Apple Sued Over Not Letting Customers Disable Two-Factor Authentication After Two Weeks

[DoubleU]

What happens if the iPhone is lost? I used to login to a computer to use Find iPhone, but I can’t do that any more because if that computer isn’t “trusted” I can’t get the verification code. I can’t list every device I might use as Trusted. At work I don’t have my phone with me so can’t get on iCloud anywhere because I can’t get a verification code. Any thoughts on how I can get round this should be appreciated

If you go to the iCloud.com website and enter your Apple ID and password it will prompt you for a verification code but underneath the prompt there will be a link to get directly onto the Find My iPhone section of the website without having to enter the verification code.

This allows you to access the options to find or disable a lost device without accessing any of the confidential data stored on iCloud.

 

[flygbuss]

What happens if the iPhone is lost? I used to login to a computer to use Find iPhone, but I can’t do that any more because if that computer isn’t “trusted” I can’t get the verification code. I can’t list every device I might use as Trusted. At work I don’t have my phone with me so can’t get on iCloud anywhere because I can’t get a verification code. Any thoughts on how I can get round this should be appreciated

Just sign up with one of the computers you daily use. It’s not less secure then using it with just your Apple ID credentials before. If someone wants to use that machine with your account the password is still needed.
[doublepost=1549798665][/doublepost]

If you go to the iCloud.com website and enter your Apple ID and password it will prompt you for a verification code but underneath the prompt there will be a link to get directly onto the Find My iPhone section of the website without having to enter the verification code.

This allows you to access the options to find or disable a lost device without accessing any of the confidential data stored on iCloud.

Or even better..

 

[0947347]

"Wonderful" analogy. I'm beaten to dust.

Suppose, my ardent friend, that you cannot get into your car by simply using your key and it's up to BMW how do you get in. In your own car. Suppose, you're hurrying to an important meeting and - surprise - you can't unlock the door with your key. Or, better, you insert your key in the ignition lock and the engine won't start up because you're required authentication. Is that good for you? The answer to this question will be engraved on my wall.

The car analogy didn’t work out for both of you then

When I was setting up the 2FA I was asked if I want to register phone number for SMS or phone call, and other trusted device. That is pretty decent, I think.
I understand if you lose your phone, you may be ....ed though. The problem is that if you lose one device and decide to disable 2FA then the 2FA would be pointless from the start, wouldn’t it? But there should be option to disable it, maybe over phone with Apple, if they can truly verify your identity.

 

[Fancuku]

I may be one of the few people that supports this lawsuit (other than the stupid "suffering" claim).

 

[Ramchi]

Let them not buy mobile phones from Apple! They want security but not interested in security! Wow! This is the problem when you keep repeating the word magic, it can come back and haunt you!

 

[JosephAW]

How does "two-factor authentication" work when you only have one iOS device and no computer at home?
If you broke your iOS device and try to sign back in with a new device with your email and password where does it send the verification code?

 

[Ted13]

Two-factor authentication is tough, but easily learned to speed use.

It is tough, so is driving safely - yet we manage. Lawsuit?

In fact there are lots of senior citizens who can no longer drive due to age, disability, etc. They are exactly the ones who may still be regularly using an iPad to read, FaceTime the grandkids, etc. and have a very hard time using two factor authentication - like the other device is in a different room - it is physically and/or mentally difficult for them to go there, it may involve going up or down stairs... Indeed, given the choice many old people beg for zero passwords, never mind 2FA.

Now, the lawsuit itself may be completely bogus, but your claim is even more bogus.

 

[Jolly-boo]

I imagine Apple's legal team sitting in a room somewhere facepalming all day, all year long.

 

[chabig]

How does "two-factor authentication" work when you only have one iOS device and no computer at home?

All of these questions are answered by Apple. https://support.apple.com/en-us/HT204915

 

[0947347]

What happens if the iPhone is lost? I used to login to a computer to use Find iPhone, but I can’t do that any more because if that computer isn’t “trusted” I can’t get the verification code. I can’t list every device I might use as Trusted. At work I don’t have my phone with me so can’t get on iCloud anywhere because I can’t get a verification code. Any thoughts on how I can get round this should be appreciated

You can do over iCloud.com without verification code. When it asks you for a verification code, there is a link underneath , that to take you to Find My IPhone (or device). Just proceed from there.

 

[code-m]

Seems if people want to disable this and stupidly reduce their personal security, it should be their right.

Though 2FA can be circumvented, it takes some effort to pull off. People litigating for time and security, I am surprised tbh.

Apple sued for lack of security (iCloud Account of Celebrity Photo Hack), and now because extra security measures is wasting time. Next this individual will litigate over less security due to a breached account.

Is 2FA the answer, let’s say there should be a better uncircumventable method incorperated.

 

[Spectrum]

Gotta say though, I wish it was less of a PITA with old devices. When I try to turn on an old device to update such apps as still have updates that will work on it, I get a storm of confirmation popups on all my current devices (MacBook Pro, iPhone, iPad) that come and go faster than I can re-enter password with appended confirmation code on the old device. And that storm usually means I have to re-login to my Apple ID on all the current devices.

Exactly this. Any time I authenticate a device, it seems all my others get logged out. It is a real pain.
[doublepost=1549803887][/doublepost]

They should also be sued for asking for 2-factor on the same Mac that the web page is being used on.

Yeah! What the heck is that about?!?!?!! I see that pretty frequently too!

 

[chatin]

Apple users are targeted by all sorts of marginal companies and individuals. I think Apple is doing a good job by actively trashing bad intentions.

 

[Weaselboy]

What happens if the iPhone is lost? I used to login to a computer to use Find iPhone, but I can’t do that any more because if that computer isn’t “trusted” I can’t get the verification code.

Find my Phone does not require 2FA to get in. If you go to icloud.com you will see this below the login screen allowing you to access Find my Phone without a verification code. You won't be able to access anything else in iCloud there, but you can get into Find my Phone.

Also just as a 2FA backup, you can enter other SMS or voice phone numbers in there as a fall back. I have my daughter's cell phone and my home phone number in there as backups.

 

[MacGizmo]

A lawsuit is ridiculous, but Apple does need to get rid of the notification/icon badge, etc. for 2 Factor. If someone doesn't want to use it, then leave them alone. Particularly since 2 Factor is nearly useless as a security measure.

 

[rlarsen_eu]

How does "two-factor authentication" work when you only have one iOS device and no computer at home?
If you broke your iOS device and try to sign back in with a new device with your email and password where does it send the verification code?

You can get the code sent as a SMS to the phone number you have added on the "My Apple ID" site.

 

[Justanotherfanboy]

Yes, like any email that is generated by a domain that don't own is mine! Gmail, hotmail - all of them.

How to use the iPhone without an Apple ID if you also want to use the App Store; can it be done?

Nope. You can go online, use camera, gps, etc. without an Apple ID... use all the functions of the phone.
But to additionally use their free service of a curated App Store, you’d have to use their other free service of an Apple ID & (just like with Gmail, Hotmail, et al), you wouldn’t get to choose things like whether or not you’d like to use a password, whether or not you’d like your password to be 4 characters, whether or not password retrieval would require 2 factor authentication, etc.
All the security protocols that are designed for all of your free accounts were designed by the hosting entity; by you using that service, obviously you don’t suddenly have the right to dictate how they choose to secure access to those free accounts.
Heck, if Microsoft decided tomorrow that they didn’t want Hotmail passwords to ever get cracked again, they could require new 75 character long passwords w/ 25 alpha, 25 numeric, & 25 special characters. They may lose 90% of their users, lol... but it is within their rights!

 

[nldd]

I fully support this guy. Not being able to remove 2FA whenever you want to is a huge nuisance. I even created a new Apple ID a while ago, just to get rid of this 'security' feature. It's sad that there's a court case about it though.. Apple could have easily introduced the option to switch it on/off.

 

[maverick28]

And there you have it. The lock works! You just don’t wanna use it..

Exactly. If I don't want to use I should be able to disable it any time. Why am I allowed only specific amount of time to do that? There's a number of use cases that don't abide by the "one suit fits all sizes" scheme. In my case I run 2 older OS'es that are iCloud compatible on the same computer. Once I upgraded my account to High Sierra (3rd OS) it automatically converted previously used 2-step to 2-factor and I got locked out of iCloud on those two OS'es. I got confirmation message about that 2-FA without any option to turn it off. This part is what you miss. To summarize:

1. If there was a link to turn off I most certainly would turn off. There wasn't.
2. Suppose, they provided me a way to turn it off in the confirmation message. However, it's always human factor in place: many people are not attentive or patient enough to read all of the text. Others could easily skip or even not notice at all. 14 days pass and suddenly there's emerging need to disable 2FA. Reality is not a beautifully printed marketing scheme. I want 2FA off for the purpose described above. Other people would lose their devices, countless combinations. In all of the cases the process of regaining access is not streamlined and easy. You are definitely going to waste a lot of time, nerves and efforts. Most people care more about their UX than security. Lesser security in the past didn't cause them much headache and all the security things are just the result of hype and, I'm sure, deliberate attempts to lock the user in the ecosystem. 2FA could not prevent a crucial security hole on the hardware architecture level in the form of Meltdown and Specter all those big tech companies allegedly were unaware of: surprisingly, however, nothing had happened to such extent that effect would be felt by people all these decades before detecting it. Of course they "patched" it but that was more on the PR side of things than real security concerns, I believe. In short: I won nothing with 2FA, only lost. Why should I defend Apple if it's they who created the conditions for the troubles to emerge? It doesn't matter that they gave "a grace period": the fact they restrict you is what's bad and non-productive, there shouldn't be such period at all for you to be able to turn it off. Or, if you want us to get hooked, then the implementation has to be more streamlined and simple: however they didn't provide patches to unsupported pre-2015 iCloud-compatible systems to be able to get benefits of 2-factor, no visual clues where to enter this 6-digits code. Instead, they issued a recommendation to append it to the password and how that worked out you can have pleasure to observe on numerous discussion boards. To add, the 2FA verification SMS sometimes can arrive after hours, days: couple of times I received it only the next day and I don't care who's to blame - clearly if not for 2FA there wouldn't the necessity to await this damn SMS. I'd like the plaintiff to win. Apple should try harder, plain and simple: this is not a communist regime with the infallible leader at the head.

 

[Apple_Robert]

They should also be sued for asking for 2-factor on the same Mac that the web page is being used on.

I don't agree with suing them over it. I do agree that that aspect is ridiculous from a security standpoint, and needs to be properly addressed.

 

[TrueBlou]

Just one thing came to mind when I read this.... Jesus suffering ****.

People will sue for the most ridiculous of things these days. Do you need money so badly?

Sure, if you want the option of disabling it, fair enough, have a less secure account. But a court case? Really? Apple have a feature request form you know. Or is it because doing the normal, reasonable thing wouldn’t give you the chance to line your pockets........

..... Not that I think this case will to be honest.

 

[johnnyturbouk]

I’m hoping is attorney is offering a no win no fee incentive

But this is certainly a frivolous lawsuit! I’m one of the first to criticise apple when they try to screw over customers or pull a fast one! However, I really can’t see the merit in this case! It’s akin to suing my locksmith so that the locks they install are easier to break!

 

[apolloa]

How does "two-factor authentication" work when you only have one iOS device and no computer at home?
If you broke your iOS device and try to sign back in with a new device with your email and password where does it send the verification code?

It’s very simple, you have your email for one, accessed through your iOS device, and a code sent by SMS to your mobile number, this code will be sent to any device with your SIM card in it. All you need to do is set up two factor on your email as well plus make secure passwords for everything and your pretty secure.

 

[az431]

it can be disabled just go to apples web page to turn it off did it once just to install some profiles

2FA cannot be turned off. That you did it once doesn't mean you can do it now. Even Apple states that it can't be turned off.

If it could be turned off do you really think they would have filed a lawsuit?
[doublepost=1549809793][/doublepost]

I know apple been acting werid these days but suing due to “waste of time?” Come on. Gotta do better than that, man. Maybe next time he should sue because he was stressing.

Read the article once more, this isn't a lawsuit about wasting time. The lawsuit alleges violations of the Computer Fraud and Abuse Act, which penalizes unauthorized computer access. Nowhere in the article (or in the lawsuit) does it state that Apple is liable for "wasting time"

The allegation is that they were given the option to use or not use 2FA, that a later upgrade forced 2FA without their knowledge, and that disabling it to revert to the settings they did select is not possible. This change without the user's permission constitutes unauthorized access under the Act.

The only reason the lawsuit makes allegations about the time it takes to unlock, etc, is to establish damages. Without damages, the lawsuit fails as a matter of law.

 

[Alp3r]

This is not stupid, I want to turn it off and I can’t.. it’s permanent and annoying.. signing in with AppStore on older device iOS 8 doesn’t work! Signing a Ipa file doesn’t work either. I want it OFF! The downsides is messages in cloud won’t be supported.. apple is such a dilemma in the as$.