As I stated before. You signed up with your specific device and therefore it is trusted. You’ll receive the code on every trusted device. So in case someone knows your Apple ID credentials, your system password and is in possession of your trusted device, 2 factor authentication is not gonna protect you. But in that case something else seriously went south. If you try to login to iCloud.com on a public computer via browser you will need one of your trusted devices to receive the code.
Then why does it bother asking for a code at all when you are on your “trusted device” if it’s just going to give it to you anyway?
 
Then why does it bother asking for a code at all when you are on your “trusted device” if it’s just going to give it to you anyway?

Yeah. This issue is weird. If I’m on my trusted device then it should know that regardless of if I’m logging in in a different browser on that device for the first time or whatever.

I don’t get it. I hope they figure this one out.
 
While it certainly does sound frivolous I do find it interesting that two weeks is also the limit for returning a purchased item to the Apple Store. If Apple wants to make two factor a requirement then they really should turn it on right out of the box and provide no option to the end user to turn it off.
 
While it certainly does sound frivolous I do find it interesting that two weeks is also the limit for returning a purchased item to the Apple Store. If Apple wants to make two factor a requirement then they really should turn it on right out of the box and provide no option to the end user to turn it off.

I'm guessing the reason is there will be some people who either don't understand what it is or how it's used. And after enabling it without that understanding, cannot make it work for them - for whatever reason. Two weeks should be enough time to make that determination and go back if people are still not getting it.

If you have a tech background it all makes sense and is a no-brainer. Easy to use and provides enhanced security.

If your background isn't in tech, I can see how many people would not understand the logic behind it or how to make it work for them. I think this is an area Apple can put its resources to use to make it easier to understand and use.
 
I'm not convinced this is a frivolous lawsuit.

I use two-factor authentication all the time for connecting to client firewalls, VPNs, and other secure services and devices. Authy does two-factor correctly: you have to launch the application on your Mac or iPhone, and enter the six-digit code it gives you.

Apple does two-factor both incorrectly and stupidly: it pops up a six digit code, OFTEN ON THE SAME DEVICE YOU'RE TRYING TO LOG IN FROM, that you need to enter. Sometimes, it goes through this process TWICE. Sometimes, you have to append the six digit code to your login. In some cases, Apple will require a user to go through their two-factor waste of time several times when setting up a new computer.

And don't even get me started about how lame Face ID is compared to Touch ID!
 
Unpopular opinion here, but 2FA can be inconvenient if you actually want or need someone else to be able to manage your account regularly. The whole point is to make sure "nobody else can access your account, even if they know your password." But what if I want someone else to be able to access my account, who doesn't have access to my devices? Actually didn't even know you were forced to keep 2FA on after 2 weeks, glad I saw this article -- I'm keeping 2FA off as long as they allow me to.

(Just one example - a friend and I went in together on an Apple dev subscription for a couple years until they made local device testing free, and we did it by sharing my Apple account password. Of course Apple would have preferred we each pay, but we were just getting started and a joint investment made more sense.)

I've also just been a little too weirded out by the idea that if you actually lost your iOS devices (stolen, damaged, etc.) you could be forever locked out of your Apple account if you misplaced or lost (or was damaged) a piece of paper with some kind of recovery code. And of course the main thing you'd lose if that happened is all the stuff you paid for that's linked to your account, so I'm sure Apple would be happy for you to make a new account and purchase everything all over again.
 
Yeah. This issue is weird. If I’m on my trusted device then it should know that regardless of if I’m logging in in a different browser on that device for the first time or whatever.

I don’t get it. I hope they figure this one out.

They do this because IMO Apple is all about the perception of security not necessarily the reality. Now don't get me wrong, Apple's reality is better than the others' perception or reality, the others just don't care. But in the end, given real security (at a high cost) or the perception of security at a low cost, Apple will choose perception every time, thanks to Mr. Cook.

Banging people around for two factor authentication makes users feel better at night. At least if the users are idiots. Think about it, if someone steals or accesses my device while it's not locked (like walking away from a work iMac), what good is two factor authentication? Search the web, there are a number of ways to get around two factor authentication. Secure two factor authentication is only really secure when the authentication device is completely separate and requires a password every time to view the authentication code.

It's the same reasoning that occurred during the initial flying days after 9/11. Airline security broke the nail file off of the nail clippers. They had to do something to convince stupid people (the masses) that they were doing something, and that no security action was too small, they did them all. The public idiots assumed that if they focused on these small items, then they must be really diligent about the big ones. We now know it was a farce, even today smuggled items succeed more than they are caught. They can't keep weapons and explosives off of planes. But everyone feels the false sense of security is worth the inconvenience it causes. BTW, I don't. Idiots don't mind giving up anything or everything as long as they feel better.

For example, why is two factor authentication at the account level and not the device level? When I am traveling I would use two factor authentication on my laptop, but when I am at home on my Mac, why? We have a security system and when we leave the Macs are shut down. I have no need for 2 factor on my Mac.

Of course if someone has gotten into my iPhone, all they have to do is tap yes to the 2 factor prompt. What good is that? See, it is security theater, where the real security has been eviscerated for ease of use, nothing more.

Yes, there are a couple of situations where 2 factor the way Apple does it might be beneficial, but in a lot of cases it is not, unless, of course, one does not know anything about security. In which case you are Apple's demographic. That is dumb enough to pay more for the perception of reality and don't care about what is really going on.
 
That seems odd. Why isn’t your phone with you? I think most people carry their phone in their pocket or similar everywhere. That thing has your entire life on it, including the key to this issue. I would think doing that would be the simplest solution to this problem for you?

Thanks but that isn't an option
 
Of course if someone has gotten into my iPhone, all they have to do is tap yes to the 2 factor prompt
Isn't that a bit like arguing, "If someone has already gotten into my home, what good is having a door lock?"
 
2FA cannot be turned off. That you did it once doesn't mean you can do it now. Even Apple states that it can't be turned off.

If it could be turned off do you really think they would have filed a lawsuit?

Read the article once more, this isn't a lawsuit about wasting time. The lawsuit alleges violations of the Computer Fraud and Abuse Act, which penalizes unauthorized computer access. Nowhere in the article (or in the lawsuit) does it state that Apple is liable for "wasting time"

The allegation is that they were given the option to use or not use 2FA, that a later upgrade forced 2FA without their knowledge, and that disabling it to revert to the settings they did select is not possible. This change without the user's permission constitutes unauthorized access under the Act.

The only reason the lawsuit makes allegations about the time it takes to unlock, etc, is to establish damages. Without damages, the lawsuit fails as a matter of law.
Read again
 
2FA has no effect on the govt and law enforcement's ability to access your accounts and data. Apple has recently created a special portal for authorities to streamline the process.
 
I'm surprised that Apple just doesn't force all users to use two factor authentication and be done with it.
Maybe in future iOS devices and versions you won't be able to upgrade until you enable it.
Once everyone is on two factor then they can start rolling out the next level like biometric authentication and eventually require it.
 
In fact there are lots of senior citizens who can no longer drive due to age, disability, etc. They are exactly the ones who may still be regularly using an iPad to read, FaceTime the grandkids, etc. and have a very hard time using two factor authentication - like the other device is in a different room - it is physically and/or mentally difficult for them to go there, it may involve going up or down stairs... Indeed, given the choice many old people beg for zero passwords, never mind 2FA.

Now, the lawsuit itself may be completely bogus, but your claim is even more bogus.

What did you say that is bogus? I was to the point and brief - leaning towards supporting 2FA.

I have a longer post; kind of solidifies the need for 2FA, esp. when people young and old put vital detail into their iPhone/iPad.

#157


KPandian1 said:

I hate giving up info to the data miners, still see the value in the 2FA.

The average John/Jane doesn't seem to understand the drowning that happens in identity theft. It is so easy for the thieves.

I have lost two "free" email accounts - Google and Microsoft - just by being careless enough to not logout of the account before logging in at another computer; it's complicated. However, the lesson learned is, how serious these services are about security.

The only peeve is that they keep asking for complicated passwords, which need to be changed every so often. Caps, numerals, special characters … it is impossible to keep in memory. Only way is to use a password program or meticulously write them down!

That is a lot to ask a 70-year-old retiree who is wading into online banking/billpay, smartphones, multiple devices, preference of feature phones, and all the phishing/hacking out there. Or, getting them to understand how devastating their final years can be if they do get their identity stolen.

Most people, young and old, don't even understand the concept of credit freeze. Still, learning and implementing these safeguards is not nuclear physics.
 
Seems if people want to disable this and stupidly reduce their personal security, it should be their right.

No, then they’ll sue Apple for “letting Plaintiff easily get hacked, by not making well-known security best practices mandatory.”

Apple’s 2FA is one of the easiest and most well-designed, and it seems completely reasonable that it can’t be turned off. For people who don’t have any other eligible device, they aren’t harmed because they don’t need to use it in the first place.
 
Apple's 2FA is the worst implementation I have ever seen or even heard of. A decent portion of the time the code doesn't get sent and even when it does work as intended, you need to grab that code from a different device.
 
2FA has no effect on the govt and law enforcement's ability to access your accounts and data. Apple has recently created a special portal for authorities to streamline the process.
The information about your account they can access is limited. It’s not simply they let law enforcement log in as you.
 
I appreciate the feedback. It’s not always easy to please everyone. I rarely add any opinion to my articles and try to stick to the facts. Had I not used the word “frivolous” here, though, there likely would have been a handful of comments asking “why is this a story?” This lawsuit contains multiple obviously false allegations.

My goal is to share new information about Apple. So, if they’re named in a lawsuit, regardless of how silly the complaint may be, then I aim to report the news. Perhaps I should stick to ignoring the comments asking why some topics are stories. It’s tough.

The lines between opinion and fact are increasingly blurred in our society. In this case, I don't think you would have been taken to task for reporting clear-cut falsehoods in the claim without labelling the lawsuit as frivolous.

As for 2FA, Apple's implementation can be quite confusing. As others have pointed out, it seems odd to be asked to enter a verification code that is sent to the same device that you're using to authenticate. Maybe Apple thinks that if someone steals your device, user name, and password, sending the 2FA notification to other trusted devices will alert you. I think they can do better.

Apple ID management is also a mess. I have two, one of which I'd like to drop. But all my app and media purchases are tied to it, and there's no apparent way to transfer them to the other account.
 
I think the lawsuit is more of a way to get Apple's attention than a serious case. If you contacted Apple directly with this request, you would probably be ignored.

I agree that there should be an option, without time limit, to disable or re-enroll into 2FA.

Some people will say that it's like pointing a gun at your foot, and they are probably right. But if it's my gun and my foot, then I should be allowed to take the risk if I want.

There also remains the risk of locking yourself out of your Apple ID if you only have an iPhone and use its number for SMS verification.

Apple Article HT204915 said:
If your iPhone is your only trusted device and it is missing or damaged, you will be unable to receive verification codes required to access your account.
 