Apple sued because two-factor authentication… oh, I give up

Graham Cluley

There are plenty of things worth getting really upset about.

Racism. Climate Change. Brexit (regardless of whether you’re pro-Brexit or anti-Brexit, you’re almost certainly feeling very unhappy about how things are going.)

What you shouldn’t be getting upset about is the security that companies like Apple put in place to help prevent your accounts being hacked.

And yet, a man called Jay Brodsky is bringing a class action against Apple in California, complaining that two-factor authentication (2FA) on an iPhone or Mac takes too much time.

In his class action suit, Brodsky alleges:

  • Apple enabled 2FA on his account without his explicit consent. Which seems very odd, as my experience has been that Apple only offers 2FA on an opt-in basis.
  • 2FA is too inconvenient to actually set up – requiring several steps on several devices.
  • 2FA is just too darn inconvenient to use… because it requires you to both remember a password *and* have access to a trusted device. Umm, isn’t this exactly how 2FA is supposed to work? It helps stop hackers from breaking into your accounts with nothing more than your password.
  • Apple doesn’t let you disable 2FA after it has been enabled for two weeks straight. This appears to be true. It looks like Apple gives you 14 days’ grace to deactivate 2FA if you wish, but after that… you’re 2FA-secured. Of course, this could be argued to be a good thing security-wise.
  • 2FA is required every time an Apple device is turned on. Really? Can’t say I’ve noticed.
  • 2FA takes between two and five minutes to complete. Hmm. When AppleInsider got its stopwatch out, it reckoned the 2FA process took them about 22 seconds in total to complete.

Brodsky goes on to claim that “millions” of Apple users are suffering “harm” and “economic losses” because of the large amount of time that 2FA eats up.

Will someone please buy this guy an Android? Or maybe offer him some free technical support so he can log into his account a wee bit faster?

Hear more discussion on this case in the latest edition of the “Smashing Security” podcast:

Smashing Security #115: 'Love, Nests, and is 2FA destroying the world?'


Further reading: The man suing Apple over two-factor authentication has ‘previous’.

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

23 Replies to “Apple sued because two-factor authentication… oh, I give up”

  1. Apple should be sued for this shit. The goal is to force anyone with an Apple device to have a second Apple device in order to use the first one.

    1. I agree. Two factor is an inconvenient drag. I work three to five freelance jobs a day, and use my phone for documentation. My iPad might be in a different building than my phone, but unless they are near each other, I can’t send email or messages. Ridiculous.

  2. Ridiculous. Frankly it never registered that it takes a few seconds. Never noticed it. And if he has such a problem with it why did he enable it in the first place? His own fault. And if he'd rather more insecurity then that's his choice. Let's just hope it doesn't cause other people problems.

    Beyond petty. About as stupid as the woman who spilt hot coffee on herself (what kind of person would put hot coffee between their legs is beyond me) and because she's careless (and stupid?) she decided to sue for it. Funny though… Stupidity is something of a speciality of humans (and a STI though that does not mean everyone has symptoms as such) and it says volumes (of coffee?) that more people don't try and profit from their own stupidity. Whether that's because they're too uncreative to see it I do not know but I'd like to believe it's they're not that pathetic.

    1. I agree the 2FA lawsuit is stupid but the spilled coffee lady turned out to be legit. Everyone got it wrong and dragged her name into it when she was in the right. https://www.vox.com/policy-and-politics/2016/12/16/13971482/mcdonalds-coffee-lawsuit-stella-liebeck

  3. Is this Marissa Mayer in disguise? She was "too busy" to even lock her phone whilst CEO of Yahoo.

    Presumably if Apple disable 2FA and he gets hacked he'll sue them for that too.

  4. Nothing surprises me any more. Just look at the quality of the jerks people elect to public office…and nowhere on planet Earth is that more evident than in California, where this clown is bringing his lawsuit.

    There is no substitute for personal responsibility. You can’t elect morons to take responsibility for your behavior, or expect the state to come to your rescue when the cost of being a responsible user is the “inconvenience” of the time it takes to secure your systems.

    It’s especially incongruous that this jerk is suing Apple, of all companies. There’s plenty Apple does that annoys me, but I can’t fault them on their efforts to streamline the process of making my devices and my account more secure. Once it’s set up, it’s actually pretty unintrusive.

    Normally, I’d say that such an idiotic lawsuit is likely to get thrown out. But in California, where the state is aggressively legislating to protect people from even having to take responsibility for their own emotions, this kind of idiocy is business as usual.

  5. No organisation as far as I know sets up 2-factor authentication for you as a default, you have to opt in and set it up yourself. He's probably tried to log into his Apple ID too many times with the wrong password, so he's been locked out.

    This compensation culture has got out of hand. It makes you wonder how many companies have been sued and lost. I personally think some people shouldn't be allowed out!

  6. @coyote Again with the misconceptions. That woman got third-degree burns on her legs and genitals and needed extensive surgery to treat. https://www.vox.com/policy-and-politics/2016/12/16/13971482/mcdonalds-coffee-lawsuit-stella-liebeck

    1. He didn't say the injury wasn't serious, he said who puts a cup of hot coffee between their legs. All it takes is something unexpected to happen, and the person squeezes their legs and coffee everywhere.

  7. This is almost too funny, except that it gives other "smart" people the wrong ideas. I have 2FA turned on anything I can to protect myself. I stress it to my family, who unfortunately thinks the same way this cheese ball thinks. "I don't want to turn that on, it will take an extra 2 seconds every time, and I just don't have the time." Till their stuff gets hacked… and then I never hear the end of it…

  8. SMS not secure, Mobile operator can send a text message if your phone has been switched off and on immediately (throttling).

    https://www.ptsecurity.com/ww-en/analytics/ss7-vulnerability-2018/

  9. Apple should not make the opt-out period limited to 2 weeks. We should have ability to disable 2FA after 2 weeks.

    Apple does not allow you to opt-out of 2FA after 2 week period, which is insane.

  10. Is this guy for real? Why wouldn't you want 2FA. I wouldn't lose any sleep if this moron has his sensitive data stolen.

  11. I predict Apple will do some custom work to manually opt him out as part of a settlement. Then, because of all the press, he will become a target and get hacked, and sue Apple again because they didn't adequately protect him from hackers.

  12. Totally agree with the lawsuit. I'm sick and tired of finger print scanning that's a joke, constant entering of pass codes, 2-factor requiring a second device, Apple ID re-entries, constant updates, constant maintenance.

    If people want a stupid electronic device to control a good part of their life (uh, the above seems like a good proxy of the people I'm referring to), so be it. But I'm drawing myself away from all this nonsense. Gradually but by the time I'm done I'll be back to a flip phone. A luddite for sure.

    Oh, gee, a few days ago yet another email from yet another service I use, letting me know their servers got hacked, and all my personal information got stolen. A few years ago talked to my bank's security department as my credit card had unauthorized use 6 times. Each time the card was replaced with a different number. Only 3 companies had my credit card on file. Apple was one of them. The bank fingered them as having recently been hacked. Oh, and I need to put up with Apple nonsense to make sure no one can access all my important information.

    You folks are so far beyond understanding the problem you probably shouldn't be working in tech.

    Yes, I came out of Tech.

  13. No guys, this 2FA thing is causing a lot of trouble, especially for developers around the world who have multiple accounts that are decoupled from their personal iCloud account.
    Apple recently forced developers to use 2FA and has caused a lot of developers to be locked out of their accounts already. Take a look at the developer forums on reddit and macrumors.

  14. I misplaced my iPhone one evening, and went to my PC to use Find My iPhone, but couldn't log in to do it, because it was sending the 2FA code to my phone, which I was trying to find. This can be a problem.

  15. It is a major issue, I had an iPhone.. lost it.. but cannot afford a new one… I can't change the device nor can I change where the auth code goes. I have called Apple and because I cannot provide all of the minute data they are requesting, access is denied EVEN THOUGH I HAVE THE GOD DAMMED PASSWORD. If on an iMac I still cannot get the damned code. They have effectively locked me out of my email. This is a major problem and BTW I worked at Apple for 6 years, YES THEY PUT YOUR ACCOUNT ON TWO STEP AUTH WITHOUT CONSENT. This writer is an idiot… the complaint is a little frivolous but this is a real problem and a lawsuit needs to be started regarding hijacked information and Apple's security standards and denying users their data.

  16. Wow! Once again, the sheeple have spoken. Personally, I hope he wins. I believe in security and I have 2FA enabled on everything that needs two-factor and my Apple ID is NOT one of them. Having 2FA on my personal account should be a choice, not a requirement. Apple forcing 2FA on us is their way of subsidizing to the end user their refusal to put proper security in place. At a bare minimum, I should be able to receive a code through my email which I can access from anywhere on any device and not be forced to use an Apple or SMS device which, quite often, is the same device and may not be in my possession at the time when I really need it. I've been burned by that more than once. Forget your phone? Need to log in to iCloud? Nope. Ain't happening.

    I've seen a company have their entire development access locked out and scrapped because Apple forced an ex-employee to enable 2FA and when they went to recover the account there was no way to do it as the device tied to it was long gone. Apple refused to give them access even when they produced evidence that they were the rightful owner of the account. It was a stupid, useless protection that ultimately cost the company heartache and money to recover.

  17. When my wife and I did an iOS update on our phones, my wife unknowingly activated 2FA (since it comes up as a default that you have to basically opt out of after an upgrade). I could not use our other two phones or our several computers without access to HER phone. Since we had just activated it, I managed to opt out, but doing so required changing the password on the account. This seemed sort of counter-intuitive, since the whole 2FA thing is to prevent someone from using your devices with just your password, but apparently saying you forgot your password and creating a new one just circumvents the whole 2FA thing and lets you create a new password without 2FA. This workaround seems insecure, but I did not mind since I got my password-only access back.
    I still get alerts on all my devices to complete the 2FA process, so I hope it really has gone away.

    2FA should be an option and it should be reversible at ANY TIME, if the user is willing to give up whatever services Apple ties to it.
