I'll try to split and expand some simpler "answerable" questions that were basically part of another SE post (Apple's new 2FA developer for Apple IDs) that was put on hold because it was too complicated and unwieldy. Here's one:
How are Apple's 2FA "tokens" implemented? If this is spelled out in Apple's documents, I haven't found it yet.
Here's why I want to know. I do not use SMS, period. Mostly for privacy and security reasons. Apple's 2FA requires you to give Apple a phone # to start the process of activating it. They are good enough to let you use a fixed line # as well, so good for them, but I don't maintain any phone # anymore, so this has been a show stopper for me to even get started, hence the relentless set of questions in previous posts.
If I knew for a fact that a single SMS at the beginning was the only text message that would ever be sent, I could just bug someone else to help me out once and that would be the end of it. From that point on, I could use my offline iDevice to generate verification codes (right?). However, if other actions I take will trigger add-on SMS authentication codes, it would not work.
Therefore, you need to know how a device or browser is understood to be "trusted" and / or how it may lose that trust.
I can already generate a "Verification Code" on my iDevice which I now have associated with dev appleID, even completely offline, so it works well. I have some degree of confidence that the device will continue to be "trusted" as long as I do not change the associated appleID.
But I have no idea how this works with a laptop that never wants an iCloud account (or even to touch iCloud servers), but instead is just an Xcode dev machine. The dev machine is not normally connected to the Internet, and when it is, it is protected by a very tight firewall. Once a week, it is allowed to connect (via proxy, VPN, or various physical locations) to Apple's Provisional Certificate Servers to update certificates. It's hard to know how or if I can set up this laptop to be a "trusted machine" and maintain that trust. Firstly, it will have a different IP address almost every time Apple sees it, but also, when 2FA is enabled for that AppleID, there are various actions I can take that can change that trust, such as updating Xcode, for example.
In very rare cases, like maybe 3 or 4 times ever, I have logged on via the browser to its appleID account to set up things and to remove a device once. But cookies are immediately deleted, and I never allow "local storage" (from any server), so I find it hard to understand if I could ever count, in any continuous way, as a "trusted browser" in Apple's eyes. And if it loses that trust, when can it trigger an SMS authentication, as opposed to just generating a verification code on my offline iDevice?
I found this SE answer, which addresses part of my question above.
How does Apple control my list of trusted devices and browsers?
If a browser is only trusted based on a cookie, it is terribly ephemeral. Many, if not most, people often remove cookies.
Still wondering what can affect "trust" of the machine / machine itself.