Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

Apple Sued Over Not Letting Customers Disable Two-Factor Authentication After Two Weeks

dr1320 said:
Your personal choice is to use the software or not. Apple owns the software, you do not. It is their choice on the security they require. Would a choice be nice? Yes, but Apple is not legally required to.
Click to expand...

I hear this a lot, but despite what the customer agreement says, I’m not sure it’s ever been tested in court. Precedent was set by the music industry, but this isn’t music, and they never claimed the right to modify the content with or without user permission.

If the customer wins suddenly there becomes a question if Apple can ever remove any feature. The only way anyone wins here is if Apple can understand why people want to turn it off. Or at least let customers disable notifications without completing the task.
 
  • Like
Reactions: MadeTheSwitch
ohboy... said:
Shame on this writer for calling this frivolous (let us form our own opinions, rather than telling us what to do and think as Apple does) , and... what a mean crowd. It's not about security, it's about choice and being in control of our devices instead of being dictated to. Shame on Apple.
Click to expand...

Oh boy.. this gets better and better. Have you read the article? Do you know what the 2 factor authentication is being used for? It’s connected to your iCloud account and not to your device.
And you actually HAVE a choice for crying out loud.
 
flygbuss said:
Simple answer: Because that exactly is part of the additional security. It's like a captcha, a human link in the chain.
Even though the code shows up on the device it's not connected to the browser. You have to close the gap manually.
Click to expand...
Also doesn't appear on any other computer or device anywhere else in the world. So someone trying to remotely login to your account needs your trusted device.

This is what you’re really protecting against. Remote logins.
 
  • Like
Reactions: chabig
MacRumors said:
... The complaint is riddled with questionable allegations, however, including that Apple released a software update around September 2015 that enabled two-factor authentication on Brodsky's Apple ID without his knowledge or consent. Apple in fact offers two-factor authentication on an opt-in basis. ...
Click to expand...
I don't know who he think's he's actually going to convince with that line of reasoning, because it's a simple matter to debunk this particular claim: if events had actually transpired as he describes, I'm pretty sure I wouldn't still be harassing my wife to enable 2-fac on her account!
 
I think a compromise might be to allow a user to turn it off at any later date, that seems sensible to me.
 
chabig said:
Isn't that a bit like arguing, "If someone has already gotten into my home, what good is having a door lock?"
Click to expand...

Nope, getting into my phone should not be giving people access to my accounts and information. That IS the whole purpose of 2 factor authentication. Duh! Unless of course a company like Apple eviscerates the functionality because they only care about perception.

So in your example, getting into the home should give everyone access to the safe inside the home. That makes sense.
[doublepost=1549895396][/doublepost]
iApplereviews said:
You realize 2 factor is off by default right? So the claim it was forced on you was false. If you do turn it on and don't like it then you have a time period to turn it off. The only reason someone would absolutely need to turn it on would be using advanced features that require a higher level of security such as using an Apple Watch to unlock a Mac.
Click to expand...

The point being that I should be able to turn it on or off at will. BTW you should try to turning it off sometime, it is a nightmare of resetting accounts, resetting devices, logging out, logging in, etc. Apple clearly does not expect it to be turned off. Also note below from Apple support documents, the word required.

From https://support.apple.com/en-us/HT207198
Two-factor authentication is our most advanced, easy-to-use account security, and it's required to use some of the latest features of iOS, macOS, and iCloud. If you're using two-step verification, we'll automatically update your account when you sign in to iOS 11 or later or macOS High Sierra or later. You can also manually switch your account from two-step verification to two-factor authentication when you follow the steps below.
Click to expand...
 
ignatius345 said:
Huh. What's the "official" way to deal with this? I never stopped to think about it because I have multiple Apple devices, but how do you get an authentication code if you just own (say) one iPhone and nothing else from Apple?
Click to expand...
Follow Apple's instructions: https://support.apple.com/en-us/HT204915

"You should also consider verifying an additional phone number you can access, such as a home phone, or a number used by a family member or close friend. You can use this number if you temporarily can't access your primary number or your own devices."
 
  • Like
Reactions: ignatius345
4jasontv said:
I hear this a lot, but despite what the customer agreement says, I’m not sure it’s ever been tested in court. Precedent was set by the music industry, but this isn’t music, and they never claimed the right to modify the content with or without user permission.

If the customer wins suddenly there becomes a question if Apple can ever remove any feature. The only way anyone wins here is if Apple can understand why people want to turn it off. Or at least let customers disable notifications without completing the task.
Click to expand...
Lol. It’s been tested a hundred times in court.
[doublepost=1549897627][/doublepost]
Ladybug said:
I think a compromise might be to allow a user to turn it off at any later date, that seems sensible to me.
Click to expand...
That’s what the criminal hackers are hoping for.
 
  • Like
Reactions: chabig
cmaier said:
Lol. It’s been tested a hundred times in court.
Click to expand...

Great. Provide a few. Cause the only ones I have seen revolve around giving customers the right to first doctrine sale. Of course that goes against the idea that they are only licensing the software.
 
Why do you defend corporations and call their customers idiots? I wonder what kind of human being assumes such arrogance to call other people idiots. Most likely those looking at themselves in the mirror.
Didn't occur once in a while that it is corporations that are idiots? Reality abounds.
Click to expand...
I don’t call their customers idiots in general, only those that do idiotic things like ridiculous lawsuits instead of using their brains.
 
  • Like
Reactions: zarmanto
AussieSimon said:
Actually it is—the two factors at an ATM are
  1. Something you have (the plastic card)
  2. Something you know (the pin code)
This is comparable to an online 2FA situation where the two factors are
  1. Something you know (password)
  2. Something you have (authenticator)
Click to expand...
No it isn't. In your ‘online situation’ you’re forgetting something - your account number. Whether its your email address, a username, or a literal account number - it’s the clear text or publicly know portion. In Donald Rumsfeld parlance this would be a ‘known known’ and therefor is not a “factor” in the equation.

If you want to get technical - Yes, the ‘plastic’ card is “a thing you have” but since it’s static information its captureable like a password. Therefore it only something you need to know. So the reality is you are using two of the same ‘factor’. With one of your ‘factors’ being known information.

It’s one factor authetication.
 
  • Like
Reactions: maverick28
Taipan said:
I don’t call their customers idiots in general, only those that do idiotic things like ridiculous lawsuits instead of using their brains.
Click to expand...
That's the same thing. "Ridiculous", "idiots", "use their brains" are subjective qualitative adjectives and definitions that have a neutral contributing value and a weak evidential effect.
 
flygbuss said:
Oh boy.. this gets better and better. Have you read the article? Do you know what the 2 factor authentication is being used for? It’s connected to your iCloud account and not to your device.
And you actually HAVE a choice for crying out loud.
Click to expand...
What does that have to do with what was brought up in the quoted post?
 
C DM said:
What does that have to do with what was brought up in the quoted post?
Click to expand...

See the quotes below.

It seems that some people here are complaining about 2 factor authentication without much knowledge how it actually works. I do understand that not everyone finds it necessary, though I think this is something you can figure out within two weeks (and turn it off if you don't like it). Could they provide this possibility for good? Of course!
Do I have to sue because they don't?
I don't think so. All you get is a more secure online service even if it feels inconvenient to some.
The device you bought from apple is not directly affected and remains the same (you can call, write, surf, take pictures etc.) It's not that you need 2 factor authentication to unlock your phone.

ohboy... said:
Shame on this writer for calling this frivolous (let us form our own opinions, rather than telling us what to do and think as Apple does) , and... what a mean crowd. It's not about security, it's about choice and being in control of our devices instead of being dictated to. Shame on Apple.
Click to expand...

flygbuss said:
Oh boy.. this gets better and better. Have you read the article? Do you know what the 2 factor authentication is being used for? It’s connected to your iCloud account and not to your device.
And you actually HAVE a choice for crying out loud.
Click to expand...
 
flygbuss said:
See the quotes below.

It seems that some people here are complaining about 2 factor authentication without much knowledge how it actually works. I do understand that not everyone finds it necessary, though I think this is something you can figure out within two weeks (and turn it off if you don't like it). Could they provide this possibility for good? Of course!
Do I have to sue because they don't?
I don't think so. All you get is a more secure online service even if it feels inconvenient to some.
The device you bought from apple is not directly affected and remains the same (you can call, write, surf, take pictures etc.) It's not that you need 2 factor authentication to unlock your phone.
Click to expand...
And that still doesn't deal with the simplicity of being to enable or disable an option that affects you and is really up to you. (Or that reporting news is different that writing an opinion piece.)
 
jdmachogg said:
Lo I would barely consider 2FA 'tough', nor compare it to driving safely :D

Its barely even a nuisance, and totally worth it for the extra security.
Click to expand...
So is a passcode or Touch ID or Face ID, and yet the user is allowed to enable or disable those as desired.
 
31 Flavas said:
No it isn't. In your ‘online situation’ you’re forgetting something - your account number. Whether its your email address, a username, or a literal account number - it’s the clear text or publicly know portion. In Donald Rumsfeld parlance this would be a ‘known known’ and therefor is not a “factor” in the equation.

If you want to get technical - Yes, the ‘plastic’ card is “a thing you have” but since it’s static information its captureable like a password. Therefore it only something you need to know. So the reality is you are using two of the same ‘factor’. With one of your ‘factors’ being known information.

It’s one factor authetication.
Click to expand...


he was correct.. and nowhere did he mention account number as one of the factors. account number, like Apple ID, would be useless in trying to withdraw money. If you were correct in saying that password and physical card were the same thing.. and this only one factor, you would only need one to gain access. good luck withdrawing money from any bank atm with just the code... or just the card.. see how far you get with that.
 
gavroche said:
It is so surprising to me (or maybe it isn't) that people feel so entitled to dictate to service providers which security measures they choose to require. Apple are far from the only ones doing this. Try logging into a bank without security measures in place. They have a duty to protect users information, and can be held liable for breaches.
Click to expand...
That's true, which is why I don't blame them for doing it. I was just stating the unintended consequences of 2FA in my particular case. Yes, I'd still rather have it off.
 
Zwhaler said:
That's true, which is why I don't blame them for doing it. I was just stating the unintended consequences of 2FA in my particular case. Yes, I'd still rather have it off.
Click to expand...

Fair enough. I think the irony is that the reason many companies are starting to use 2FA is because the responsibility to keep accounts secure, and that they can and do get sued for breaches. So a lawsuit here just exasperates the problem.. kind of proving their point.
 
  • Like
Reactions: flygbuss
C DM said:
And that still doesn't deal with the simplicity of being to enable or disable an option that affects you and is really up to you. (Or that reporting news is different that writing an opinion piece.)
Click to expand...
You can disable it within 14 days. iCloud and the connected services are free unless you need more then 5GB of storage.
This service runs through apple servers and they are responsible for the provided security.
IMO they can dictate the rules of such service and it's access.
They don't charge you extra, they don't ask for any additional personal information.
I really can't see any resulting downside besides you're old and / or unable to cope with too much technology.
That's why my grandparents disabled it for now. Their iMac and iPhones still work flawlessly.
 
flygbuss said:
You can disable it within 14 days. iCloud and the connected services are free unless you need more then 5GB of storage.
This service runs through apple servers and they are responsible for the provided security.
IMO they can dictate the rules of such service and it's access.
They don't charge you extra, they don't ask for any additional personal information.
I really can't see any resulting downside besides you're old and / or unable to cope with too much technology.
That's why my grandparents disabled it for now. Their iMac and iPhones still work flawlessly.
Click to expand...
Which doesn't change any of what was brought up. What's the issue with being able to disable it beyond those initial two weeks? Apple deciding that's the way is certainly a response, but that doesn't mean that the approach can't be questioned or that it all can't (or perhaps even shouldn't) be different/better just because that's how it's been decided.
 
gavroche said:
he was correct.. and nowhere did he mention account number as one of the factors.
Click to expand...
AussieSimon, the individual i responded to stated there are two factors at an ATM. #1 The plastic card. #2 the PIN code for that card.

AussieSimon was mistaken on that account. Just because you have to present the username or account number on "a plastic card" (something you have) does not make it serve as a factor.

This would be like arguing that the prox card that you maybe use at work to open doors is "1-factor" authentication on the basis of "it's something you have". No it isn't. Because anyone can use it (or steal it) and gain access. It's identity only. 0-factor.

The ATM is only reading identity info off the mag stripe on the card - The account number. But, go ahead, if you want to argue semantics that AussieSimon didn't literally say "account number is a factor" that's fine. But, that's what the ATM card represents, your bank account number. They were representing that the ATM card counts as a factor.

gavroche said:
account number, like Apple ID, would be useless in trying to withdraw money. If you were correct in saying that password and physical card were the same thing.. and this only one factor, you would only need one to gain access. good luck withdrawing money from any bank atm with just the code... or just the card.. see how far you get with that.
Click to expand...
Correct.

That ATM card, its mag stripe data, account usernames, or account numbers are useless on their own for account withdraws or logging into a website or ordering something. Why? Because the identity that they provide is protected by (typically) 1 factor of authentication. Needing to know the PIN for the account at the bank. Or the password for the website login or order purchase.
[doublepost=1549919586][/doublepost]
gavroche said:
he was correct.. and nowhere did he mention account number as one of the factors. account number, like Apple ID, would be useless in trying to withdraw money. If you were correct in saying that password and physical card were the same thing.. and this only one factor, you would only need one to gain access. good luck withdrawing money from any bank atm with just the code... or just the card.. see how far you get with that.
Click to expand...
Looking back though - I can see now how what I wrote was confusing though. I could have written that better. My apologies.
 
Last edited:
C DM said:
Which doesn't change any of what was brought up. What's the issue with being able to disable it beyond those initial two weeks? Apple deciding that's the way is certainly a response, but that doesn't mean that the approach can't be questioned or that it all can't (or perhaps even shouldn't) be different/better just because that's how it's been decided.
Click to expand...

Agreed. Of course apple's decision can be questioned. Some people in this thread brought up that it might be relevant for future features or ambitions in raising the security level on apple's side in general.
I just don't think that a law suit is a reasonable response to that decision even if one doesn't agree.
(Their House / Service - Their rules).
Also some people seemed to twist the facts here about the feature itself.
 
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom
Back