An aggrieved user has taken Apple to court over two-factor authentication (2FA), claiming it is a “waste of their personal time.” That got us thinking: has cybersecurity awareness made us so paranoid that we are pushing security defenses too far?
The lawsuit, as cited by MacRumors, alleges that the 2FA the company has put in place requires “an additional estimated 2-5 or more minutes.” The user further complains that once 2FA has been enabled for two weeks, it becomes impossible to disable it.
The lawsuit filing by the aggrieved user against Apple reads in part:
First, Plaintiff has to enter his selected password on the device he is interested in logging in. Second, Plaintiff has to enter password on another trusted device to login. Third, optionally, Plaintiff has to select a Trust or Don’t Trust pop-up message response. Fourth, Plaintiff then has to wait to receive a six-digit verification code on that second device that is sent by an Apple Server on the internet. Finally, Plaintiff has to input the received six-digit verification code on the first device he is trying to log into. Each login process takes an additional estimated 2-5 or more minutes with 2FA.
When you read the above very wordy filing, you would think the 2FA security measure makes it complicated and time-wasting to log in to one’s account. But according to Apple’s documentation, the prompt for ‘Trust or Don’t Trust’ only appears once per computer, and once a trusted device has been registered, it stays saved for future use.
This user claims that Apple has trespassed onto his personal property by setting a 2FA requirement for him to use the device. He further claims that Apple has violated the California Invasion of Privacy Act, Computer Crime Law, and the US Computer Fraud and Abuse Act.
The complaint also takes issue with Apple for not explicitly telling users that once they enable 2FA for over two weeks, they cannot disable it. Apple’s documentation addresses that allegation, and it reads in part as follows:
“Certain features in the latest versions of iOS and macOS require this extra level of security, which is designed to protect your information. If you recently updated your account, you can unenroll for two weeks… this makes your account less secure and means that you can’t use features that require higher security.”
2FA poor UX ratings
A survey conducted in August 2018 found that 63% of decision-makers in companies’ IT departments encountered resistance whenever they rolled out 2FA for staffers’ authentication.
That is despite it being proved that multi-factor authentication provides better security for enterprise applications, since it is much harder to spoof than a single-password login.
It is thus recommended that businesses and tech companies not give in to user pressure at the expense of securing the entire system. Users are also called upon to appreciate the danger lurking and the need to sacrifice convenience for security purposes.