Apple being sued because two-factor authentication on an iPhone or Mac takes too much time...

Posted:
in iPhone edited February 2019
A class action suit has been filed that accuses Apple's two-factor authentication of being too disruptive to users, taking too much time out of a user's day when it is needed, and abusive since it can't be rolled back to a less safe login method after 14 days.

Two-factor authentication on an iPad and iPhone


The suit, filed by Jay Brodsky in California, alleges that Apple doesn't get user consent to enable two-factor authentication. Furthermore, once enabled, two-factor authentication "imposes an extraneous logging in procedure that requires a user to both remember password; and have access to a trusted device or trusted phone number" when a device is enabled.

Filing paperwork associated with the suit also alleges that harm is being done, and potential class members "have been and continue to suffer harm" including economic losses, based on a waste of personal time for an extended login process that has become a multiple-step process.

The filer alleges that a software update enabled two-factor authentication on or around September 2015. However, neither macOS El Capitan nor iOS 9, released in the timeframe put forth by the filer, mandated two-factor authentication, nor implemented it without an explicit and multiple-step opt-in procedure requiring the user to consent. It is required to take advantage of some of Apple's services, like Home Sharing and HomeKit Hubs, however.

Brodsky alleges that the email that Apple sends after two-factor authentication is enabled is insufficient to warn the user that the setting is irrevocable. The filing calls a link in an email to a page to reset the configuration "unobtrusive" but does not specify what would have been sufficiently noticeable in a three-paragraph email.

Email sent to user after two-factor authentication is activated on an iCloud account


According to the suit, when two-factor authentication is demanded, the following process takes between two and five minutes.

"First, Plaintiff has to enter his selected password on the device he is interested in logging in. Second, Plaintiff has to enter password on another trusted device to login. Third, optionally, Plaintiff has to select a Trust or Don't Trust pop-up message response. Fourth, Plaintiff then has to wait to receive a six-digit verification code on that second device that is sent by an Apple Server on the internet. Finally, Plaintiff has to input the received six-digit verification code on the first device he is trying to log into. Each login process takes an additional estimated 2-5 or more minutes with 2FA."

AppleInsider hasn't been randomly presented with any two-factor authentications on Saturday even following OS updates to an iPhone XS Max, an iPhone X, and two sixth-generation iPads, but was able to force the issue on a new device. The process took 22 seconds in total to accomplish.

The filer believes that Apple has interfered with the use of the device with the "extraneous login process through two-factor authentication" that has been "imposed" on the class. The time it takes to execute the extra login data is said to be "continuous, systematic and ongoing" and Apple has "caused injury to Plaintiff and Class Members' rights to choose the level of security for Plaintiff and Class Member owned devices."

The suit is demanding injunctive relief, fines and penalties assessed on Apple in accordance with the Computer Fraud and Abuse Act, and is seeking "all funds, revenues, and benefits" that Apple has "unjustly received" from the action, but what precisely that entails isn't listed in the filing documents. The filer is also asserting that Apple is violating California's Invasion of Privacy Act, but how that applies also isn't immediately clear.


Comments

  • Reply 1 of 126
    This is so frivolous. If the person who brought forth this case loses they should have to pay any and all Apple legal fees. 
  • Reply 2 of 126
    ClarityToSee (Posts: 34, unconfirmed, member)
    I would agree with the lawsuit. The two factor authentication process is time consuming and inconvenient for the users.  
    Apple should work on another way to strengthen security. What happened to simple and intuitive philosophy of Apple’s? 
  • Reply 3 of 126
    pixelwash (Posts: 4, unconfirmed, member)
    A suit is probably going too far, but I consciously realized that two-factor authentication would significantly increase the complexity of configuring my clean installs, and configuring new devices. So I've always avoided it for many of the reasons stated in the suit. I also dislike the nagging Apple does suggesting users enable two-factor authentication in new installs, or when there is a major system change in any of my Apple devices (of which there are many.)
    edited February 2019
  • Reply 4 of 126
    ClarityToSee said:
    I would agree with the lawsuit. The two factor authentication process is time consuming and inconvenient for the users.
    Apple should work on another way to strengthen security. What happened to simple and intuitive philosophy of Apple’s? 
    What do you propose is a better safe and secure way to secure your account and prevent someone easily resetting your password and accessing your persons information? What other company does it better while just as secure?
  • Reply 5 of 126
    Mike Wuerthele (Posts: 6,837, administrator)
    ClarityToSee said:
    I would agree with the lawsuit. The two factor authentication process is time consuming and inconvenient for the users.
    Apple should work on another way to strengthen security. What happened to simple and intuitive philosophy of Apple’s? 
    Yeah, I can see where 22 seconds periodically would be a major drag on your day.
  • Reply 6 of 126
    Can someone explain this to me?  It requires less than a minute of time over the course of a year...
  • Reply 7 of 126
    entropys (Posts: 4,148, member)
    “The first thing we do, let’s kill all the lawyers”
  • Reply 8 of 126
    I traveled through Beijing a few years back, and maybe coincidentally a few days later I had a two factor authentication request from Guangzhou. They had my password, and fortunately I stopped them with the second factor. I for one find their method to be valuable and the right level of intrusiveness in the workflow.
    edited February 2019
  • Reply 9 of 126
    cgWerks (Posts: 2,952, member)
    pixelwash said:
    A suit is probably going too far, but I consciously realized that two-factor authentication would significantly increase the complexity of configuring my clean installs, and configuring new devices. So I've always avoided it for many of the reasons stated in the suit. I also dislike the nagging Apple does suggesting users enable two-factor authentication in new installs, or when there is a major system change in any of my Apple devices (of which there are many.)
    I don't see how Apple is forcing it, but yeah, they sure are pushing it. I've tried 2FA in a few places, but besides the inconvenience, what happens if I don't have another device with me, or it gets lost/stolen, etc. right around the time Apple (or other entity) decides to make me re-authorize? Better security is a good thing, but I've found 2FA to be a royal pain. (And, the way most people use it isn't really much more secure anyway... more of a false trust. Or, I still get 2FA codes on my cell phone, from a previous user of my phone number... and that poor guy is probably screwed because he can't get back into said services, as I get the code. IMO, it's a mess.)

    fruitstandninja said:
    What do you propose is a better safe and secure way to secure your account and prevent someone easily resetting your password and accessing your persons information? What other company does it better while just as secure?
    For one, they could get rid of the ridiculous in-security questions, which defeat the purpose of any real security they implement. It's hard to take anyone who uses those seriously.

    I suppose a properly implemented 2FA is better than not, in terms of security. But, like many things, it's a tradeoff.
  • Reply 10 of 126
    I'm going to sue Apple for requiring my password to be too long. It's a major inconvenience on my life that I have to type a longer password than I want, even though I want a password, making it take an infinitesimally longer than it would if I had a smaller password!
  • Reply 11 of 126
    I don’t think this warrants a lawsuit, but let me tell you a story.

    1. I sent my iPhone 6s in for a battery replacement.
    2. One day, I woke up and thought “I’m going to wipe my IPad clean”
         - Background: I actually do this several times a year, usually after a significant OS upgrade.  It also cleans of any games, junk, etc. that I    don’t really need.  I do this with the knowledge that I don’t use backup, but my contacts, calendar, shortcuts, passwords will sync back.  

    I think you can see my problem.  My 6s has been gone 10 days at this point, and it took a full 2 weeks to get my phone back (bad Apple).

    Anyways,  my wiped iPad boots up but I run into 2FA to set up the iPad.  I know everything I need to know (password to AppleID) but what I don’t have is my 6s.  (Apple sends the code to the 6s and there’s no alternative).

    I also don’t know my email password because it’s saved in Keychain.

    At this point, I also don’t know what happened to my phone.  It should be fixed (it was just a freakin battery) and as of the previous day I’d already reached the highest level of support. (There was no update on Apple’s site that they even received it).  The nice support lady, wanted to call me with an update... no phone.  So, we agreed on email... now no email.

    Fortunately, I remembered that I removed the SIM card. So, I went to my T-mobile store and used a display phone to authenticate.  Got my IPad up and running and found my iPhone was found/done and being shipped back.

    Moral of the story is 2FA is great, but I really want it tied to something other than Idevice, like a YubiKey.

    So, the lawsuit isn’t entirely frivolous.  I also didn’t enable 2FA for my AppleID...  I do want 2FA to log into my devices, but that’s not currently an option.  I don’t care as much about my AppleID password it’s really really complex... as in come back in a few 100 million years (cracking it with today’s tech).
  • Reply 12 of 126
    ClarityToSee said:
    I would agree with the lawsuit. The two factor authentication process is time consuming and inconvenient for the users.
    Apple should work on another way to strengthen security. What happened to simple and intuitive philosophy of Apple’s?
    Mike Wuerthele said:
    Yeah, I can see where 22 seconds periodically would be a major drag on your day.
    I think something else occurred to spark the lawsuit.  See my other looong post.
  • Reply 13 of 126
    I don’t think this warrants a lawsuit, but let me tell you a story.

    1. I sent my iPhone 6s in for a battery replacement.
    2. One day, I woke up and thought “I’m going to wipe my IPad clean”
         - Background: I actually do this several times a year, usually after a significant OS upgrade.  It also cleans of any games, junk, etc. that I    don’t really need.  I do this with the knowledge that I don’t use backup, but my contacts, calendar, shortcuts, passwords will sync back.  

    I think you can see my problem.  My 6s has been gone 10 days at this point, and it took a full 2 weeks to get my phone back (bad Apple).

    Anyways,  my wiped iPad boots up but I run into 2FA to set up the iPad.  I know everything I need to know (password to AppleID) but what I don’t have is my 6s.  (Apple sends the code to the 6s and there’s no alternative).

    I also don’t know my email password because it’s saved in Keychain.

    At this point, I also don’t know what happened to my phone.  It should be fixed (it was just a freakin battery) and as of the previous day I’d already reached the highest level of support. (There was no update on Apple’s site that they even received it).  The nice support lady, wanted to call me with an update... no phone.  So, we agreed on email... now no email.

    Fortunately, I remembered that I removed the SIM card. So, I went to my T-mobile store and used a display phone to authenticate.  Got my IPad up and running and found my iPhone was found/done and being shipped back.

    Moral of the story is 2FA is great, but I really want it tied to something other than Idevice, like a YubiKey.

    So, the lawsuit isn’t entirely frivolous.  I also didn’t enable 2FA for my AppleID...  I do want 2FA to log into my devices, but that’s not currently an option.  I don’t care as much about my AppleID password it’s really really complex... as in come back in a few 100 million years (cracking it with today’s tech).
    As much as my story says that 2FA on Apple is good, I agree with your points.  You need something that you can control all the time.   Even using email, SMS etc is a good next step, but they can be compromised too.   See a story of recent years about people stealing millions in bitcoin by convincing AT&T that they should transfer his phone number to a new phone.   And in that case I can agree that AT&T didn't want to be signed up to be the second factor.

    So while agreed that we need a better way, this method moves the bar above guessing passwords, and that is a good thing.
  • Reply 14 of 126
    knowitall (Posts: 1,648, member)
    He is right, it's very cumbersome, bordering on harassment.
    I often have to run stairs up and down to be able to do what I could do with a simple mouse click.
    It's also very inconvenient when using another account.
    I remember a very good Apple commercial which was completely right about PC’s, but now sadly also a Mac reality: 
    https://youtu.be/8CwoluNRSSc
  • Reply 15 of 126
    "Furthermore, once enabled, two-factor authentication "imposes an extraneous logging in procedure that requires a user to both remember password; and have access to a trusted device or trusted phone number" when a device is enabled."

    So two-factor authentication is bad because it requires two factors?

    I think I'll sue AI because I have to enter a password to login to my password-protected account to comment on this site.  I demand 100% secure zero-factor authentication!
  • Reply 16 of 126
    cgWerks (Posts: 2,952, member)
    archieny said:
    I'm going to sue Apple for requiring my password to be too long. It's a major inconvenience on my life that I have to type a longer password than I want, even though I want a password, making it take an infinitesimally longer than it would if I had a smaller password!
    Then I should probably sue them for popping up such a dialog box all the time that actually does waste my time trying to make it go away, or entering it.... because of THEIR incompetence. But, if we start down that road, Apple will be broke and I'll be rich. Hey, that doesn't sound so bad. Where's my phone and who knows a good lawyer? :wink: 


    I think you can see my problem.  My 6s has been gone 10 days at this point, and it took a full 2 weeks to get my phone back (bad Apple).
    ...
    I also don’t know my email password because it’s saved in Keychain.
    ...
    Moral of the story is 2FA is great, but I really want it tied to something other than Idevice, like a YubiKey. ...

     Exactly! It might raise the security a bit, but it also raises the possibility of something going really wrong, a lot.
    Also, another moral of the story is not to use Keychain to manage your passwords!!!
    edited February 2019
  • Reply 17 of 126
    Gaby (Posts: 190, member)
    ClarityToSee said:
    I would agree with the lawsuit. The two factor authentication process is time consuming and inconvenient for the users.
    Apple should work on another way to strengthen security. What happened to simple and intuitive philosophy of Apple’s? 
    Yeah, I can see where 22 seconds periodically would be a major drag on your day.
    Personally I’d rather be marginally “inconvenienced” and not have my accounts hacked. I really don’t know what the world is coming to when people are so put out by taking a few moments out of their day. Society is becoming so lazy. To my mind it’s the microwave ready meal types that this affects most. For anyone fully entrenched in the Apple ecosystem, especially those with newer and up to date devices, 2 factor is a very simple and streamlined process, especially considering how infrequently one needs to go through it. But even for those that may only have a couple of devices it still takes little to no time at all. 
  • Reply 18 of 126
    The filer is a whiner and a complete idiot. Can you imagine what he’d do if someone hacked into his iCloud account?
  • Reply 19 of 126
    Gaby (Posts: 190, member)
    I don’t think this warrants a lawsuit, but let me tell you a story.

    1. I sent my iPhone 6s in for a battery replacement.
    2. One day, I woke up and thought “I’m going to wipe my IPad clean”
         - Background: I actually do this several times a year, usually after a significant OS upgrade.  It also cleans of any games, junk, etc. that I    don’t really need.  I do this with the knowledge that I don’t use backup, but my contacts, calendar, shortcuts, passwords will sync back.  

    I think you can see my problem.  My 6s has been gone 10 days at this point, and it took a full 2 weeks to get my phone back (bad Apple).

    Anyways,  my wiped iPad boots up but I run into 2FA to set up the iPad.  I know everything I need to know (password to AppleID) but what I don’t have is my 6s.  (Apple sends the code to the 6s and there’s no alternative).

    I also don’t know my email password because it’s saved in Keychain.

    At this point, I also don’t know what happened to my phone.  It should be fixed (it was just a freakin battery) and as of the previous day I’d already reached the highest level of support. (There was no update on Apple’s site that they even received it).  The nice support lady, wanted to call me with an update... no phone.  So, we agreed on email... now no email.

    Fortunately, I remembered that I removed the SIM card. So, I went to my T-mobile store and used a display phone to authenticate.  Got my IPad up and running and found my iPhone was found/done and being shipped back.

    Moral of the story is 2FA is great, but I really want it tied to something other than Idevice, like a YubiKey.

    So, the lawsuit isn’t entirely frivolous.  I also didn’t enable 2FA for my AppleID...  I do want 2FA to log into my devices, but that’s not currently an option.  I don’t care as much about my AppleID password it’s really really complex... as in come back in a few 100 million years (cracking it with today’s tech).
    You can do it from your mac or even have verification code go to your Apple Watch I think. Additionally you can add a second trusted phone number for occasions such as yours when you don’t have your iPhone - even a landline, where you receive an automated call in lieu of a text verification. 
    edited February 2019
  • Reply 20 of 126
    mac_128 (Posts: 3,454, member)
    I don’t think this warrants a lawsuit, but let me tell you a story.

    1. I sent my iPhone 6s in for a battery replacement.
    2. One day, I woke up and thought “I’m going to wipe my IPad clean”
         - Background: I actually do this several times a year, usually after a significant OS upgrade.  It also cleans of any games, junk, etc. that I    don’t really need.  I do this with the knowledge that I don’t use backup, but my contacts, calendar, shortcuts, passwords will sync back.  

    I think you can see my problem.  My 6s has been gone 10 days at this point, and it took a full 2 weeks to get my phone back (bad Apple).

    Anyways,  my wiped iPad boots up but I run into 2FA to set up the iPad.  I know everything I need to know (password to AppleID) but what I don’t have is my 6s.  (Apple sends the code to the 6s and there’s no alternative).

    I also don’t know my email password because it’s saved in Keychain.

    At this point, I also don’t know what happened to my phone.  It should be fixed (it was just a freakin battery) and as of the previous day I’d already reached the highest level of support. (There was no update on Apple’s site that they even received it).  The nice support lady, wanted to call me with an update... no phone.  So, we agreed on email... now no email.

    Fortunately, I remembered that I removed the SIM card. So, I went to my T-mobile store and used a display phone to authenticate.  Got my IPad up and running and found my iPhone was found/done and being shipped back.

    Moral of the story is 2FA is great, but I really want it tied to something other than Idevice, like a YubiKey.

    So, the lawsuit isn’t entirely frivolous.  I also didn’t enable 2FA for my AppleID...  I do want 2FA to log into my devices, but that’s not currently an option.  I don’t care as much about my AppleID password it’s really really complex... as in come back in a few 100 million years (cracking it with today’s tech).
    I have 2FA go to all of my active Apple devices, Mac, iPad, iPhone, and I have an old iPhone and iPad, which are active via WiFi. All of these issues can be ameliorated, with a little planning. Unfortunately most people don’t realize what’s needed until too late, and Apple doesn’t do a lot to educate people when prompting them to turn it on.

    That said, it was a real problem for a friend in Europe who had his phone stolen, bought a new one, but wasn’t able to activate it without 2FA. He had traveled with his Apple Watch but Apple didn’t allow 2FA to go to it, because it needed the phone to set it up. So he was unable to download his contacts and info. At some point, people need to be able to deal with these kinds of issues without traveling with an electronic arsenal. That’s where a simple dongle would be helpful.