Apple Sued Over Not Letting Customers Disable Two-Factor Authentication After Two Weeks

[Brandhouse]

I want to start a class action law suit against all the quacks, weirdos and I'm -not-responsible-for-anything's who dream up dumb stuff like this.

 

[bkaus]

I guess I'm in the minority here. I think it is ridiculous that Apple won't let people disable 2FA "after two weeks". This would sit better with me if there was a more obvious "off" switch, but it's quite hidden without a Google search on how to find it. For those who think the lawsuit is stupid, let me tell you that 2FA creates big problems when sharing an Apple ID aceross multiple devices in a family. Why should a teenager's iPod Touch have it's own Apple ID when they have permission to make purchases on their parent's account? Are they supposed to have their own credit card and Apple ID at 13 years old? Imagine that when the parent wanted to install an OS update on their MacBook Pro, it sent a 2FA authentication code to the kid's iPod Touch. I made up this scenario, but this was basically my experience except with different devices (iPhones, iPads, Mac Pro, and MacBook Pro) on the same Apple ID.

I remember the iPhone / iPad settings notification deceptively duped me into turning it on in the first place (some services will not be available until you sign into your Apple ID again, or some message like that...) I clicked continue and BOOM it's on and there. There wasn't sufficient disclosure that I was even turning it on! It wanted me to "sign in again" and put in the password twice and it turned it on. The settings page didn't mention what was really going on. I couldn't find an off switch for over a week until I finally searched for it and turned it off with a few days to spare before the two-week limit. It is ridiculous... I couldn't even do something on my Mac Pro without it pinging someone in my family's iPhone for approval because we're on the same Apple ID. Yeah... the first time it did that, I took care of the issue promptly. This isn't a big deal if there's one Mac and one iPhone, but it can get messy from there.

Family sharing. Much better solution and gives screentime monitoring.

 

[StrainedDig4]

Should have been 10 miles wide, 65 million years ago. Wouldn’t have this problem!

 

[Smearbrick]

Ah Journalism. Where have you gone?

 

[chinito77]

Frivolous indeed...

 

[Cmdrx3]

Yea, it's such a pain having to remember my PIN too. The ATM should just give me money.

That's not 2FA though is it. Your ATM doesn't send you a text message asking you to authenticate that you are using that ATM.
[doublepost=1549841180][/doublepost]

Is annoyed with the way a product works that he doesn't have to purchase.
Initiates class action lawsuit.
What.

Depends on whether the feature was added after he purchased his device.

 

[4jasontv]

How is it frivolous? Changing something about a product after you purchased it and being illegal seem like reasonable reasons to go to court.
[doublepost=1549841498][/doublepost]

Capital nonsense.

Want to expand on that? Are you agreeing or disagreeing with the post? If so why?
[doublepost=1549841661][/doublepost]

You can get the code sent as a SMS to the phone number you have added on the "My Apple ID" site.

Not if the sms isn’t delivered. They are rarely sent as standard sms, and I have this issue all the time where two factor codes are blocked as spam by my service provider.

 

[abhibeckert]

You had 14 days to turn it off, genius. Take some responsibility in your life for your own actions.

When I enabled 2FA on my account, it was a hoop I had to jump through maybe two or three times a year.

These days I sometimes I'm doing it several times in one day — it's very annoying and you might not realise that immediately.

Given the option to turn it off, I'd still keep it. But Apple needs to definitely needs to fix the frequency of confirmations and in the mean time it should be possible to disable the feature.

 

[Heineken]

When I enabled 2FA on my account, it was a hoop I had to jump through maybe two or three times a year.

These days I sometimes I'm doing it several times in one day — it's very annoying and you might not realise that immediately.

Given the option to turn it off, I'd still keep it. But Apple needs to definitely needs to fix the frequency of confirmations and in the mean time it should be possible to disable the feature.

So don't enable it if you have no clue what the implications are. Crybaby nation.

 

[racerhomie]

I’m pretty sure you can’t. My mom wanted it off because she doesn’t have a second device and she ended up just linking it to my sisters phone

Did that cause your mother irreparable harm?
[doublepost=1549843081][/doublepost]

When I enabled 2FA on my account, it was a hoop I had to jump through maybe two or three times a year.

These days I sometimes I'm doing it several times in one day — it's very annoying and you might not realise that immediately.

Given the option to turn it off, I'd still keep it. But Apple needs to definitely needs to fix the frequency of confirmations and in the mean time it should be possible to disable the feature.

You should check how many new devices have tried to login. Apple said in WWDC last year that 70%+ accounts on iCloud have 2FA. You might have guys trying to hack into your accounts. Change your password with iCloud keychain.
[doublepost=1549844022][/doublepost]

I hate giving up info to the data miners, still see the value in the 2FA.

The average John/Jane don't seem to understand the drowning that happens in identity theft. It is so easy for the thieves.

I have lost two "free" email accounts - Google and Microsoft - just by being careless enough to not logout of the account before logging in at another computer; its complicated. However, the lesson learned is, how serious these services are about security.

The only peeve is that they keep asking for complicated passwords, which need to be changed every so often. Caps, numerals, special characters … it is impossible to keep in memory. Only way is to use a password program or meticulously write them down!

That is a lot to ask a 70-year old retiree who is wading into online banking/billpay, smartphones, multiple devices, preference of feature phones, and all the phishing/hacking out there. Or, getting them to understand how devastating their final years can be if they do get their identity stolen.

Most people, young and old, don't even understand the concept of credit freeze. Still, learning and implementing these safeguards is not nuclear physics.

iCloud keychain on ios 12 has been an excellent builtin password manager.

 

[AussieSimon]

That's not 2FA though is it.

Actually it is—the two factors at an ATM are

1. Something you have (the plastic card)
2. Something you know (the pin code)

This is comparable to an online 2FA situation where the two factors are

1. Something you know (password)
2. Something you have (authenticator)

 

[gavroche]

I don't think the issue is with 2FA, it's that it gets stuck on permanently because of the 2-week rule. Let us turn it off, that is all.

It is so surprising to me (or maybe it isn't) that people feel so entitled to dictate to service providers which security measures they choose to require. Apple are far from the only ones doing this. Try logging into a bank without security measures in place. They have a duty to protect users information, and can be held liable for breaches.

 

[carrrrrlos]

Somebody call the wambulance.

 

[applefan69]

I hope the day will soon come when ridiculous lawsuits get fined for wasting everybody‘s time.
[doublepost=1549838340][/doublepost]

Or they just don‘t want to be held responsible by the same idiots after they have gotten their data stolen by clicking on a phishing link.

Since when are they liable for the ol' phishing leak scam? Pretty sure the legal departments have fought and won that one combined 1 million times by now.

"Oh you clicked the link the stranger gave you? I am sorry sir but you authorized that transaction we are unable to help you".

I am sure no lawyer has EVER lost defending their company from the case of "Sir Mcdumbdumb gave out his banking information willingly".

If I want to expose myself to additional risk the company can easily write it into their terms and conditions that they are not liable for it. Knowing that, my explanation for these forced 2-step verification system starts to make more sense.

 

[duervo]

I’m waiting for someone to sue Apple for not letting downgrade iOS versions. So you have a lot of Apps that won’t be updated to 64-bit or post iOS 11, Apps that you’ve paid for, and Apple doesn’t let you install a iOS version that supports them.

It’s like if you couldn’t install previous Mac OS versions on a Mac or previous Windows versions on a PC.

So Apple has charged you for some apps in the past, but Apple doesn’t let you install an operating system that supports them. That’s not right.

The same right has a customer to update the operating system at the time they like than to downgrade it whenever they want.

That's the App developer's fault. They were given lots of lead time to update their apps, but chose not to for whatever reason. Largest culprit of this in my experience has been developers of kids apps, but lots of other developers do it too. They simply don't give a crap once they have your money.

All the apps that are actually developed by Apple, like Numbers, Pages, Keynote, Garageband, are updated to support the latest version of iOS.

 

[kildraik]

When I enabled 2FA on my account, it was a hoop I had to jump through maybe two or three times a year.

These days I sometimes I'm doing it several times in one day — it's very annoying and you might not realise that immediately.

Given the option to turn it off, I'd still keep it. But Apple needs to definitely needs to fix the frequency of confirmations and in the mean time it should be possible to disable the feature.

Two-Factor only requires authentication if you log into a new device or log into iCloud on an untrusted computer/device that isn't saving the "Remember Me," box's cookies.

I essentially have to deal with Apple's 2FA once a year upon upgrading my iPhone (outside of my daily 3rd party 2FA for logging into my employers systems, for obvious reasons).

Sounds like you need to appropriately manage your digital life (not using cookie blockers, private/incognito mode, etc) so you can circumvent that issue of needing verification multiple (!?) times per day.

 

[gavroche]

I'm probably missing something obvious, but I've had two-factor authentication turned on for years and I always get the 6 digit passcode popping up on the actual device I am asked to input it in, as well as on my other devices. I don't really see the point of it if they are "giving you the answer" like that. Maybe there's a glitch with my account or I'm not understanding the concept.

It is pairing a trusted device with a password. A hacker wouldn't be trying to log in from a trusted device. Think of it like your bank atm card. It is two step essentially... Your pin, and the physical card. Need both to access.

 

[kildraik]

I'm probably missing something obvious, but I've had two-factor authentication turned on for years and I always get the 6 digit passcode popping up on the actual device I am asked to input it in, as well as on my other devices. I don't really see the point of it if they are "giving you the answer" like that. Maybe there's a glitch with my account or I'm not understanding the concept.

What gavroche said.

They aren't giving you the answer, they're sending the authentication code to your already trusted devices/phone numbers. The perfect example is when setting up a new iPhone that has your SIM card installed (that is the same number as your trusted number), that code can be sent to your number. The same thing goes for trusted devices (such as logging into iCloud.com in a private browser on a trusted device), which you can remove yourself in your security settings if you sell them.

It's not a difficult concept to understand, it is simply always advised that people read everything before accepting anything. At least Apple isn't malicious in their Terms and Processes. Every bit of information you need is always presented to you before confirming your options. You just have to actively seek to understand.

Everything is very well explained in Apple Support article HT204915, which is prompted as "Learn More," before enabling two-factor authentication.

 

[gavroche]

Such condescending attitude doesn't do you any credit. I'm well aware of my intelligence and my life choices without some random dude on Internet assessing it.

1. If you read my earlier comment, "genius", you'd at least derive from it that I was not given such option hence I'm hanging up with their support for over a month.
2. Why 14 days at all? Why not month? Year? Why the time frame at all?
3. Why can't I turn it off 2FA if I want?

So funny how you just got done saying how you don't care about anyone but yourself, then criticize him for being condescending....

 

[kildraik]

The point here is to have the ability to disable dual factor when it's not needed. Apple should allow the change regardless of two weeks. When I changed my device, I was unable to get the dual factor on my new phone. I called apple for hours without success, eventually, I realized I had an old iPhone 6 inside which I powered on and thankfully got the code for dual factor. If I didn't have that phone, I would have gotten a runaround.

I feel this security is enforced to make the pockets deeper. Typical of Apple. "Remember the battery fiasco - It is for sure not the most ethical company imo but they do make good devices so we kind of have to buy it.

Thats impossible, unless you changed your phone number AND permanently didn't have access to your email when you changed your device, which would be poor management of personal data.

When prompted to enter the verification code, there are several options listed. You select "Didn't Get A Code?" and select a new code to be sent to either the trusted email or trusted phone number.

Most runarounds are user error, especially with the "battery fiasco." It's hilarious that people think batteries should last a lifetime. Just like tires, they're consumable components that degrade over time. It would be hilarious if you went to a dealership and bought a vehicle with tires that you think should last more than three years and still get peak performance.

 

[gavroche]

Good. Apple deserves it. It's annoying not being able to disable it.

Tenth page to finally get to the legal standard to sue... If something is annoying...
[doublepost=1549847919][/doublepost]

I'm not convinced this is a frivolous lawsuit.

I use two-factor authentication all the time for connecting to client firewalls, VPNs, and other secure services and devices. Authy does two-factor correctly: you have to launch the application on your Mac or iPhone, and enter the six-digit code it gives you.

Apple does two-factor both incorrectly and stupidly: it pops-up a six digit code, OFTEN ON THE SAME DEVICE YOU'RE TRYING TO LOG IN FROM, that you need to enter. Sometimes, it goes through this process TWICE. Sometimes, you have to append the six digit code to your login. In some cases, Apple will require a user to go through their two-factor waste of time several times when setting up a new computer.

And don't even get me started about how lame Face ID is compared to Touch ID!

Weird how you bolded the part about it often being on the same device. As if you don't understand the concept of a device already being established as trusted... And that a hacker wouldn't be trying to access from a trusted device. So many people have made this comment that clearly a lot of people don't understand how it works. Fortunately, people in charge do.

 

[0947347]

Thank you for taking the time to reply. I am able to use workarounds but all of them are a pain in the neck for me. e.g. to log into icloud at work I have to got and get my phone from another room or find someone on my account (who also happens to be available at that time) to tell me the authentication code. The steps are simple but a huge pain. It's fine when I have my phone with me but often I don't. I had assumed that the code could be emailed which would make it easy but they don't. Thank you again for your help
[doublepost=1549814156][/doublepost]
Thanks, but what about logging into my iCloud account etc ? Can the verification be sent to an email address? I use a different PC / desk pretty much every day. The authentication code goes to my phone....which isn't with me

As I stated above, you don’t need the verification code.

On iCloud.com when it asks you for verification, there should be a link underneath to just Find My Phone if you want to locate or disable lost device.

I don’t have “untrusted” computer to try it on right now.
If you do test it, please, let us know if it works.

 

[2010mini]

Can Apple counter sue for wasting their time and money?

 

[KPandian1]

Can Apple counter sue for wasting their time and money?

And collect … zilch? Or cents that will not be worth the effort for such a large company!

Unless, it is just revenge … okay, that is worth it.

 

[MobiusStrip]

People think their use case is the only one, much like Apple itself. If THEY didn't imagine it, then they'll reject it even when it's brought to their attention.

For example: Two-factor authentication for application updates can be a crippling pain in the ass for businesses. I develop software that works with Apple applications, for which our company has a license. But it's a company license; when I wanted to update an app, Apple insisted on sending a code to an obscure computer on another continent... which wasn't even manned at that hour.

HOWEVER: Apple DID let us turn that off eventually, so I don't know why they don't offer this across their entire security regime.

But again, you're talking about Apple, a company that forces people to use an E-mail address as their user ID. That's not just amateur-hour; it's stupid.