Apple Sued Over Not Letting Customers Disable Two-Factor Authentication After Two Weeks

I hear this a lot, but despite what the customer agreement says, I’m not sure it’s ever been tested in court. Precedent was set by the music industry, but this isn’t music, and they never claimed the right to modify the content with or without user permission.

If the customer wins suddenly there becomes a question if Apple can ever remove any feature. The only way anyone wins here is if Apple can understand why people want to turn it off. Or at least let customers disable notifications without completing the task.

 

Oh boy.. this gets better and better. Have you read the article? Do you know what the 2 factor authentication is being used for? It’s connected to your iCloud account and not to your device.
And you actually HAVE a choice for crying out loud.

 

Also doesn't appear on any other computer or device anywhere else in the world. So someone trying to remotely login to your account needs your trusted device.

This is what you’re really protecting against. Remote logins.

 

I don't know who he think's he's actually going to convince with that line of reasoning, because it's a simple matter to debunk this particular claim: if events had actually transpired as he describes, I'm pretty sure I wouldn't still be harassing my wife to enable 2-fac on her account!

 

I think a compromise might be to allow a user to turn it off at any later date, that seems sensible to me.

 

Nope, getting into my phone should not be giving people access to my accounts and information. That IS the whole purpose of 2 factor authentication. Duh! Unless of course a company like Apple eviscerates the functionality because they only care about perception.

So in your example, getting into the home should give everyone access to the safe inside the home. That makes sense.

--- Post Merged, Feb 11, 2019 at 6:29 AM ---

The point being that I should be able to turn it on or off at will. BTW you should try to turning it off sometime, it is a nightmare of resetting accounts, resetting devices, logging out, logging in, etc. Apple clearly does not expect it to be turned off. Also note below from Apple support documents, the word required.

From https://support.apple.com/en-us/HT207198

 

Follow Apple's instructions: https://support.apple.com/en-us/HT204915

"You should also consider verifying an additional phone number you can access, such as a home phone, or a number used by a family member or close friend. You can use this number if you temporarily can't access your primary number or your own devices."

 

Lol. It’s been tested a hundred times in court.

--- Post Merged, Feb 11, 2019 at 7:07 AM ---

That’s what the criminal hackers are hoping for.

 

Great. Provide a few. Cause the only ones I have seen revolve around giving customers the right to first doctrine sale. Of course that goes against the idea that they are only licensing the software.

 

I don’t call their customers idiots in general, only those that do idiotic things like ridiculous lawsuits instead of using their brains.

 

No it isn't. In your ‘online situation’ you’re forgetting something - your account number. Whether its your email address, a username, or a literal account number - it’s the clear text or publicly know portion. In Donald Rumsfeld parlance this would be a ‘known known’ and therefor is not a “factor” in the equation.

If you want to get technical - Yes, the ‘plastic’ card is “a thing you have” but since it’s static information its captureable like a password. Therefore it only something you need to know. So the reality is you are using two of the same ‘factor’. With one of your ‘factors’ being known information.

It’s one factor authetication.

 

That's the same thing. "Ridiculous", "idiots", "use their brains" are subjective qualitative adjectives and definitions that have a neutral contributing value and a weak evidential effect.

 

What does that have to do with what was brought up in the quoted post?

 

See the quotes below.

It seems that some people here are complaining about 2 factor authentication without much knowledge how it actually works. I do understand that not everyone finds it necessary, though I think this is something you can figure out within two weeks (and turn it off if you don't like it). Could they provide this possibility for good? Of course!
Do I have to sue because they don't?
I don't think so. All you get is a more secure online service even if it feels inconvenient to some.
The device you bought from apple is not directly affected and remains the same (you can call, write, surf, take pictures etc.) It's not that you need 2 factor authentication to unlock your phone.

 

Sorry, should’ve use the: /sarcasm at the end of my post.

 

And that still doesn't deal with the simplicity of being to enable or disable an option that affects you and is really up to you. (Or that reporting news is different that writing an opinion piece.)

 

Lo I would barely consider 2FA 'tough', nor compare it to driving safely

Its barely even a nuisance, and totally worth it for the extra security.

 

So is a passcode or Touch ID or Face ID, and yet the user is allowed to enable or disable those as desired.

 

he was correct.. and nowhere did he mention account number as one of the factors. account number, like Apple ID, would be useless in trying to withdraw money. If you were correct in saying that password and physical card were the same thing.. and this only one factor, you would only need one to gain access. good luck withdrawing money from any bank atm with just the code... or just the card.. see how far you get with that.

 

That's true, which is why I don't blame them for doing it. I was just stating the unintended consequences of 2FA in my particular case. Yes, I'd still rather have it off.

 

Fair enough. I think the irony is that the reason many companies are starting to use 2FA is because the responsibility to keep accounts secure, and that they can and do get sued for breaches. So a lawsuit here just exasperates the problem.. kind of proving their point.

 

You can disable it within 14 days. iCloud and the connected services are free unless you need more then 5GB of storage.
This service runs through apple servers and they are responsible for the provided security.
IMO they can dictate the rules of such service and it's access.
They don't charge you extra, they don't ask for any additional personal information.
I really can't see any resulting downside besides you're old and / or unable to cope with too much technology.
That's why my grandparents disabled it for now. Their iMac and iPhones still work flawlessly.

 

Which doesn't change any of what was brought up. What's the issue with being able to disable it beyond those initial two weeks? Apple deciding that's the way is certainly a response, but that doesn't mean that the approach can't be questioned or that it all can't (or perhaps even shouldn't) be different/better just because that's how it's been decided.

 

AussieSimon, the individual i responded to stated there are two factors at an ATM. #1 The plastic card. #2 the PIN code for that card.

AussieSimon was mistaken on that account. Just because you have to present the username or account number on "a plastic card" (something you have) does not make it serve as a factor.

This would be like arguing that the prox card that you maybe use at work to open doors is "1-factor" authentication on the basis of "it's something you have". No it isn't. Because anyone can use it (or steal it) and gain access. It's identity only. 0-factor.

The ATM is only reading identity info off the mag stripe on the card - The account number. But, go ahead, if you want to argue semantics that AussieSimon didn't literally say "account number is a factor" that's fine. But, that's what the ATM card represents, your bank account number. They were representing that the ATM card counts as a factor.

Correct.

That ATM card, its mag stripe data, account usernames, or account numbers are useless on their own for account withdraws or logging into a website or ordering something. Why? Because the identity that they provide is protected by (typically) 1 factor of authentication. Needing to know the PIN for the account at the bank. Or the password for the website login or order purchase.

--- Post Merged, Feb 11, 2019 at 1:13 PM ---

Looking back though - I can see now how what I wrote was confusing though. I could have written that better. My apologies.

 

Agreed. Of course apple's decision can be questioned. Some people in this thread brought up that it might be relevant for future features or ambitions in raising the security level on apple's side in general.
I just don't think that a law suit is a reasonable response to that decision even if one doesn't agree.
(Their House / Service - Their rules).
Also some people seemed to twist the facts here about the feature itself.