That doesnt give some random Joe with lawyers control over what a company does. It’s Apple’s iCloud. They can determine what 2FA is like and how it works. They clearly mention it in their documentation.
Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Apple Sued Over Not Letting Customers Disable Two-Factor Authentication After Two Weeks
- Thread starter MacRumors
- Start date
- Sort by reaction score
That doesnt give some random Joe with lawyers control over what a company does. It’s Apple’s iCloud. They can determine what 2FA is like and how it works. They clearly mention it in their documentation.
******
I think you misunderstand the trusted.
Trusted means that that is a device Apple can send you the Code.
Nothing prevents the user from leaving your keeping the two separated ...ie. someone else picks. up your device and you don't realize it.
Its a form of trust... Apple has to verify who you requested the code, and have the device to confirm it. If the two are separate, there is the security it provides.
Then Apple is using the term in multiple ways. Because every time I do the two factor authentication on a browser (logging in to iCloud.com) it always asks “Do you want to trust this browser?” I always say yes, and Apple always presents the same two factor requirement the very next time I try to log in to iCloud on that same browser. So, still a bug.
Sadly apple integrated all their systems with the single authentication, so like to sign into developer.apple.com to say download software or look at documentation requires 2 factor auth which is ridiculous.
Actually it's not - my wife's iPhone had two factor automatically enabled after iOS 12.x update, and when I went to upgrade her iPhone 6 to XS, it caused a lot of issues. For some reason the two factor was not sending codes to authorized devices. It almost prevent us from upgrading to the XS, but thankfully was within the two week grace period so we were able to disable it and perform the upgrade.
I never had this problem on my own devices - so Apple's two factor isn't bug free and can cause grief when it doesn't work.
And what if you lose your iOS devices... or don't have access to them? Apple two-factor isn't very convenient.
You can designate alternative trusted sourced including a voice call to a telephone/cell phone. I have multiple trusted sources whereby I can get into my account if needed.
That doesn’t make sense. Two-factor authorization doesn’t automatically turn itself on. Furthermore, codes not being sent to devices supports the idea that it isn’t on.
[doublepost=1557078223][/doublepost]
2FA is designed for these situations, and keeps your stuff secure.
You make sure you have backup phone numbers where you can receive two factor codes.
The iPhone still doesn't have audible notifications of missed calls. You want to sue about something? Sue them for the sheer stupidity of that.
Or how about when you miss your flight because of Apple's idiotically defective calendar alarms? Now that actually does create financial harm, and Apple has known about it for years.
Or how about when you miss your flight because of Apple's idiotically defective calendar alarms? Now that actually does create financial harm, and Apple has known about it for years.
I had 2-step verification previously. I had my Android phone as a trusted number, all worked smoothly. After the upgrade to High Sierra my AppleID from 2-step was automatically transformed to 2-FA without any grace period given to roll back. I also had 2 more older OSes running: iCloud is not a function of OS, it's a service, it means I should have access nonetheless even if "old unsupported" and all this high talk, all of them are iCloud-compatible. That led to the array of problems the most troubling of which was that as soon as I tried to get logged non-online it stopped sending these 6-digit codes to my Android device when the iCloud authorization call was initiated from the computer although it should. I had my case scrutinized by the iCloud team, elevated to tier 1 etc. Troubleshooting extended to well over 2 months on the phone support with Apple with no positive outcome. In the course of troubleshooting we tried different solutions (removed all devices etc) none of which was helpful except that 2 times it succeeded after 10+ minutes of waiting for the verification SMS.
It just so happened that my Android device failed so I bought the cheapest iPhone I could with the up-to-date iOS version that had the 2-FA authenticator built in. It's only then that I was able to log in with iCloud on all OSes - both new and old - and re-gain the access. The Apple person was very helpful and patient, he showed regret over what seem to be a poorly engineered or implemented scheme.
If it works, it just works. Period. So called "security" stood in my way more than the dreaded "cyber-threats" which is a greatly overstated danger to intimidate users to upgrade and update. At best it designed off the flawed premise that Apple should secure the user from the user themselves. That fails and isn't reliable when an unplanned user case occurs. A system the more damage-proof the simplier and easier it is. Apple's 2-FA implementation is far from that - over-complicated and clumsy.
Last edited:
The whole thing is hypocritical from a company that now forces people to use their E-mail address as a user ID. Think it through:
When you set up your Apple ID, Apple tells you that you have to use your E-mail address as your ID and provide a password.
Now... people are generally not all that technically knowledgable, so what percentage of people think that this password has to be their E-mail password? I'm guessing a significant percentage.
That's why this policy is so stupid and amateurish. Chances are that your E-mail address is on spammers' lists, all over the world. When you force users to use their E-mail address as an ID, you've made yourself the guardian of not just their account credentials on your sites, but of their entire online identity. If your user database is insecure, hacked, or sold by a disgruntled employee... a ton of those E-mail accounts are now compromised.
Apple has been warned of this blunder repeatedly, and they've only made it worse. Originally, your Apple ID didn't have to be an E-mail address. Later, it had to conform to the format of an E-mail address but didn't have to be a functioning one. Now Apple has completed its migration to stupidity by insisting that it be a functioning E-mail address.
Any talk about security from Apple is hypocrisy until they address this blunder.
When you set up your Apple ID, Apple tells you that you have to use your E-mail address as your ID and provide a password.
Now... people are generally not all that technically knowledgable, so what percentage of people think that this password has to be their E-mail password? I'm guessing a significant percentage.
That's why this policy is so stupid and amateurish. Chances are that your E-mail address is on spammers' lists, all over the world. When you force users to use their E-mail address as an ID, you've made yourself the guardian of not just their account credentials on your sites, but of their entire online identity. If your user database is insecure, hacked, or sold by a disgruntled employee... a ton of those E-mail accounts are now compromised.
Apple has been warned of this blunder repeatedly, and they've only made it worse. Originally, your Apple ID didn't have to be an E-mail address. Later, it had to conform to the format of an E-mail address but didn't have to be a functioning one. Now Apple has completed its migration to stupidity by insisting that it be a functioning E-mail address.
Any talk about security from Apple is hypocrisy until they address this blunder.
In that context, the intention of "let's kill all the lawyers" was to enable a lawless dictatorship by removing all the lawyers who would be supposed to defend people's rights. Be careful with that quote.
[doublepost=1557089289][/doublepost]
That's an intentional security feature. One reason is that you need to remember your passcode. Because TouchID for example can stop working (a weekend hard work in the garden, and TouchID failed for a few days for me because my finger prints were gone!), so you better remember your passcode.
[doublepost=1557089528][/doublepost]
Let me tell you a secret. When you enter the replies for a security question, you are not actuall required to say the truth. When you enter the reply for "first country visited", you can enter "jabberwocky381943@!!" and that will work just fine.
[doublepost=1557119991][/doublepost]FREEDOM OF CHOICE. CONTROL OVER OUR - REPEAT - OUR - DEVICES. SHAME ON YOU MACRUMORS FOR TAKING SIDES ON THIS AND TALKING NASTY ABOUT "FRIVOLOUS" LAWSUITS. RATHER, ALLOW AND SUPPORT FREE DEBATE, STOP SUCKING UP TO APPLE.
New York resident Jay Brodsky has filed a frivolous class action lawsuit against Apple, alleging that the company's so-called "coercive" policy of not letting customers disable two-factor authentication beyond a two-week grace period is both inconvenient and violates a variety of California laws.
The complaint alleges that Brodsky "and millions of similarly situated consumers across the nation have been and continue to suffer harm" and "economic losses" as a result of Apple's "interference with the use of their personal devices and waste of their personal time in using additional time for simple logging in."
In a support document, Apple says it prevents customers from turning off two-factor authentication after two weeks because "certain features in the latest versions of iOS and macOS require this extra level of security":The complaint is riddled with questionable allegations, however, including that Apple released a software update around September 2015 that enabled two-factor authentication on Brodsky's Apple ID without his knowledge or consent. Apple in fact offers two-factor authentication on an opt-in basis.
Brodsky also claims that two-factor authentication is required each time you turn on an Apple device, which is false, and claims the security layer adds an additional two to five minutes or longer to the login process when it in fact only takes seconds to enter a verification code from a trusted device.
The complaint goes on to allege that Apple's confirmation email for two-factor authentication enrollment containing a "single last line" alerting customers that they have a two-week period to disable the security layer is "insufficient."
Brodsky accuses Apple of violating the U.S. Computer Fraud and Abuse Act, California's Invasion of Privacy Act, and other laws. He, on behalf of others similarly situated, is seeking monetary damages as well as a ruling that prevents Apple from "not allowing a user to choose its own logging and security procedure." Read the full document.
Article Link: Apple Sued Over Not Letting Customers Disable Two-Factor Authentication After Two Weeks
It should be our choice whether we want MFA or not. Apple shouldn't force it on people.
I am good with Apple requiring 2 factor. What I hate is requiring to enter the number each time. I would rather have it after I click allow on a device it moves on to the next stage like I can with Google and other that use 2 factor.
You will still retain your Apple ID eternally or unless Apple suspends it. You still will be able to use their App Store and the online iCloud website.
You should never have a two factor setup where you lose access to your account if you lose your phone. Have backup phone numbers configured.
It's not that bad. The 2FA code goes to all trusted devices. If you have an iPad or iMac the code will show there too.
I know but you'd be surprised how many posts I've seen with people saying you'll get locked out if you lose your phone. People might not always have iPhone or Macs but you've got to know someone else with a phone number.