccessibleWhenUnlocked in e40e25b?

[danbee]

The last time I added accounts to Tofu would have been early last year, so way after the kSecAttrAccessibleWhenUnlocked change.

[danbee]

Oh, and I was using iCloud backup only.

[calleluks]

Sorry again @danbee, re-adding accounts really sucks.

I wish I knew how to debug this further. When I have some more time, I'll try to reproduce Klaas Pieter's experiment with restoring a phone from an iCloud backup.

[brianpierce]

I'm not sure if this is a problem in user instructions or the code but when I recently set up a new iPad using an encrypted back up of an iOS 13 iPhone to move settings, apps and passwords to the new device, Tofu was installed on the iPad but with none of my many 2FA accounts.

The FAQ isn't clear on how to ensure accounts are backed up. What settings are required for backup? Any way to confirm this works (besides wiping and restoring my iPhone)?

If iCloud backup doesn't work, then Authy would be preferable for my uses despite it's closed source code as it is backed up to a server so I don't lose my 2FA secrets nor have to track printed backup codes for each 2FA account.

[calleluks]

Hi @brianpierce, thanks for reporting this. I'm sorry your codes weren't restored from the backup.

The FAQ isn't clear on how to ensure accounts are backed up. What settings are required for backup?

I agree that the FAQ should be updated with information about backups.

If you are taking encrypted iOS backups using iTunes or have iCloud backups enabled, your Tofu accounts should be part of these. At least according to Apple's documentation.

Any way to confirm this works (besides wiping and restoring my iPhone)?

The only thing I can think of (and what I plan to do when I have an extra device) is to restore a second iPhone from my main iPhone's backup. Unfortunately, I'm not sure how to tell whether the problem lies within the iCloud backups system or within Tofu.

I recently set up a new iPad using an encrypted back up of an iOS 13 iPhone to move settings, apps and passwords to the new device

I have never set up a new iPad using an iCloud backup of an iPhone. Is there any information during the setup process about whether it does a full restore of the backup or if it picks out just your settings, apps, and passwords?

If iCloud backup doesn't work, then Authy would be preferable for my uses despite it's closed source code as it is backed up to a server so I don't lose my 2FA secrets nor have to track printed backup codes for each 2FA account.

I totally understand that. Regardless of which 2FA-app you're using, I highly recommend storing recovery/backup-codes somewhere safe.

[danbee]

@calleerlandsson I have a spare iPhone 6S that I could do some testing with if you like?

[calleluks]

Thanks for offering @danbee, I would really appreciate it!

What do you think of the following steps?

1. Verify that iCloud backups are enabled on the main phone and that a backup has been made recently
2. Reset the spare phone's settings and content and set it up by restoring the most recent backup of the main phone
3. After the backup has finished restoring, open Tofu on the spare phone and verify that the accounts from the main phone are all present.

[danbee]

That sounds like a very good place to start. I'll add that to my list for this week.

[xijio]

It seems like a better solution would be generic backup and restore. I agree restoring with icloud and itunes encrypted backups totally makes sense, but I wish there was a way I could manually backup and restore all of the settings. Backing up using the files apis from ios would be great, then you could backup whenever changes are made to any of your logins. So for example, I could set it so that tofu writes a backup to my dropbox or to my selhosted nextcloud instance or any other protocol that you can access through the icloud files apis. It would definitely give me piece of mind to 'trust' that I'm not going to lose data. It does reduce security, but I think that's fine as long as the risk is explained. I feel very confident about the security of my backups using selfhosted nextcloud via vpn assuming the data is stored encrypted at rest with a password.

[danbee]

It took me a week to get to this but I restored my spare phone from an iCloud backup over the weekend and none of my codes made it:

[calleluks]

Ah, that's bad news! 😞 Thanks for testing, @danbee. I've found an old device and will try to replicate the issue on it. I hope that will make it possible to debug.

@xijio, using the files API to create an encrypted backup is an interesting idea. If you would like to work on that, I'd be happy to review a PR! If not, I might work on it when I have the time. Regardless, let's track that in #30.

[calleluks]

Apparently my other device doesn’t run iOS 13 so my backup is no good 🙄 I’ll try to get my hands on a device that does run iOS 13.

[danbee]

Ach! Would you like me to perform any other tests? Backup and restore via iTunes or direct copy between phones?

[calleluks]

Comparing with an encrypted iTunes backup would be great!

The documentation for kSecAttrAccessibleWhenUnlocked explicitly says "Items with this attribute migrate to a new device when using encrypted backups." so if an encrypted iTunes backup doesn't restore the accounts, we will have to look elsewhere for a potential bug.

[EdisonJwa]

I think if there are some other ways such as export(just example) or something else to backup or restore it would be much more interesting

[calleluks]

@danbee, do you by any chance know if you had installed Tofu from TestFlight or from the AppStore on the device that created the backup?

@EdisonJwa, could something like #30 of use for you?

[ThinkChaos]

I just went through the restore process from a local encrypted backup (I use iMazing, not iTunes) and it went perfectly 😃

EDIT: I have the AppStore version.

[danbee]

@calleerlandsson I have the Testflight version installed at the moment and often do so it's probably likely. The version that was restored is the app store version. Could that be something to do with it?

[calleluks]

@ThinkChaos, that's great news! Thanks for testing!

@danbee I thought that might be the case until this morning when I re-read the iOS Security guide and came across the following paragraph:

While the user’s Keychain database is backed up to iCloud, it remains protected by a UID-tangled key. This allows the Keychain to be restored only to the same device from which it originated, and it means no one else, including Apple, can read the user’s Keychain items.

This is also in line with eskimo’s findings mentioned earlier.

To conclude: according to Apple's documentation, iCloud backups should include accounts from Tofu but will only restore them on the same device that made the backup. Encrypted iTunes backups should also include accounts from Tofu and will restore them even on new devices.

iCloud backups can therefor not be used to migrate Tofu accounts to a new device while encrypted iTunes backups can.

Reviewing the findings from different tests in this thread, they all seem to be in line with this given that the test @klaaspieter performed restored an iCloud backup on the same device that created it.

[nakp]

My understanding of kSecAttrSynchronizable is that it controls whether or not items are synchronized using the iCloud Keychain. Since this would undermine your phone being the second factor by making your codes available to any device signed into your iCloud account, I'm hesitant of using it.

@calleerlandsson would you at least consider making it optional? there is this request #45 (to make it work like authy I suppose) and it seems like #30 is not happening any time soon(?)

I understand it kinda beats the purpose of 2FA but in order for that to happen, the user must be able to:

1. install the app in the device
2. and/or be able to unlock a device with the app installed

[papalii]

Ciao guys, and thanks to the developer for this app. I just wanted an update since the last post about it was more than a year ago, about the possibility to restore the 2fa keys when restoring the backup from ICloud and not from Itunes, is it still as before? the keys are restored only from encrypted Itunes backup? Thanks in advance.

[ocelik94]

Hi, any update here?

I really need a a way to transfer all my keys to a new phone at work. I am really struggling now because getting a new key would mean a big workload for me.

edit: New Phone is a android smartphone and I cant change it.

[danbee]

@Andrioshe I'm pretty sure codes are transferred if you do a backup to your computer and restore from there.

[calleluks]

New Phone is a android smartphone and I cant change it.

Sorry, there's currently no way to transfer keys stored in Tofu to an Android app.

[benwhalley]

I came here after having the same issue. I do think there should be a prominent warning that iCloud backup currently does not work reliably, and that the devs aren't clear on exactly why. Restoring codes without a backup is a real pain (> 1h of work for a reasonable number of accounts, and more if you don't back backup codes).