I don’t think this warrants a lawsuit, but let me tell you a story.
1. I sent my iPhone 6s in for a battery replacement.
2. One day, I woke up and thought “I’m going to wipe my iPad clean” - Background: I actually do this several times a year, usually after a significant OS upgrade. It also cleans off any games, junk, etc. that I don’t really need. I do this with the knowledge that I don’t use backup, but my contacts, calendar, shortcuts, passwords will sync back.
I think you can see my problem. My 6s has been gone 10 days at this point, and it took a full 2 weeks to get my phone back (bad Apple).
Anyways, my wiped iPad boots up but I run into 2FA to set up the iPad. I know everything I need to know (password to AppleID) but what I don’t have is my 6s. (Apple sends the code to the 6s and there’s no alternative).
I also don’t know my email password because it’s saved in Keychain.
At this point, I also don’t know what happened to my phone. It should be fixed (it was just a freakin battery) and as of the previous day I’d already reached the highest level of support. (There was no update on Apple’s site that they even received it). The nice support lady wanted to call me with an update... no phone. So, we agreed on email... now no email.
Fortunately, I remembered that I removed the SIM card. So, I went to my T-Mobile store and used a display phone to authenticate. Got my iPad up and running and found my iPhone was found/done and being shipped back.
Moral of the story is 2FA is great, but I really want it tied to something other than an iDevice, like a YubiKey.
So, the lawsuit isn’t entirely frivolous. I also didn’t enable 2FA for my AppleID... I do want 2FA to log into my devices, but that’s not currently an option. I don’t care as much about my AppleID password it’s really really complex... as in come back in a few 100 million years (cracking it with today’s tech).
That said, it was a real problem for a friend in Europe who had his phone stolen, bought a new one, but wasn’t able to activate it without 2FA. He had traveled with his Apple Watch but Apple didn’t allow 2FA to go to it, because it needed the phone to set it up. So he was unable to download his contacts and info. At some point, people need to be able to deal with these kinds of issues without traveling with an electronic arsenal. That’s where a simple dongle would be helpful.
To me, complaints that 2FA is a fail because “what if you don’t have your other device?” is like complaining about computers not working when you don’t have electricity.
Wow, I got pissed with Apple's approach to password and identity management helping multiple family members with their Apple accounts, but I never thought wow I should file a lawsuit. I would probably sue my family members for not using Android, where Google has a way more convenient, smarter, platform-independent authentication system.
And an OS more vulnerable to security threats, woot. Oh and data-mining. Go family.
There is something to this. I seem to remember Apple forcing 2FA in order to use all of the iCloud services. I think later they relaxed this rule. Make no mistake. There are far worse consequences than Apple losing lawsuits or even being sued over seemingly frivolous things. Think about how frustrated the customer must be to actually carry out this lawsuit. You know it and I know it. Apple's security measures are a major pain in the ass. Faaaaar outreaches its usefulness. If Apple keeps this up, it will continue to see its userbase shrink/sales fall. iPhone X series phones, HomePod, FLOP FLOP.
Wishful thinking on your part. X was a huge seller, sold more than the 8. HomePod is leading the expensive speaker market last I heard. Regardless, neither are flops considering their profitability... worshipping at the Church of Market Share is as silly as worshipping in a church.
There is something to this. I seem to remember Apple forcing 2FA in order to use all of the iCloud services. I think later they relaxed this rule. Make no mistake. There are far worse consequences than Apple losing lawsuits or even being sued over seemingly frivolous things. Think about how frustrated the customer must be to actually carry out this lawsuit. You know it and I know it. Apple's security measures are a major pain in the ass. Faaaaar outreaches its usefulness. If Apple keeps this up, it will continue to see its userbase shrink/sales fall. iPhone X series phones, HomePod, FLOP FLOP.
One of the most patently idiotic fucking posts I've ever read on the internet. iPhone X series a "flop"? Tying HomePod's success to 2FA? Claiming this proves Apple's customers are "frustrated", even though everyone who is involved in this class action amounts to maybe a blade of grass in Apple's football field of marketshare? Well done, you deserve an award.
Can someone explain this to me? It requires less than a minute of time over the course of a year...
I work in a secure area which allows me a sandboxed Internet connection but no other devices. If I have to sign in with two-factor authentication at my desk, I have to start the process, go out of the area to get access to my phone, get the code, go back into the area, and type in the code. Yes, it's inconvenient, but I've also learned one thing when it comes to security: security and convenience are mutually exclusive goals. If it's convenient for me, then it's likely convenient for someone else to hack into.
I want to sue Apple for providing those security options at all.
They create the society of mistrust.
We need to be open, and trust others. Everything starts with example.
That's why I never close a toilet's door.
Well, my mom is always unhappy with me doing that. But hey. What does she know about building the society of trust?
What a moron. If anything, users should sue Apple for forcing them to use an E-mail address as their user ID, and refusing to consolidate the resulting multiple Apple accounts that people inadvertently set up. The lay user can easily then lose apps or other content that they've purchased with old Apple IDs, when their E-mail address changes (with a job, ISP switch, whatever).
The stupidity of using an E-mail address as a user ID is neatly summed up here: https://goldmanosi.blogspot.com/2012/06/forcing-people-to-use-e-mail-address-as.html
Agreed! Email address as user ID is beyond stupid for so many reasons. I help a lot of friends and family members with their Apple products and this issue has reared its head multiple times. I can only imagine how it must drive Apple support employees crazy.
Lots of silly and extreme reactions on both sides in this thread. Obviously the lawsuit is b-s overkill, but Apple can and should make its 2FA less clunky and easier to deal with. Google had started doing 2FA a while ago (as do many credit card companies and financial websites, as well as government websites like www.sam.com), and it's just so much easier than Apple's.
And, there is no valid reason for Apple to disallow someone -- even if you think they are stupid -- from turning it off. For example, all manner of basic Apple security features can be turned off (e.g., passcode, TouchID, FaceID, if you don't want to use ApplePay) after you try it out and see if it works for you.
The plaintiff is worried about the extra time of 2FA? How much time has he spent on the lawsuit?
And here's what I don't get: the only time I see a 2FA message is when I go into iCloud. But maybe I didn't turn on 2-factor authentication. One thing I do agree with: the user should be able to shut it off.
Also, someone posted that they didn't know their password because they were using an Apple password stored in Keychain. But assuming you know your Keychain password, you can access your other passwords.
Having said that, when you change a password in an application, Keychain still keeps your old passwords and displays them in the app. That's very confusing. When a password is changed, the old passwords should disappear from the list. Keychain also seems to store redundant entries,
patsu said: Not really. You'll still be asked for your password again even if you're logged in (just like when you try to change your password).
Bottomline is downgrading a 2FA account is bad news. It weakens the 2FA for people who adopted 2FA.
I've turned off 2FA on several other major services, and can turn it on/off as needed. Either every one else doesn't know what they are doing, or Apple is trying to hook people in with no way out. I'm pretty sure it's the latter.
patsu said: Had lost my phone temporarily before. Not a big deal. My iPad is easily accessible even on a trip.
1 iPad is not an arsenal. I use it for bedtime reading and trip research anyway. :-)
Yes, I also almost always have 2 devices with me when I travel as well. But, that's not really the point. What about people who only have 1 Apple device? And, most of the time when I'm out and about, I only have my phone.
Are there alternatives to two-factor authentication? Sure, how about Apple actually determining who I am? If Apple is too cheap to come up with their own way, why don't they just use something that we already use to prove our identity, like our passport or other valid IDs? And I could show my physical IDs to an Apple representative in a FaceTime session, since that technology works fine. I know half of you will think I'm joking, but I'm not. I understand each nation has its own ID documents, but Apple is big enough to handle that.
No, I don't think that's crazy at all. But, just like banks, they just want to play security but not really go to that extent of trouble/time/cost. The dead giveaway to this is those stupid in-security questions. No matter how good the security, if someone knows those, they can just make a phone call.
The ID one is a pretty good idea, unless you're traveling. I'm not sure it's a good alternative to 2FA, but it should be an alternative to security-question unlocks. If someone locks themselves out of their account for whatever reason, the person could go to an Apple store (or other authorized places) and present their ID to unlock. It's not perfect either, but it's way better than how most companies currently do it.
I’ll just say that two factor identification is one thing when it’s your account and your computer. And you know everything in memory.
And it’s another thing for say my parents in their 80s to know all of this. They don’t have smart phones (don’t want them either and yes I’ve tried) so can’t receive text messages via mobile. ... The thing that bugs me the most, is that after I have all of the devices there and I’ve entered all of the passwords and done everything, it seems like minutes later I can get asked to enter all of that information again. That is extremely tedious when you’re doing that for somebody else. Seriously Apple if you just asked me for the password a minute ago don’t bother me with that again for 15 more minutes at least please.
Exactly. This is why it should be optional.... WITHOUT Apple trying every trick to 'opt-in' people.
And, you're absolutely right that the current authentication system is a mess. I get the impression that there are a dozen independent 'services' on the device that all get to pop authentication dialogs at will. Heaven help you if one of those 'services' misses that you changed email address and/or gets out of sync with the others. And, the worst part is that by doing it this way, Apple is just training their users for every phishing attempt they will run across.
USMC5939 said: What are you people doing that requires 2FA codes all the time?
I'm not sure... but I also don't know what I'm doing that would make my iPhone ask for my Apple ID password - sometimes several times within 10 minutes - either. I guess without knowing better, I'd chalk it up to Apple's half-a--'d software.
So beyond all the posts saying this guy's an idiot, or 2FA sucks, what is the actual standing for this suit? To file suit, you have to show damages - is he arguing he should be paid for the extra 20 seconds? Since an Apple ID and iCloud account is a free service, he can't claim damages there. I admit that I haven't read Apple's terms of service, but I'm guessing there's something in there about security as well...
In reading articles on other sites, it seems the primary complaint isn't about the time, but about not being able to turn it back off after like 15 days. While I'm not sure how that will prove damages or whatever, THAT is a completely legitimate thing to complain about and try to reverse. If it takes a lawsuit to pull that off, I say more power to these people!
Two factor authentication as implemented is far too complicated for my 80 year old mother to use. I would prefer biometrics plus a code as the second factor.
It's too complicated - apparently - for many of us tech veterans as well... so, one can only imagine the average user, let alone people's less-than-tech literate relatives.
So on the one hand we have an AI editorial decrying Apple’s bug bounty program has made us all less safe. On the other hand we have people here supporting this lawsuit against Apple to force them to make us less safe. Does anyone see the irony here? The sheer cognitive dissonance, the unbridled hypocrisy? So those who support this lawsuit want the option to be less safe but turn around and demand Apple pay huge bounties for bugs so they can be more safe.
I'm failing to see how someone turning off, or not using 2FA, makes you less safe. And, there's a huge difference between OS-wide security holes and someone deciding that strong, unique passwords are plenty enough given their circumstances. No hypocrisy at all, just a bit of tech common sense.
StrangeDays said: To me, complaints that 2FA is a fail because “what if you don’t have your other device?” is like complaining about computers not working when you don’t have electricity.
No, the problem is that - in certain situations - it raises the complexity level so much more that you might temporarily, or permanently, lose data... that it might not be worth the risk/reward ratio.
StrangeDays said: ... is as silly as worshipping in a church.
??? (Romans 1:21-22 ? I'm starting to understand you better, though.)
HeliBum said: Yes, it's inconvenient, but I've also learned one thing when it comes to security: security and convenience are mutually exclusive goals. If it's convenient for me, then it's likely convenient for someone else to hack into.
Yes, but there is also 'secure enough.' There are hundreds of ways we could all increase the security in our lives far more than we do. But, at some point, you have to decide what tradeoffs you're willing to make. And, that's the point of all this... WE should be able to decide, not Apple, when it comes to something like this.
Are there alternatives to two-factor authentication? Sure, how about Apple actually determining who I am? If Apple is too cheap to come up with their own way, why don't they just use something that we already use to prove our identity, like our passport or other valid IDs? And I could show my physical IDs to an Apple representative in a FaceTime session, since that technology works fine. I know half of you will think I'm joking, but I'm not. I understand each nation has its own ID documents, but Apple is big enough to handle that.
When I booked my first AirBNB I had to verify my identity. For a number of reasons, one of the ways offered which I chose, was recording a short video of myself and uploading it. It is a bit surprising that people are resistant to that kind of technology. Even casual or professional meetings: people would rather exchange photographs to identify themselves than real time video, despite the latter easily being available on everyone’s phone.
You can do it from your Mac or even have verification code go to your Apple Watch I think. Additionally you can add a second trusted phone number for occasions such as yours when you don’t have your iPhone - even a landline, where you receive an automated call in lieu of a text verification.
The problem is, it's not very clear how you can configure it so you're able to use 2FA when your primary device is not available. This is not a frivolous lawsuit. Hopefully it forces Apple to improve 2FA.
I had 2 problems with 2FA. The first was when someone took my iPhone by accident. I tried logging into the iCloud web site to findmyiphone, but it required 2FA. They have since changed that, but at the time, my only choice was to change my password. Fortunately I got it back a short time later. The other time was the other day when a charge to my wife's iTunes account was partly to store credit and part to my account (as part of the family group). I couldn't log into her iTunes account because it required 2FA going to her phone which was with her in another city. I had to wait until later in the day to check it.
Odd thing is I have never found it time consuming or annoying. I have iPhones, iPads, Macs and Watches in this household and the system seems to work flawlessly.
Odd thing is I have never found it time consuming or annoying. I have iPhones, iPads, Macs and Watches in this household and the system seems to work flawlessly.
Of course you are everybody, so that must be a bit odd.
spacekid said: The other time was the other day when a charge to my wife's iTunes account was partly to store credit and part to my account (as part of the family group). I couldn't log into her iTunes account because it required 2FA going to her phone which was with her in another city. I had to wait until later in the day to check it.
Yeah, this kind of thing is a big problem for formal or informal tech help situations, or as you say, even administering your own family.
First off, I think a lawsuit is frivolous. That said, when Apple introduced 2FA it was very problematic for me. Sometimes the 2FA never appeared on the second device. Sometimes it took a long time to show up and so I requested it again, which caused problems because I ended up entering the first code when I guess it was expecting the second code. These were just some of the problems. It was indeed so problematic that I avoided 2FA at all costs for as long as I could. However, Apple’s merciless nagging and my family turning it on by mistake forced me into it. All that was some time ago. Now, it seems to work quickly and flawlessly and I have no issue with it, but it was certainly not that way at the beginning.
They should sue.
Our company now has a dozen useless iPads because someone put a mobile number in the iCloud that is not ours. Guess where they send the two-factor authentication to..... I can only see the code on "the other device..." which of the 22?
Apple support.....just does not know. They advised us to create a new Apple ID, what a laugh.
This company gets more stupid every year.
Why do we have the secret questions? Can't they do something for us???
Check out Louis Rossmann on YouTube, you'll see.
What if you lost that dongle? It’s so small.