2-Factor-Auth. fails/prevents purchases after moving to new iOS device.

Originator: jpasq03
Number: rdar://17940716 | Date Originated: 06-Aug-2014 09:53 PM EST
Status: Open | Resolved:
Product: App Store [iOS] | Product Version: N/A, Client: iOS 7.1.2
Classification: Serious Bug | Reproducible: I Didn’t Try
 
Description:

	Attempting a purchase on the iOS App Store fails on a new device with an Apple ID that has two factor authentication enabled. I.e. 2FA was set up with a prior device, that device was replaced, 2FA fails.

	An opportunity that deserves testing is restoring the original and other devices and attempting transactions. This has not been tested. 

	For the reason of not having tested the above scenario of multiple restores of various devices I have chosen the “I didn’t try” reproducibility. 

	As for reproducing this exact set of actual results for transactions, that is always reproducible. No attempts have been made for reproducing this by device restoration as originally.

	This has not been tested for OS X App Store purchases.

	The device receives Apple ID 2FA verification code numbers correctly when initiated from the Apple ID website. (Phone number set up for authentication, same as device)

Steps to Reproduce:

	1. Set up 2 Factor Authentication at https://appleid.apple.com
	2. Register a device (in my case iPhone 4S) and phone number that that device uses.
	3. Make purchases on the iOS App Store including in-app purchases.
	4. Replace that device with an iPhone 5S by iTunes restoration and completely move everything over.
	4a. Note: this is the same telephone number/account. Different SIM card as standard.
	5. Reset the old iOS device to factory state.
	5a. Exclusively use the new device.
	6. Initiate a transaction (In-app purchase and also upfront app purchase) on the iOS App Store.
	7. Authenticate w/ Apple ID (password or touch ID)
	8. Confirm purchase


Expected Results:

	1. Authentication succeeds.
	2. The purchase is confirmed
	3. The transaction is completed.

	or 

	1. Authentication fails.
	2. The transaction is cancelled, or
	2a. Retries are offered, yielding expected success and continuing as described above or failure.

Actual Results:

	1. Authentication (touch ID or password) succeeds.
	2. Purchase is confirmed (or denied).
	3. A wild dialog appears. Title: “Security Information Required” Message: “To help ensure the security of your Apple ID we require additional information.” Options: “Cancel”, “Continue”.
	4. Choosing continue: Safari opens to https://appleid.apple.com/?localang=en_us
	4a. This URL has one L shared between local and lang. 
	5. Logging in yields the standard Apple ID website with no options to provide verification or additional information for this transaction. It is exactly the same as in any other session.
	5a. No additional security information is permitted to be entered.
	5b. The transaction cannot be successfully completed. 

	or

	1. Authentication fails.
	2. A retry is offered.
	3. Authentication succeeds and continues as described above (ending in failure) or the transaction is cancelled/abandoned.

Configuration:

	Device initially set up with 2FA: iPhone 4S, iOS 7.1.x at time of replacement. 

	Replacement device that fails authentication: iPhone 5S, 7.1.2 (11D257), Trust Store 2014060300.


iTunes Version/Build & Platform (incl. Version/Build):

	OS X 10.9.3 at time of upgrade.

	iTunes at time of upgrade: unsure exactly, Spring 2014 timeframe, either latest or second latest release.

	iTunes presently (not used to restore this device lately): 11.3 (54) 64-bit.


Additional Notes:

	This error presents an obstacle to widespread adoption of two factor authentication.

Attached: 

	[Non-cropped versions of the following 2 screenshots along with a screenshot of the IAP confirmation dialog.]
	https://twitter.com/jpasqualetti/status/496403101537275904/photo/1
	https://twitter.com/jpasqualetti/status/496397962843783171/photo/1
