Apple sued for ‘forcing’ 2FA on accounts

Apple. Image courtesy of GongTo/Shutterstock.

New York resident Jay Brodsky has filed a class action lawsuit against Apple, claiming that the company forces users into a two-factor authentication (2FA) straitjacket that they can’t shrug off, that it takes up to five minutes each time users have to enter a 2FA code, and that the time suck is causing “economic losses” to him and other Apple customers.

The lawsuit, filed on Friday in Newport Beach, California, is accusing Apple of “trespass,” based on Apple’s “locking [Brodsky] out” of his devices by requiring 2FA that allegedly can’t be disabled after two weeks.

From the filing:

Plaintiff and millions of similarly situated consumers across the nation have been and continue to suffer harm. Plaintiff and Class Members have suffered economic losses in terms of the interference with the use of their personal devices and waste of their personal time in using additional time for simple logging in.

The reference to two weeks comes from support email that Apple sometimes sends out to Apple ID owners after it enables 2FA. That email contains what the lawsuit claims, with italicized emphasis, is an unobtrusive last line that says that owners have two weeks to opt out of 2FA and go back to their previous security settings.

The suit claims that around September 2015, Brodsky’s Apple devices – including an iPhone and two MacBooks – were updated to have 2FA turned on, “without [his] knowledge or consent,” thus “[locking] up access” to Brodsky’s own devices and making them “inaccessible for intermittent periods of time.”

How dare you smear security all over my device

The main gist of Brodsky’s claim: it’s my device, you didn’t ask me if I wanted 2FA in the first place, using it is a pain, and you don’t give users the right to stop using 2FA.

The suit iterates what it claims is the onerous slog of logging in:

Logging in becomes a multiple-step process. First, Plaintiff has to enter his selected password on the device he is interested in logging in. Second, Plaintiff has to enter password on another trusted device to login. Third, optionally, Plaintiff has to select a Trust or Don’t Trust pop-up message response. Fourth, Plaintiff then has to wait to receive a six-digit verification code on that second device that is sent by an Apple Server on the internet. Finally, Plaintiff has to input the received six-digit verification code on the first device he is trying to log into. Each login process takes an additional estimated 2-5 or more minutes with 2FA.

Apple is causing injury to class members by “intermeddling” with the use of their devices and not letting them choose their own security level or “freely enjoy and use” their gadgets, the suit claims.

Also, by “injecting itself in the process by requiring extra logging steps,” Apple is allegedly violating California’s Invasion of Privacy Act – Section 637.2 of the California Penal Code. A third count is allegedly violating California Penal Code section 502: California’s Computer Crime Law (CCL). A fourth count is that Apple allegedly violates the Computer Fraud and Abuse Act (CFAA) by accessing people’s devices without authorization.

Finally, count five: Unjust Enrichment. By better-securing people’s devices, Apple has the gall to make money off all this, be it by selling devices or because it…

… received and retains information regarding online communications and activities of Plaintiff and the Class.

The suit wants Apple to knock it off with the 2FA. It’s also seeking disgorgement of Apple’s “ill-gotten gains,” payable to Brodsky and other class members.

What the what, now?

Where to start? When Apple introduced 2FA for Apple ID for iOS 9 and OS X El Capitan, it did so with opt-in. The feature became available first for iCloud after a spate of celebrity iCloud hacking incidents, and then more broadly to secure Apple devices soon after.

Implementing 2FA requires an explicit, multiple-step opt-in procedure requiring users to consent. However, 2FA is, in fact, required to take advantage of some of Apple’s services, like Home Sharing and HomeKit Hubs.

As far as Brodsky’s claims that logging in with 2FA eats up 2-5 minutes of his time, well, user mileage may vary. Apple Insider reports that it “hasn’t been randomly presented” with 2FA authentications, even following OS updates to an iPhone XS Max, an iPhone X, and two sixth-generation iPads. However, the publication managed to force the issue on a new device.

Apple Insider’s Mike Wuerthele whipped out a stopwatch and found that the resulting 2FA time sink was 22 seconds.

Of course, even if Apple didn’t force users into 2FA, it certainly isn’t shy about nudging them into it… for good reason.

2FA: It’s not perfect, but it’s good

2FA – particularly older forms that use SMS to deliver the code – isn’t an impenetrable shield. Way back in 2016, the US National Institute for Standards and Technology (NIST) updated its official “rules for passwords“, announcing that phone-based 2FA would no longer be considered satisfactory, at least as far as the public sector goes.

More recently, we’ve seen new methods to attack 2FA: Last month, researcher Piotr Duszyński published a tool called Modlishka (Polish: “Mantis”) capable of automating the phishing of one-time passcodes (OTPs) sent by SMS or generated using authentication apps.

If you’re worried about the risks of SMS-based 2FA for your own accounts, consider switching to an app-based authenticator instead, such as the one built into Sophos Free Mobile Security (available for Android and iOS).

Of course, the security of an authenticator app depends on the security of your phone itself, because anyone who can unlock your phone can run the app to generate the next code you need for each account.

What else causes “economic losses”?

You can’t really argue with people over 2FA being a bit of a bother. It does take more time to enter a second authentication factor, for sure. But whether it takes up 22 seconds of your life or the two to five minutes of Brodsky’s life, how much time, and potentially money, does it take to untangle a hijacked bank account, or that of a kidnapped Facebook or Twitter account?