Shakespeare has a line that correctly describes this situation. If you know it, please step forward and move to the front of the queue. If you don't, you may be the problem.
So can you not use an Apple product without passwords? I use a passcode and fingerprint scanner on my OnePlus phone, but it's not a requirement. Seems as though it should be optional. But 22 seconds is 22 seconds and isn't that much time if you are authenticating other devices.
You're confusing password authentication with 2FA. They are not mutually exclusive.
You can use password, Face ID, Touch ID, or any other authentication mechanism in a 2FA implementation.
Now, Apple’s 2-way-authentication is notoriously bad (it often gives me the authentication code on the same machine that requested it - defeating the purpose, and yes it’s slow), but what options do they really have?
I've often wondered about this...I guess with all my devices synched via iCloud, getting code on same device requesting is bound to happen. Not good from a security point of view, but it is, um...convenient.
Strange that this hasn't been thought through though. I would think some sort of check could be put in place to determine which iCloud connected device is requesting the 2FA, and to omit it from the code distribution. Would be good to include a note explaining to the requestor that the code will be on another one of their devices, and if one is not available, what to do.
Perhaps the initial 2FA sign-up/registration process should require at least one (with more than one recommended) alternate destination(s) for code distribution such as a non-device specific landline or email--but that the process would only distribute to the alternate if another iCloud device is not detected or a code is not authenticated by the user within a period of time.
PS: What has thrown me off is where to enter the authentication code. I forget how exactly this happened to me, but I think it was when I was re-purposing an old iPhone to be an iPod. Maybe while connecting it to my iCloud account? I think we're supposed to enter the code after the password in the password entry box, right? Anyway, it wasn't clear to me at the time, and I entered the code in the password field all by itself (without the password). Thinking I mis-typed, I ended up making too many attempts and had to reset my password. This was a bigger deal than I thought because of how many Apple devices and services I have that are connected to the account. I had to re-enter my new password in a bunch of places! I think it would be better if there was a third dedicated entry box for authentication code, after the User ID and Password entry boxes.
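The routing policy sketched in the comment above (send the code to every trusted device except the one asking, tell the requester where to look, and only fall back to an alternate destination when no other device is available or the code goes unconfirmed for a while) as an added example. This is not part of the thread and not Apple's implementation; it assumes a hypothetical Account/Device model, constructed sample devices, a 60-second wait before falling back and a five-minute code lifetime.

```python
"""Added example (hypothetical model, not Apple's code): route a 2FA code to
trusted devices other than the requester, with a timed fallback to alternates."""
from dataclasses import dataclass, field
import hmac
import secrets

CODE_TTL_SECONDS = 300        # assumption: a code is valid for five minutes
FALLBACK_AFTER_SECONDS = 60   # assumption: wait a minute for a trusted device first


@dataclass
class Device:
    device_id: str
    name: str
    online: bool = True


@dataclass
class Account:
    trusted_devices: list                             # Device objects enrolled at 2FA sign-up
    alternates: list = field(default_factory=list)    # e.g. "sms:+15550100", "email:a@example.com"


@dataclass
class Challenge:
    code: str
    requester_id: str
    created_at: float
    sent_to: list = field(default_factory=list)       # destinations the code was delivered to
    fallback_released: bool = False
    verified: bool = False
    attempts: int = 0


def deliver(challenge, destination):
    """Stand-in for a push/SMS/email sender: just record where the code went."""
    challenge.sent_to.append(destination)


def release_fallback(account, ch):
    """Send the code to the alternate destinations, or explain the recovery path."""
    if ch.verified or ch.fallback_released:
        return "No further action needed."
    ch.fallback_released = True
    if not account.alternates:
        return ("No other trusted device or alternate destination is available; "
                "use your account recovery process.")
    for dest in account.alternates:
        deliver(ch, dest)
    return f"The code was also sent to: {', '.join(account.alternates)}."


def issue_challenge(account, requester_id, now, code=None):
    """Create a code and route it to every online trusted device except the requester.

    Returns (challenge, message_for_requester); the message says where to look
    and, when no other device is available, what to do instead.
    """
    code = code or f"{secrets.randbelow(10**6):06d}"
    ch = Challenge(code=code, requester_id=requester_id, created_at=now)
    others = [d for d in account.trusted_devices
              if d.device_id != requester_id and d.online]
    for d in others:
        deliver(ch, d.device_id)
    if others:
        names = ", ".join(d.name for d in others)
        return ch, f"A verification code was sent to your other device(s): {names}."
    # No other trusted device: go straight to the alternate destination.
    return ch, release_fallback(account, ch)


def maybe_release_fallback(account, ch, now):
    """Called on a timer: after FALLBACK_AFTER_SECONDS without verification, fall back."""
    if ch.verified or ch.fallback_released:
        return None
    if now - ch.created_at >= FALLBACK_AFTER_SECONDS:
        return release_fallback(account, ch)
    return None


def verify(ch, submitted, now, max_attempts=5):
    """Constant-time comparison with expiry, single use and an attempt limit."""
    if ch.verified or now - ch.created_at > CODE_TTL_SECONDS:
        return False
    if ch.attempts >= max_attempts:
        return False
    ch.attempts += 1
    if hmac.compare_digest(ch.code.encode(), submitted.encode()):
        ch.verified = True
        return True
    return False


if __name__ == "__main__":
    # Constructed sample: the iPad is signing in, so the code goes to the iPhone only.
    acct = Account([Device("iphone", "iPhone"), Device("ipad", "iPad"),
                    Device("mac", "MacBook", online=False)], alternates=["sms:+15550100"])
    ch, msg = issue_challenge(acct, "ipad", now=1000.0)
    print(msg, ch.sent_to)
    print(maybe_release_fallback(acct, ch, now=1061.0), ch.sent_to)
```

The requester never appears in `sent_to`, which is the whole point of the check; the alternate destination (the weaker SMS/email path) is only used once the stronger path has been given a chance, and a code is single use, expires and is rate limited regardless of how it was delivered.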
I have 2 factor on everywhere I can. You want to know who is the worst? It's Amazon!!! Why? Because every time I go there, no matter the device or browser, it always wants me to enter the second factor. Even though there is a check box there to remember your device so that you don't have to keep entering. It does nothing!!!!
Still, I've had people get into my accounts. The worst so far was Paypal. Now I use completely random 20+ digit passwords that are different everywhere and turn on 2 factor everywhere I can. It's a little more of a hassle, but it's better than my accounts getting broken into by others. I use LastPass as a password manager, which these days is a must have.
Apple's Keychain is OK and free, but way too limited for my needs, so I turned it off. This lawsuit needs to be tossed. It's just crazy.
I would agree with the lawsuit. The two factor authentication process is time consuming and inconvenient for the users. Apple should work on another way to strengthen security. What happened to Apple's simple and intuitive philosophy?
I got a great idea for you: switch to an Android phone. You obviously are not happy with the security systems provided by Apple. You probably shouldn't own any of their products. “Hey Alexa, make my phone less secure please.”
I would agree with the lawsuit. The two factor authentication process is time consuming and inconvenient for the users.
Has it occurred to you that:
1. Apple didn't invent two-factor authentication; it's an industry security standard.
2. Apple did not create the security issues that forced the necessity of 2FA: users did.
Where are the lawsuits against Windows and Android for largely creating the problems that led to needing such strong security measures? Where are the lawsuits against the users who insisted on no passwords or "12345" passwords that largely made 2FA a necessity?
Such a reversal will need an equally strong security to prevent bad guys from turning off your 2FA at will. That means you'll need your 2FA to turn off your 2FA, which won't help the plaintiff anyway when he's already in trouble. :-)
No, not if it works such that when you're authenticated and into your account (i.e., already authenticated using 2FA) then you can turn it off.
patsu said: There is already a fallback when your trusted devices are unavailable. It's your trusted phone numbers:
You'll receive the code via text or an automated call.
So much for any security of 2FA, then.
patsu said: Other companies like Microsoft use this awfully silly long code as your last backup code. Everyone has to write or print it for safekeeping. I never remember where I keep that piece of paper. So it's completely useless in this regard.
A home safe? But, then yeah, it wouldn't help you while traveling. But, it's more secure than Apple's 2FA (w/ security questions and that backup SMS). If you have a low-tech, low-security path in, then the whole system is compromised by that. At least if it's a complex code you keep in your safe, it is a relatively high security entry point on the scale of the on-line world. Security questions and SMS are hackers' dreams.
I don't use iCloud Keychain because I prefer 1Password, but I believe it requires 2FA.
Kind of. It requires a 'secret key' in addition to your account/password to set any device up (or, login via website). So, I guess if you were traveling and lost your only device, then you'd be out of luck unless you could call someone with access to your safe (or some place you store that secret key). So, yeah, it's a form of 2FA but IMO, preferable to low-security stuff like questions, SMS, etc.
sumergo said: Don't you have to voluntarily opt-in to Two factor?
Yes, but Apple keeps pushing it in front of your face at OS updates or 'ToDos' in settings... and when you go into the UI in those cases, you have to hit the 'skip' or 'not now' instead of taking the path Apple wants you to take. So, yes, I guess you can opt-out and technically are opting in by following Apple's excessive prompting.
hammeroftruth said: These are the same idiots who don’t back up their devices and think it’s Apple’s fault when they stop working and their data is lost.
No, more like I'd include Apple in the fault if they include backup functionality that routinely fails to work properly, or make the system such that it's really hard to backup and restore independently (i.e., iOS).
hammeroftruth said: 2 factor is important now that other countries are working to hack your data to get your info for future manipulation of our elections and our country’s interests, both foreign and domestic.
LOL, Russia under your bed? It's important to differentiate between real threats and propaganda devised to advance the Industrial Military Complex™ or Rock The Vote ___insert political party here___™.
roundaboutnow said: Strange that this hasn't been thought through though. I would think some sort of check could be put in place to determine which iCloud ...
You'd think iCloud would have been thought through, for sure. But, given the history of it, it seems more a hodgepodge of non-thought-through tech that has been slowly improved to the point of being somewhat usable. Anyone remember MobileMe? If the 'sends it to the device that requested it' is indeed the case, it probably is just one of the many holes yet to be plugged. Same with the login messages constantly popping up on my devices, or worse, the dialogs with previous email addresses of my Apple ID that I can't possibly authenticate (with no way to fix).
Apple builds really nice hardware (when they aren't trying to 'innovate my a--') and used to have really good (in comparison) OSs, but their services and often apps have been pretty poor in terms of functionality or even reliability.
roundaboutnow said: PS: What has thrown me off is where to enter the authentication code. I forget how exactly this happened to me, but I think it was when I was re-purposing an old iPhone to be an iPod. Maybe while connecting it to my iCloud account? I think we're supposed to enter the code after the password in the password entry box, right? Anyway, it wasn't clear to me at the time, and I entered the code in the password field all by itself (without the password). Thinking I mis-typed, I ended up making too many attempts and had to reset my password. This was a bigger deal than I thought because of how many Apple devices and services I have that are connected to the account. I had to re-enter my new password in a bunch of places! I think it would be better if there was a third dedicated entry box for authentication code, after the User ID and Password entry boxes.
Yeah, that's the kind of thing I mean by thinking it through. Apple used to really think through UI stuff, at least. They don't seem to much anymore. Same thing for entering your Apple ID in particular. There should be *****ONE***** place in the settings where you go to enter your Apple ID. Any service that needs you to do so, should direct you there. Any service that needs that info should be authenticating based on that. NOT random dialog boxes popping up anywhere, anytime asking for you to login. That's just plain stupid UI design, as well as really horrible security procedure.
I don’t think this warrants a lawsuit, but let me tell you a story.
1. I sent my iPhone 6s in for a battery replacement.
2. One day, I woke up and thought “I’m going to wipe my iPad clean”. Background: I actually do this several times a year, usually after a significant OS upgrade. It also cleans off any games, junk, etc. that I don’t really need. I do this with the knowledge that I don’t use backup, but my contacts, calendar, shortcuts, passwords will sync back.
I think you can see my problem. My 6s has been gone 10 days at this point, and it took a full 2 weeks to get my phone back (bad Apple).
Anyways, my wiped iPad boots up but I run into 2FA to set up the iPad. I know everything I need to know (password to Apple ID) but what I don’t have is my 6s. (Apple sends the code to the 6s and there’s no alternative).
I also don’t know my email password because it’s saved in Keychain.
At this point, I also don’t know what happened to my phone. It should be fixed (it was just a freakin battery) and as of the previous day I’d already reached the highest level of support. (There was no update on Apple’s site that they even received it). The nice support lady, wanted to call me with an update... no phone. So, we agreed on email... now no email.
Fortunately, I remembered that I removed the SIM card. So, I went to my T-Mobile store and used a display phone to authenticate. Got my iPad up and running and found my iPhone was found/done and being shipped back.
Moral of the story is 2FA is great, but I really want it tied to something other than an iDevice, like a YubiKey.
So, the lawsuit isn’t entirely frivolous. I also didn’t enable 2FA for my Apple ID... I do want 2FA to log into my devices, but that’s not currently an option. I don’t care as much about my Apple ID password; it’s really, really complex... as in come back in a few 100 million years (cracking it with today’s tech).
Yep. Try having your phone stolen.
2FA is a pain. Better to just choose a good password.
On the same idea, maybe worse is CAPTCHA. Sure, choose which of the blurry photos is a store front, or a car, or a street sign. No, I'm not a robot, but robots are better at this shit than I am. A better Turing test is which pictures do computers get right but people get wrong.
I would agree with the lawsuit. The two factor authentication process is time consuming and inconvenient for the users. Apple should work on another way to strengthen security. What happened to Apple's simple and intuitive philosophy?
Other way is: don’t turn it on or move to Android.
While I usually hate these ridiculous types of lawsuits, I would wholeheartedly agree that once you're stuck in this process it's infuriating! I think it's presumptuous to assume that a person would necessarily have/want a trusted device handy. Plus, maybe I'm just unlucky but it seems to take 2 attempts to get a code at least half the time.
2FA isn’t perfect, but it’s a heck of a lot better than just a password. Even if you use a complex unique password for your Apple ID, 2FA provides an additional layer of security if there’s a compromise. Most end users don’t think about information security best practices until a compromise has already occurred. This lawsuit is a waste of any court's time.
Do lawyers go to special law schools to represent these cases?
Oh wait, they don't have deep pockets.
Nearly every one of the scenarios presented in the comments is addressed in the Apple support document about 2FA:
https://support.apple.com/en-us/HT204915#FAQ