New York resident Jay Brodsky has filed a class action lawsuit against Apple, claiming that the company forces users into a two-factor authentication (2FA) straitjacket that they can’t shrug off, that it takes up to five minutes each time users have to enter a 2FA code, and that the time suck is causing “economic losses” to him and other Apple customers.
The lawsuit, filed on Friday in Newport Beach, California, is accusing Apple of “trespass,” based on Apple’s “locking [Brodsky] out” of his devices by requiring 2FA that allegedly can’t be disabled after two weeks.
From the filing:
Plaintiff and millions of similarly situated consumers across the nation have been and continue to suffer harm. Plaintiff and Class Members have suffered economic losses in terms of the interference with the use of their personal devices and waste of their personal time in using additional time for simple logging in.
The reference to two weeks comes from a support email that Apple sometimes sends to Apple ID owners after 2FA is enabled. According to the lawsuit, that email tells owners, in what the filing characterizes (with italicized emphasis) as an unobtrusive last line, that they have two weeks to opt out of 2FA and return to their previous security settings.
The suit claims that around September 2015, Brodsky’s Apple devices – including an iPhone and two MacBooks – were updated to have 2FA turned on, “without [his] knowledge or consent,” thus “[locking] up access” to Brodsky’s own devices and making them “inaccessible for intermittent periods of time.”
How dare you smear security all over my device
The main gist of Brodsky’s claim: it’s my device, you didn’t ask me if I wanted 2FA in the first place, using it is a pain, and you don’t give users the right to stop using 2FA.
The suit iterates what it claims is the onerous slog of logging in:
Logging in becomes a multiple-step process. First, Plaintiff has to enter his selected password on the device he is interested in logging in. Second, Plaintiff has to enter password on another trusted device to login. Third, optionally, Plaintiff has to select a Trust or Don’t Trust pop-up message response. Fourth, Plaintiff then has to wait to receive a six-digit verification code on that second device that is sent by an Apple Server on the internet. Finally, Plaintiff has to input the received six-digit verification code on the first device he is trying to log into. Each login process takes an additional estimated 2-5 or more minutes with 2FA.
Apple is causing injury to class members by “intermeddling” with the use of their devices and not letting them choose their own security level or “freely enjoy and use” their gadgets, the suit claims.
Also, by “injecting itself in the process by requiring extra logging steps,” Apple is allegedly violating California’s Invasion of Privacy Act – Section 637.2 of the California Penal Code. A third count is allegedly violating California Penal Code section 502: California’s Computer Crime Law (CCL). A fourth count is that Apple allegedly violates the Computer Fraud and Abuse Act (CFAA) by accessing people’s devices without authorization.
Finally, count five: Unjust Enrichment. By better-securing people’s devices, Apple has the gall to make money off all this, be it by selling devices or because it…
… received and retains information regarding online communications and activities of Plaintiff and the Class.
The suit wants Apple to knock it off with the 2FA. It’s also seeking disgorgement of Apple’s “ill-gotten gains,” payable to Brodsky and other class members.
What the what, now?
Where to start? When Apple introduced 2FA for Apple ID with iOS 9 and OS X El Capitan, it did so on an opt-in basis. The feature was first made available for iCloud after a spate of celebrity iCloud hacking incidents, and was extended soon after to secure Apple devices more broadly.
Enabling 2FA requires an explicit, multi-step opt-in procedure in which the user consents. That said, 2FA is in fact required to use some Apple services, such as Home Sharing and HomeKit hubs.
As for Brodsky’s claim that logging in with 2FA eats up 2-5 minutes of his time, well, user mileage may vary. Apple Insider reports that it “hasn’t been randomly presented” with 2FA prompts, even following OS updates to an iPhone XS Max, an iPhone X, and two sixth-generation iPads. However, the publication managed to force the issue on a new device.
Apple Insider’s Mike Wuerthele whipped out a stopwatch and found that the resulting 2FA time sink was 22 seconds.
Of course, even if Apple didn’t force users into 2FA, it certainly isn’t shy about nudging them into it… for good reason.
2FA: It’s not perfect, but it’s good
2FA – particularly older forms that deliver the code by SMS – isn’t an impenetrable shield. Way back in 2016, the US National Institute of Standards and Technology (NIST) updated its official password and authentication guidance (the draft of SP 800-63B), announcing that phone-based 2FA (codes sent by SMS or voice call) would no longer be considered satisfactory, at least as far as the public sector goes.
More recently, we’ve seen new methods to attack 2FA: Last month, researcher Piotr Duszyński published a tool called Modlishka (Polish: “Mantis”) capable of automating the phishing of one-time passcodes (OTPs), whether sent by SMS or generated by an authenticator app. It works as a reverse proxy: the victim’s traffic is relayed to the real site in real time, so the code the victim types into the fake page is forwarded to the genuine login before it expires.
If you’re worried about the risks of SMS-based 2FA for your own accounts, consider switching to an app-based authenticator instead, such as the one built into Sophos Free Mobile Security (available for Android and iOS).
Of course, the security of an authenticator app depends on the security of your phone itself, because anyone who can unlock your phone can run the app to generate the next code you need for each account.
What else causes “economic losses”?
You can’t really argue with people over 2FA being a bit of a bother. It does take more time to enter a second authentication factor, for sure. But whether it takes up 22 seconds of your life or the two to five minutes of Brodsky’s, how much time, and potentially money, does it take to untangle a hijacked bank account, or a hijacked Facebook or Twitter account?
Security is laudable, but forcing users into a straitjacket devised by the ever-knowing supreme Apple guru is tantamount to similarly applied forms of guvmint coercion. Why is it there are so many people with good ideas that for them to work the population has to be drafted into the nannystate? Enough already. We get it. Apple is good at what they do. But they also are not out here where the rank and file have to deal with nannystatism that serves as another impediment in the real world. Keep in mind that often the last words spoken by a corporation are, “But it worked in the lab”.
No one is forced to use Apple products, and it’s your choice to do business with them.
When I got car insurance, every insurance company “forced” me to put in an immobiliser, otherwise I wouldn’t get insured. And guess what? No one sued them or complained about it.
Who coerced you into buying an Apple device? How is 2FA an impediment in the real world? (It doesn’t take 2 to 5 minutes in real life to login using 2FA, not even with the most intrusive and annoying system I can think of.)
If compromised devices affected only the owner, I wouldn’t care so much about security. But your insecure device has a knock-on insecurity effect and an overall cost on everyone else, including me, and that does matter.
I’d argue that if you buy an Apple device, you know you’re buying into this.
“Second, Plaintiff has to enter password on another trusted device to login.”
What if you only have the one device?
It falls back to text or phone call for the code.
Apple needs to enforce 2FA as most users remain willfully ignorant of security but at the same time always want to blame corporations when their account/data is compromised. People need to get smarter about security and it seems like forcing it on them is the only way it will happen. If you don’t want security on your phone then buy a cheap Android device.
How ridiculous.
I use a thumb to unlock my phone to get my 2FA token/password. And I use it because it’s faster than entering my phone password.
You know I meant ‘a’ thumb as in ‘my’ left or right thumb, right? I use either so as not to wear one down, otherwise I could sue Apple for having uneven thumbs…!
This is just another example of a litigious country such as the US where if we make a decision and don’t like the result, it’s clearly someone else’s fault. Apple’s 2FA is still opt-in at last I knew, and the article is simply saying if you want to use a few specific services (relating to Home Kit, etc.) it may be required. So other frivolous/hyperbolic claims from the suit aside, he must have at one point enabled it, missed the requirement to disable within two weeks if he didn’t like it and is now angry that he no longer has the option to disable it.
He always has the option to dump the Apple devices and switch to something else. He’s probably the type to have a blank login password on his computer anyway…oh, and door locks – you should probably just leave those open too, as they take a good 10 seconds or more to unlock.
Please, for all that is good in this world, let this lawsuit get dismissed immediately!
And if he has 2FA removed and his account is then hacked, will he sue them for not securing his account properly?
And so if this genius’s information was compromised and he didn’t have 2FA, he’d sue Apple for NOT having it installed. Some people just need to take responsibility for themselves and stop blaming others.
One bank I use for ATM withdrawals and credit card purchases while traveling overseas forces 2FA on me every time I log in online, mainly because I use a VPN at all times (and especially on untrusted networks abroad). This was fine when they included email as an option for receiving the security code. But then suddenly they eliminated the email option and I’m left with only text message or phone call options for the security code. How am I supposed to rely on either of those when I’m traveling abroad? When overseas I will have a different cell phone number (local, foreign SIM), which I won’t know in advance, so I won’t be able to add it to my account beforehand. And my US cell phone number won’t be operational. And I won’t be able to add a foreign number or a hotel room number AFTER I arrive overseas…because 2FA!
I agree that more options should be available in these circumstances, but email (true for SMS too) was likely removed because it’s not a very secure option. Someone could have access to your email, or even be monitoring network traffic if you’re using an email client. As mentioned, SMS isn’t that reliable either, so the best bet would be to use one of those services like Google Voice that gives you a free phone number you can access from anywhere with an internet connection…
Agreed…except for the suggestion of my ever using anything Google (not gonna happen). There are other voice call options, though, as you point out. Thanks for the idea.
Human factor will always be the loose end in cybersecurity.
Wow, I wonder if all of his passwords are lowercase with 3 letters since he can’t bear the hassle of typing in something longer or more secure? It takes too long.
Or simply no password whatsoever on a phone or personal computer.
Note to Evil Self…
Don’t bother searching for Jay Brodsky’s “elsewhere” accounts; his passwords will most assuredly be diverse, complex, and unique.
In a way I have to agree. I do not own an Apple or a mobile device. If my OS vendor forced me to use 2FA, I would have to purchase a mobile device ***and*** subscribe to some overpriced mobile plan. Both an effort on a wee pension.
AFAIK, the 2FA is neither compulsory nor dependent on any sort of mobile plan at all.
(At least in Europe and the GSM world, mobile phone connectivity for *receiving* texts is incredibly cheap. Notably, you don’t pay to receive texts at all, and you don’t need a contract.)
I really don’t think this has anything to do with security or inconvenience; I smell shyster shenanigans. Class action, huh? Where the lawyers always make out like bandits while even legitimate victims get a silly credit voucher for something they didn’t want anyway. If you lose, all you lose is whatever you put into the case, but if you win, the other guy pays your bill. WIN/WIN! Some attorneys make their careers out of cases like this.
@Steve
Yeah, until they get nearly caught and nearly killed–then frantically switch to managing an Omaha Cinnabon.