Apple Sued Over Not Letting Customers Disable Two-Factor Authentication After Two Weeks

[Tooldog]

I don’t believe you are necessarily entitled to that particular choice, no. However, I can be convinced. So, since you are the one positing that such a choice is an entitlement, I repeat my question: why? What is the source of this entitlement? Contractual? Deriving from statute? Natural law? Is everyone entitled to choices in every situation? Is every manufacturer required to allow me to customize every device in any way I want? Are they required to cede their rights under Title 17 of the U.S. Code?

What is your basis for saying that consumers have this right, and how far does this right extend?

Basis is that the purchaser has "title and ownership" of the device. I take note you interject that Title 17 "copyright law" is applicable. I suspect that it will be ruled not to be applicable if Apple attorneys are brazen enough to open the lid on that steaming pile. Owner cannot be "compelled" to do anything with their device under current U.S. law. California, or other states, may have laws covering this.

"macrumors.com" should not utilize technical legal phrasing. Especially without a statement revealing it to be their personal "uninformed opinion" and "not based upon published ruling."

 

[spullum]

It's totally stupid we can't turn it off.. but suing over it? WTF.

Suing is prob. the only way the person would be able to turn it off in future. Apple's probably not going to allow it to be turned off otherwise.

If Apple makes it opt-out for new devices, and a few people turn it off, they chose to accept responsibility (they can prompt you to agree).

 

[Kastellen]

Realize even on your Authorized Mac, it takes Apple to send you the code to it to confirm. When you send to is not the same as receiving from.

Okay, can you clarify that? Because Apple IS sending the "allow"/"don't allow" dialogue TO THE MAC I'M ON. I click "allow", and it gives me a code to put on the web page ON THAT MAC. Code and place to put it on the same machine. I usually have to move the window WITH the code out of the way of the window that WANTS the code.

And this is all of course on a Safari browser that has been authenticated (and "trusted") fifty times already on that same Mac.

 

[IG88]

It doesn't matter, the code will come to every trusted device connected to your apple ID.
It's not that you actually need two devices to make it work. What if I just have my phone with me? Or just the MacBook? Two Factor Authentication is only to make sure that you'll need more then just you're password to log into icloud.
If the Device is trusted, the code will come to the same device the website is being used one. (and to every other trusted device available)

Yes this is correct actually, although still somewhat confusing.

 

[Ruskes]

Okay, can you clarify that? Because Apple IS sending the "allow"/"don't allow" dialogue TO THE MAC I'M ON. I click "allow", and it gives me a code to put on the web page ON THAT MAC. Code and place to put it on the same machine. I usually have to move the window WITH the code out of the way of the window that WANTS the code.

And this is all of course on a Safari browser that has been authenticated (and "trusted") fifty times already on that same Mac.

OK, let me try
You can log with Apple ID from any device.
With two step verification you can not do that.
Only from devices you added to trusted devices where you will get the code.
You can log in with someones laptop, as long you have one of your trusted devices with you to get the code.

 

[Ladybug]

Lol. It’s been tested a hundred times in court.
[doublepost=1549897627][/doublepost]
That’s what the criminal hackers are hoping for.

Criminals are everywhere doing criminal things that won’t change.

 

[gavroche]

AussieSimon, the individual i responded to stated there are two factors at an ATM. #1 The plastic card. #2 the PIN code for that card.

AussieSimon was mistaken on that account. Just because you have to present the username or account number on "a plastic card" (something you have) does not make it serve as a factor.

This would be like arguing that the prox card that you maybe use at work to open doors is "1-factor" authentication on the basis of "it's something you have". No it isn't. Because anyone can use it (or steal it) and gain access. It's identity only. 0-factor.

The ATM is only reading identity info off the mag stripe on the card - The account number. But, go ahead, if you want to argue semantics that AussieSimon didn't literally say "account number is a factor" that's fine. But, that's what the ATM card represents, your bank account number. They were representing that the ATM card counts as a factor.

Correct.

That ATM card, its mag stripe data, account usernames, or account numbers are useless on their own for account withdraws or logging into a website or ordering something. Why? Because the identity that they provide is protected by (typically) 1 factor of authentication. Needing to know the PIN for the account at the bank. Or the password for the website login or order purchase.
[doublepost=1549919586][/doublepost]Looking back though - I can see now how what I wrote was confusing though. I could have written that better. My apologies.

Edit:

Pointless debate....

 

[cmaier]

Criminals are everywhere doing criminal things that won’t change.

Not true. There is no criminal behind my sofa. Just mismatched socks. So not everywhere.

 

[Ladybug]

Not true. There is no criminal behind my sofa. Just mismatched socks. So not everywhere.

Haha, are you really really sure? Have you looked? Perhaps that is why you only have mismatched socks left.

 

[MadeTheSwitch]

I’m hoping is attorney is offering a no win no fee incentive

But this is certainly a frivolous lawsuit! I’m one of the first to criticise apple when they try to screw over customers or pull a fast one! However, I really can’t see the merit in this case! It’s akin to suing my locksmith so that the locks they install are easier to break!

Not a good analogy. Your locksmith isn’t in control of your lock. You can do what you want with your lock, your door, and your house. Unlike the Apple situation where you could be locked out of your own content that you paid for. In your analogy, it would be like the locksmith keeping you from getting into your house and accessing your stuff ever again.

Actually it is—the two factors at an ATM are

1. Something you have (the plastic card)
2. Something you know (the pin code)

This is comparable to an online 2FA situation where the two factors are

1. Something you know (password)
2. Something you have (authenticator)

Not comparable. If I forget my password and lose my ATM card, I can go to the bank and resolve it and still have access to my money. In this situation you lose two things and you are shut out of your stuff.
[doublepost=1549940709][/doublepost]

Yeah this is just so ridiculous. Can I sue a local data center because they force a card, pin and finger print to enter the building?

Is it your building that you paid for and own?
[doublepost=1549941791][/doublepost]

This is why we need tort reform. Baseless case over a valuable feature. This is like suing your landlord for not allowing you to remove the locks from your apartment door.

If you were merly renting your iphone from Apple like renting that apartment, your analogy might be more accurate. But not if you bought it.

 

[Ethosik]

Is it your building that you paid for and own?

Do you own Apple's servers and the Apple ID? I OWN my servers in the data center. It should be my choice to lower the security as I do not care if someone comes in and takes my servers.

This is the same situation. Your Apple ID is yours, but it is on Apple's servers and Apple's environment.

 

[MadeTheSwitch]

Do you own Apple's servers and the Apple ID? I OWN my servers in the data center. It should be my choice to lower the security as I do not care if someone comes in and takes my servers.

This is the same situation. Your Apple ID is yours, but it is on Apple's servers and Apple's environment.

Sounds like you are renting a space in the data center. That’s a different situation than the phone you own. You can separate your servers from the data center if you do not like the policy whereas an iphone that is your property cannot be separated from Apple’s 2FA policy after the two week period that people aren’t even informed of ahead of time. That’s the point.

I really don’t see why some here are so bent out of shape over someone wanting to turn something off. Obviously it is not a technical problem as they can and do reverse it within an arbitrary two week period. So a customer should be able to turn it off later if they want. It doesn’t impact you.

 

[Zwhaler]

Fair enough. I think the irony is that the reason many companies are starting to use 2FA is because the responsibility to keep accounts secure, and that they can and do get sued for breaches. So a lawsuit here just exasperates the problem.. kind of proving their point.

Yep... and I respect that! "Enforcing" 2FA in this way will surely reduce the number of security breaches since they have millions and millions of customers.

 

[Ruskes]

The only ones who oppose the 2FA are Scammers and Hackers.

 

[Ethosik]

Sounds like you are renting a space in the data center. That’s a different situation than the phone you own. You can separate your servers from the data center if you do not like the policy whereas an iphone that is your property cannot be separated from Apple’s 2FA policy after the two week period that people aren’t even informed of ahead of time. That’s the point.

I really don’t see why some here are so bent out of shape over someone wanting to turn something off. Obviously it is not a technical problem as they can and do reverse it within an arbitrary two week period. So a customer should be able to turn it off later if they want. It doesn’t impact you.

Yes it does impact me. This will set a precedent allowing just a random Joe on the street to control how a program or business operates just by filing a lawsuit for not liking something. I wouldn't want someone getting on my account and disabling two-factor authentication and re-enabling it for just their devices. They should NOT allow it to be turned off for security reasons.

So how about whenever I log in to my credit card website on a new browser or new computer, I am asked for my security code and expiration date for multiple verification? That takes up my time too.

 

[Ruskes]

Yes it does impact me. This will set a precedent allowing just a random Joe on the street to control how a program or business operates just by filing a lawsuit for not liking something. I wouldn't want someone getting on my account and disabling two-factor authentication and re-enabling it for just their devices. They should NOT allow it to be turned off for security reasons.

So how about whenever I log in to my credit card website on a new browser or new computer, I am asked for my security code and expiration date for multiple verification? That takes up my time too.

Actually wondering when will the online banking introduce the 2 step verification.
After all it is a very clever way of protecting my account.
Right now they only pester you if you change the computer or the browser.

 

[flygbuss]

Not a good analogy. Your locksmith isn’t in control of your lock. You can do what you want with your lock, your door, and your house. Unlike the Apple situation where you could be locked out of your own content that you paid for. In your analogy, it would be like the locksmith keeping you from getting into your house and accessing your stuff ever again.



Not comparable. If I forget my password and lose my ATM card, I can go to the bank and resolve it and still have access to my money. In this situation you lose two things and you are shut out of your stuff.
[doublepost=1549940709][/doublepost]

Is it your building that you paid for and own?
[doublepost=1549941791][/doublepost]

If you were merly renting your iphone from Apple like renting that apartment, your analogy might be more accurate. But not if you bought it.

So you’re saying you bought iCloud?
And apple didn’t give you the keys to it?
Because I just bought a phone and I don’t need 2 factor authentication to unlock it.

 

[Ruskes]

It is simple
If you want to use Apple service it requires 2 step verification
End of Story.

 

[C DM]

It is simple
If you want to use Apple service it requires 2 step verification
End of Story.

Apparently not that simple since there are people who use the services without that, and even Apple allows people not to use it or to stop using it within an arbitrary period of two weeks.

 

[MadeTheSwitch]

So you’re saying you bought iCloud?
And apple didn’t give you the keys to it?
Because I just bought a phone and I don’t need 2 factor authentication to unlock it.

Why are you taking the conversation into a different direction? Of course not. That is a silly comment. But, if you want to change a setting on YOUR phone, that causes certain interactions on YOUR phone that you do not want, you cannot turn it off. Worse, if you lose your ability to authenticate, you lose access to the things you bought and paid for. This is for people that have turned it on, or had it forced upon them through an osx upgrade. If you didn’t turn it on and never will, bully for you. Then this entire matter is not a concern to you.

Yes it does impact me. This will set a precedent allowing just a random Joe on the street to control how a program or business operates just by filing a lawsuit for not liking something. I wouldn't want someone getting on my account and disabling two-factor authentication and re-enabling it for just their devices. They should NOT allow it to be turned off for security reasons.

It literally does not impact you. Your coulda woulda maybe scenarios, aren’t realistic and seem like fearmongering. How is someone going to get into your account and disable two factor? Are you totally pissed that for two weeks it can be disabled now?

I am really amazed at the lengths people will go to to defend Apple no matter what they do.There’s no reason why such an ability could not be set on an account by account basis. You never want 2 factor revoked on your account...fine. Done! Locked in stone forever. Meanwhile other accounts can have different choices.

 

[Ruskes]

Apparently not that simple since there are people who use the services without that, and even Apple allows people not to use it or to stop using it within an arbitrary period of two weeks.

So what is the problem then ?
You can be without it or with it.
The choice is yours.

 

[batchtaster]

While the plaintiff might have some stupid points, I do agree that enabling or disabling two-factor should be the user's choice.

The same nimrods will then complain - and sue - when they're locked out of a raft of features that Apple will necessarily switch off for security reasons when the user chooses to disable 2FA.
Apple has a duty of care and responsibility to the services they provide, to protect them from attack and misuse.

EDIT: These are also the same numbskulls who would sue Apple for not protecting their details when their phone gets compromised because they turned off 2FA. America's litigious, personal responsibilty-shirking culture is well known around the world.

 

[C DM]

So what is the problem then ?
You can be without it or with it.
The choice is yours.

Seems like what's under discussion is what's across more than a dozen pages in this thread.

 

[Ruskes]

Seems like what's under discussion is what's across more than a dozen pages in this thread.

So for some unknown reason Apple does not let you get out of it after 2 weeks probation period.
And people are all upset about that, but they did sign up in first place.
So what happens if Apple let you sign out of the 2FA and your Apple ID account gets hacked.
Will you blame Apple, or sue them ?

 

[Dave-Z]

The same nimrods will then complain - and sue - when they're locked out of a raft of features that Apple will necessarily switch off for security reasons when the user chooses to disable 2FA.
Apple has a duty of care and responsibility to the services they provide, to protect them from attack and misuse.

Perhaps. Probably. I still stand by my comment--users should have the choice.

There is genuine utility in not having 2FA on an account. I do not have it on for certain family members because I do not want their devices having a passcode because they would end up locking themselves out. That outweighs having to deal with 2FA for me since there's nothing of actual value in their account except some saved game info.