Besides the obvious (the lawsuit is BS), I certainly think Apple should generate a list of complex backup codes when setting up 2FA, like other solutions do. This way, when your trusted device is not available, or the SMS / push notification does not work (which happens rarely, but it happens), you at least have an alternative. I do not know if supporting alternative TOTP solutions (like fobs) would help. Most people would likely use an app for that and thus be back to square one.
Since the claimant uses a Gmail account, security and privacy are obviously not on his list of priorities. He should sue web sites enforcing https next; encryption steals milliseconds of his useless life dozens of times every day.
I would agree with the lawsuit. The two factor authentication process is time consuming and inconvenient for the users. Apple should work on another way to strengthen security. What happened to Apple’s simple and intuitive philosophy?
I think it's a ridiculous lawsuit. Where does this end? You could sue for anything you deem ineffective. The fact that Apple is clearly not innovating here doesn’t mean you should be able to sue for these things.
Now, Apple’s 2-way-authentication is notoriously bad (it often gives me the authentication code on the same machine that requested it - defeating the purpose, and yes it’s slow), but what options do they really have?
I don’t think this warrants a lawsuit, but let me tell you a story.
1. I sent my iPhone 6s in for a battery replacement.
2. One day, I woke up and thought “I’m going to wipe my iPad clean”. Background: I actually do this several times a year, usually after a significant OS upgrade. It also cleans off any games, junk, etc. that I don’t really need. I do this with the knowledge that I don’t use backup, but my contacts, calendar, shortcuts, passwords will sync back.
I think you can see my problem.
I think we can all see your problem. You perform a completely unnecessary action on your iPad — "several times a year." Therefore you must be well aware of the 2FA procedure, in fact much more so than the average user. Nonetheless you go ahead and do it again when you don't have your iPhone.
Anyone not see where your real problem is? (Hint: it's not at Apple...)
This is why we have laws against frivolous lawsuits and people hate lawyers. I hope Apple wins and gets a judgement against this troll for all legal fees.
Gaby said: Personally I’d rather be marginally “inconvenienced” and not have my accounts hacked.
If you use a strong, unique password (and a good password manager like 1Password or PasswordWallet by Selznick), your chances of being hacked at random are pretty darn slim. If you're the target of a specific attack, then it's more likely the attacker will just social engineer the weak point, which would be Apple's security questions and customer service.
One fundamental of computer security learned on day 1 is the inverse relationship between security and convenience. Another fundamental is that Security Is Hard.
Well, some forms of security are both more convenient and less-hard. IMO, 2FA sits in the corner of harder and less convenient. Just use a good password manager, and move on with life. And, I suppose, petition companies to stop using stupid security questions.
derekcurrie said: BTW: I personally experienced the fact that Apple blundered with their initial implementation of two-factor authentication. But I applaud Apple for persisting until they got two-factor authentication right.
Could you elaborate on that a bit? What's different? I hadn't realized there was a specific v1.0 and v2.0. But, I hadn't followed it that much either.
mac_128 said: That said, it was a real problem for a friend in Europe who had his phone stolen, bought a new one, but wasn’t able to activate it without 2FA. He had traveled with his Apple Watch but Apple didn’t allow 2FA to go to it, because it needed the phone to set it up. So he was unable to download his contacts and info. At some point, people need to be able to deal with these kinds of issues without traveling with an electronic arsenal. That’s where a simple dongle would be helpful.
That's the thing... Apple can't even manage to not friggin' prompt me for Apple ID credentials all over the OS, even while I'm playing a game, etc. How should I trust them with Keychain or to manage my 2FA security? I'm sure it's exactly those kinds of situations where it will kick in and keep me locked out of everything. I often just have my phone with me or such.
Besides the obvious (the lawsuit is BS), I certainly think Apple should generate a list of complex backup codes when setting up 2FA, like other solutions do.
Yeah, that's one possible solution. But, I suppose if you're just carrying your phone (ie: one device) and something goes wrong, you'd be out of luck, as then where do you store that backup code? I guess I opt more for a bit less secure initial access, or at least more convenient and more under my control, and then go higher security in how I store any more secure info (ie: 1Password, The Vault, etc.).
CheeseFreeze said: I think it's a ridiculous lawsuit. Where does this end? You could sue for anything you deem ineffective. The fact that Apple is clearly not innovating here doesn’t mean you should be able to sue for these things.
Now, Apple’s 2-way-authentication is notoriously bad (it often gives me the authentication code on the same machine that requested it - defeating the purpose, and yes it’s slow), but what options do they really have?
Well, it's ridiculously bad, in that you can't really sue someone for their product not being as good as you hope/imagine it would be. BUT, if Apple did indeed force 2FA, then there might be some substance to it. That said, I don't like how Apple constantly tries to trick people into doing what they'd like them to do, these days. The old Apple didn't do that, to my recollection.
Wow... didn't know about the sending the code to the machine that requested it... LOL. Typical Apple half-baked implementation. That's something Apple has always been pretty bad about. I've never understood why they seem to refuse to put proper resources into feature-planning, implementation, and testing. At least when they didn't have hundreds of $billions, it might have been chalked up to lack of resources.
Yeah, this person can go fuck themselves, along with the lawsuit. Remember how many lawsuits were thrown at Apple after the iCloud "hack" (which wasn't even a hack).
"First, Plaintiff has to enter his selected password on the device he is interested in logging in. Second, Plaintiff has to enter password on another trusted device to login. Third, optionally, Plaintiff has to select a Trust or Don't Trust pop-up message response. Fourth, Plaintiff then has to wait to receive a six-digit verification code on that second device that is sent by an Apple Server on the internet. Finally, Plaintiff has to input the received six-digit verification code on the first device he is trying to log into. Each login process takes an additional estimated 2-5 or more minutes with 2FA."
This is such a load of shit as well. 2-5 minutes? Just tried it now and the entire process took less than 10 seconds.
Honestly, these plaintiffs and the lawyers should be punished for such blatant lies in such a grotesquely disgusting attempt to enrich themselves.
And for those of you here shitting on 2FA, I haven't seen a SINGLE reasonable alternative proposed. I guess that would actually require some mental energy. Because, none exists. At least not something that would work for most people, under most situations.
I would agree with the lawsuit. The two factor authentication process is time consuming and inconvenient for the users. Apple should work on another way to strengthen security. What happened to Apple’s simple and intuitive philosophy?
It takes not more than 15 seconds to click Allow and put in the code.
neilm said: I think we can all see your problem. You perform a completely unnecessary action on your iPad — "several times a year." Therefore you must be well aware of the 2FA procedure, in fact much more so than the average user. Nonetheless you go ahead and do it again when you don't have your iPhone.
Hmm, maybe in this particular situation, they should have thought of that, sure. But, I think the point is that there are lots of such situations, and most people don't think of every possibility until it comes back to bite them, often at the most inopportune time.
As was mentioned earlier, there is a tradeoff between security level and convenience. I'd love to see everyone at some base point of security that isn't too impractical, yet secure-enough. IMO, 2FA is more an attempt to patch poor, much less inconvenient, security practices with one that is quite impractical and prone to problems.
And, as I mentioned earlier... if these companies took security seriously in the first place, then I might see them trying to push things further. But, when there are lots of other weak spots, why try to inconvenience people? Maybe Apple would do better by not training users to be phished? Maybe by not using stupid 'security questions'? Maybe by trying to get them to use a good password manager?
I'm fine with having 2FA available, but I don't like how Apple has been pushing it. Most users who aren't technical/comprehensive enough to use a password manager, probably shouldn't be using 2FA either. It is fraught with issues if you don't think them through. (ex: When I ran my web design company, I had instructions in case something happened to me, so someone could transition my clients properly. But, what if I had 2FA enabled for domains, web-services, etc? Would a typical less-technical person even have thought of such things? It raises the complexity considerably, when there are MUCH more simple things that could be done to increase security.)
A suit is probably going too far, but I consciously realized that two-factor authentication would significantly increase the complexity of configuring my clean installs, and configuring new devices.
So I've always avoided it for many of the reasons stated in the suit.
I also dislike the nagging Apple does suggesting users enable two-factor authentication in new installs, or when there is a major system change in any of my Apple devices (of which there are many.)
"...significantly increase the complexity..." Really? It hardly takes more than 15 seconds. Apple "nags" the user for very good reason, to protect the user.
I would agree with the lawsuit. The two factor authentication process is time consuming and inconvenient for the users. Apple should work on another way to strengthen security. What happened to Apple’s simple and intuitive philosophy?
Yeah, I can see where 22 seconds periodically would be a major drag on your day.
Personally I’d rather be marginally “inconvenienced” and not have my accounts hacked. I really don’t know what the world is coming to when people are so put out by taking a few moments out of their day. Society is becoming so lazy. To my mind it’s the microwave ready meal types that this affects most. For anyone fully entrenched in the Apple ecosystem, especially those with newer and up to date devices, 2 factor is a very simple and streamlined process, especially considering how infrequently one needs to go through it. But even for those that may only have a couple of devices it still takes little to no time at all.
slurpy said: And for those of you here shitting on 2FA, I haven't seen a SINGLE reasonable alternative proposed. I guess that would actually require some mental energy.
Because, none exists. At least not something that would work for most people, under most situations.
How about having reasonable security in general, which works under more situations?
A user should be able to completely reverse 2FA at will at any time. There needs to be a fallback that works when other trusted devices are not available.
Bingo! If there is some basis for a lawsuit, this is it. If you can't turn it back off when your situation changes, then that's bad. As mentioned above, you might have turned it on, then thought of a 'gotcha' situation where it would compromise your access or access by loved/trusted ones, should you get into a situation or something happen to you.
I think unlike slurpy's comment above, maybe the problem is that some people HAVE actually put some mental energy into the shortcomings.
techno said: "...significantly increase the complexity..." Really? It hardly takes more than 15 seconds. Apple "nags" the user for very good reason, to protect the user.
It increases the system complexity of things that could go wrong to lock you out of your own data/devices, or access for loved/trusted ones, should something happen to you.
Everybody having to read this whole bullshit should sue the starter of this whole process, because of all the time it took to read the article and eventually even comment on it! What a waste of life time.
A user should be able to completely reverse 2FA at will at any time.
Not really.
Such a reversal will need an equally strong security to prevent bad guys from turning off your 2FA at will. That means you'll need your 2FA to turn off your 2FA, which won't help the plaintiff anyway when he's already in trouble. :-)
Sometimes I wonder if these frivolous lawsuits are filed by the crooks to help weaken your security en masse. The bad guys will find ways to downgrade your 2FA accounts to non-2FA ones and then own you. It is better to make 2FA irreversible.
There needs to be a fallback that works when other trusted devices are not available.
There is already a fallback when your trusted devices are unavailable. It's your trusted phone numbers:
You'll receive the code via text or an automated call.
If for some unholy reasons you hate (free !) trusted phone numbers, there is also another way. Buy 1 more small/cheap Apple device for backup 2FA handling. I have 1 iPhone, 1 iPad and 1 Mac. Should be pretty robust where 2FA token is concerned.
Other companies like Microsoft use this awfully silly long code as your last backup code. Everyone has to write or print it for safekeeping. I never remember where I keep that piece of paper. So it's completely useless in this regard.
Using a small hardware token is also asking for more trouble. It's one more thing to lose. And it's the ONLY one. Lose it and you're done for.
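The backup-code fallback proposed at the top of the thread, and the TOTP alternative it mentions, as an added worked example in Python (not code from the thread, and not Apple's or anyone's product code): recovery codes are drawn from a look-alike-free alphabet so a printed sheet can be typed back in, stored server-side only as SHA-256 digests, compared in constant time and accepted at most once; the TOTP routine follows RFC 6238 (HMAC-SHA1, 30-second step, 6 digits) and is checked against the RFC's published test key. The ten-codes-of-ten-characters format, the one-step drift window and every function name are assumptions for illustration.

```python
"""Recovery codes plus RFC 6238 TOTP as fallback second factors (illustrative)."""
import hashlib
import hmac
import secrets
import struct
import time

# Alphabet without 0/O, 1/I/L look-alikes so a code read off paper survives a human.
# Assumption: ten codes of ten characters, 31^10 ~ 49.5 bits of entropy each.
_ALPHABET = "ABCDEFGHJKMNPQRSTUVWXYZ23456789"


def _normalize(code: str) -> str:
    """Tolerate the dashes, spaces and lower case a user types from a printed sheet."""
    return code.replace("-", "").replace(" ", "").upper()


def _hash_code(code: str) -> str:
    # The codes are high-entropy random strings, so a plain SHA-256 (no slow KDF)
    # is enough; only the digest is stored, as with a password hash.
    return hashlib.sha256(_normalize(code).encode()).hexdigest()


def generate_backup_codes(count: int = 10, length: int = 10):
    """Return (plaintext codes shown to the user once, server-side store).

    The store maps digest -> already-used flag; the plaintext is never kept.
    """
    codes = []
    for _ in range(count):
        raw = "".join(secrets.choice(_ALPHABET) for _ in range(length))
        codes.append(f"{raw[:length // 2]}-{raw[length // 2:]}")
    store = {_hash_code(c): False for c in codes}
    return codes, store


def redeem_backup_code(store: dict, candidate: str) -> bool:
    """Accept a code at most once; compare every entry so timing leaks nothing."""
    digest = _hash_code(candidate)
    hit = None
    for stored in store:
        if hmac.compare_digest(stored, digest):
            hit = stored
    if hit is None or store[hit]:
        return False
    store[hit] = True          # burn the code: a second use is rejected
    return True


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the number of `step`-second intervals since the epoch."""
    return hotp(key, at // step, digits)


def verify_totp(key: bytes, candidate: str, at: int, window: int = 1,
                step: int = 30, digits: int = 6) -> bool:
    """Accept the current step plus `window` steps either side for clock drift.

    A real verifier must also remember the last accepted step and refuse a
    repeat of the same code inside the window (replay); that bookkeeping is
    left out here.
    """
    ok = False
    for drift in range(-window, window + 1):
        expected = totp(key, at + drift * step, step, digits)
        if hmac.compare_digest(expected, candidate):
            ok = True          # no early exit, so timing is independent of the match
    return ok


if __name__ == "__main__":
    codes, store = generate_backup_codes()
    print("Print these and keep them somewhere other than the phone:")
    for c in codes:
        print("  ", c)
    print("first use:", redeem_backup_code(store, codes[0].lower()))   # True
    print("second use:", redeem_backup_code(store, codes[0]))          # False
    # RFC 6238 test key (constructed test value, not a real account secret).
    key = b"12345678901234567890"
    print("TOTP at T=59:", totp(key, 59))                               # 287082
    print("TOTP now:", totp(key, int(time.time())))
```

The two mechanisms fail in opposite ways, which is the point the thread circles around: a printed code list works with no device at all but must be stored somewhere the phone is not, while a TOTP secret lives on exactly one device and is gone with it unless the same secret was provisioned to a second authenticator at setup.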
I hate all lawsuits. Human beings need to turn the other cheek even in the worst of times. With that said, I couldn't help but shake my head in sympathy when I spotted this article. I hate 2FA about as much as lawsuits. I try to keep that bothersome thing disabled wherever possible, on all my devices. I don't use iCloud Keychain because I prefer 1Password, but I believe it requires 2FA. It really needs to be up to me how much or how little security I think I need or want. I don't want to be forced to use 2FA in order to enable features. A lot of security nuts will laugh and mock at this kind of thinking, but everyone is different and should be allowed to choose the path that best suits them, without being told features will be disabled if 2FA isn't enabled.
Yeah, this person can go fuck themselves, along with the lawsuit. Remember how many lawsuits were thrown at Apple after the iCloud "hack" (which wasn't even a hack).
"First, Plaintiff has to enter his selected password on the device he is interested in logging in. Second, Plaintiff has to enter password on another trusted device to login. Third, optionally, Plaintiff has to select a Trust or Don't Trust pop-up message response. Fourth, Plaintiff then has to wait to receive a six-digit verification code on that second device that is sent by an Apple Server on the internet. Finally, Plaintiff has to input the received six-digit verification code on the first device he is trying to log into. Each login process takes an additional estimated 2-5 or more minutes with 2FA."
This is such a load of shit as well. 2-5 minutes? Just tried it now and the entire process took less than 10 seconds.
Honestly, these plaintiffs and the lawyers should be punished for such blatant lies in such a grotesquely disgusting attempt to enrich themselves.
And for those of you here shitting on 2FA, I haven't seen a SINGLE reasonable alternative proposed. I guess that would actually require some mental energy. Because, none exists. At least not something that would work for most people, under most situations.
Hey Slurpy - your usual "11+ on the dial" response I see - but pretty accurate nonetheless.
Good security is hard and takes some time and commitment. There are always better use cases that I think Apple incrementally tries to work towards - I do think Apple is committed to user privacy.
I suspect the lawsuit (and all the usual whining here) are merely from fools who would just like to open their kimono and enjoy the consequences.
I would agree with the lawsuit. The two factor authentication process is time consuming and inconvenient for the users. Apple should work on another way to strengthen security. What happened to Apple’s simple and intuitive philosophy?
Yeah, I can see where 22 seconds periodically would be a major drag on your day.
Don't you have to voluntarily opt-in to Two factor?
So can you not use an Apple product without passwords? I use a passcode and finger print scanner on my OnePlus phone, but it's not a requirement. Seems as though it should be optional. But 22 seconds is 22 seconds and isn't that much time if you are authenticating other devices.
It seems to me people are getting dumber in using technology. Rather than try to learn how to make 2 factor authentication easier by using products that support it and make your life easier, they resist and want to make it so they don’t have to do anything, remember anything and not ever worry about the security of their AppleID or iCloud data.
These are the same idiots who don’t back up their devices and think it’s Apple’s fault when they stop working and their data is lost.
If you want to make it easier to have your ID compromised, then turn off 2 factor for now and don’t ever expect to be able to upgrade your OS. Or even better, get the hell off of Apple’s ecosystem and use android. Then you will really understand the importance of securing your data.
Otherwise, use utilities like Authy and OTP Auth to help make the inconvenience of having to verify your identity much easier and quicker.
2 factor is important now that other countries are working to hack your data to get your info for future manipulation of our elections and our country’s interests, both foreign and domestic.
CheeseFreeze said: Now, Apple’s 2-way-authentication is notoriously bad (it often gives me the authentication code on the same machine that requested it - defeating the purpose, and yes it’s slow), but what options do they really have?
You might find some of these experiments interesting:
https://www.google.com/amp/s/www.kaspersky.com/blog/multi-factor-authentication/9669/amp/
techno said: "...significantly increase the complexity..." Really? It hardly takes more than 15 seconds. Apple "nags" the user for very good reason, to protect the user.
Exactly!