Imagine this: Someone buys a car from you, but later files a lawsuit against you, claiming, “The car has these seat belts that take too long to put on and can’t be removed. What if I lose the key and can’t open the door? I don’t like how these features were implemented in the car, so I’m suing you.”
My response would be, “Give me the car back — no one is safe with you on the road!”
Well, that kind of senseless thinking is similar to the logic one plaintiff is using to bring a class action lawsuit against Apple for the company’s use of multifactor authentication (MFA).
Now, I’m no lawyer, but as an information security expert with more than two decades of experience, I’d like to take a look at all the ways this lawsuit is senseless and potentially dangerous. First, it’s worth defining MFA and explaining its importance.
In the digital world, we authenticate ourselves using three types of factors:
• Something you know, like a password or an answer to a question.
• Something you have, like a hardware device or digital certificate.
• Something you are, like your fingerprint or face (or any biometric).
In the past, we only used one of these factors — primarily a password — to authenticate ourselves. However, endless password database leaks have proven that humans aren’t good at using passwords. If your passwords aren’t long, complex and random enough, super-fast computers can brute-force them. Worse yet, if you use the same password everywhere, it only takes one leak for an attacker to steal your identity.
This is exactly what happens when companies leak millions of user passwords, which hackers then apply to other online accounts to break in (an attack called credential stuffing). Good password practices fix these problems, but almost no one follows them since it’s impossible for humans to remember hundreds of complex passwords without help.
You might think, “What about other factors, like fingerprints or hardware devices?” They aren’t perfect either. Hackers can replicate biometrics, while hardware can be lost or stolen. That’s where MFA or two-factor authentication (2FA) comes in with stronger validation, making it exponentially harder for attackers to get all your factors. With over 80% of network breaches involving weak or stolen credentials, MFA is one of the best things you can do to protect yourself online. So, why is someone suing Apple for using it?
Let me paraphrase the four main reasons why an apparently disgruntled user is suing Apple.
First, the plaintiff alleges that Apple does not get user consent to enable 2FA. That’s incorrect. While Apple pushes 2FA, it still requires customer opt-in most of the time. The only exceptions are developer accounts and some Home Sharing or HomeKit features, which do require 2FA. Otherwise, you don’t have to use it (though I recommend it).
Second, he asserts that 2FA imposes a long and extraneous login procedure, which he claims can take two to five minutes. It’s true that 2FA can take a little longer than normal password entry, but this is by design. The extra step and factor add additional security to your authentication. That said, I believe the plaintiff greatly exaggerates how much time Apple’s 2FA takes, as well as how often it’s required. In the suit, he describes the initial setup for 2FA, which is only required once per device. Others have timed the process and found it only takes about 22 seconds. Once you’ve finished, Apple’s software doesn’t actually ask you to re-authenticate with 2FA that often.
Next, the plaintiff mentions that the 2FA interruption is “continuous, systematic and ongoing.” I disagree with him here. Once you set up 2FA with a new device, Apple asks you if you want to trust that device. If you do, it doesn’t repeat the 2FA request every time. When logging into your Apple account with a browser, it asks if you want to trust the browser. If you do, you won’t have to do a 2FA login every time. So frankly, Apple doesn’t ask for 2FA all the time, even though other 2FA solutions can and do make such requests by design.
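To make the "trust this device" behaviour concrete, here is an added toy login service (my own illustration, not Apple's code) showing why a remembered-device token means the second factor is asked for once per device rather than on every login. The TOTP routine follows RFC 6238; the 30-day trust lifetime and the status names are assumptions for the example.

```python
# Added example (not Apple's code): a toy login service where a "trust this
# device" token stands in for the second factor until it expires.
import hashlib, hmac, secrets, struct, time

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): the code an authenticator app would show."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"

class AuthService:
    TRUST_TTL = 30 * 24 * 3600  # assumption: a trusted device is remembered 30 days

    def __init__(self):
        self.users = {}    # name -> (salt, pbkdf2 password hash, totp secret)
        self.trusted = {}  # device token -> (name, expiry time)

    def register(self, name: str, password: str, totp_secret: bytes) -> None:
        salt = secrets.token_bytes(16)
        pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
        self.users[name] = (salt, pw_hash, totp_secret)

    def login(self, name, password, otp=None, device_token=None, now=None):
        """Returns (status, token); status is 'denied', 'second_factor_required' or 'ok'."""
        now = int(time.time()) if now is None else now
        if name not in self.users:
            return "denied", None
        salt, pw_hash, totp_secret = self.users[name]
        attempt = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
        if not hmac.compare_digest(attempt, pw_hash):
            return "denied", None  # factor 1 (something you know) failed
        # A previously issued, unexpired token for this account satisfies factor 2,
        # so a trusted device is not prompted again.
        entry = self.trusted.get(device_token)
        if entry is not None and entry[0] == name and entry[1] > now:
            return "ok", device_token
        # New or expired device: the one-time code itself is required. A password
        # leaked elsewhere (credential stuffing) stops here.
        if otp is None or not hmac.compare_digest(otp, totp(totp_secret, now)):
            return "second_factor_required", None
        token = secrets.token_urlsafe(32)  # user answered "trust this device": yes
        self.trusted[token] = (name, now + self.TRUST_TTL)
        return "ok", token
```

The caller must store the returned token on the device (for example in a cookie) and present it on later logins; until it expires, no code is requested.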
Finally, the plaintiff is suing because Apple doesn’t allow you to turn off 2FA after two weeks. This last claim is true. If you opt in to 2FA, you will not be able to disable it after two weeks. This is clearly stated in its support pages, though I don’t remember how prominent the warning is when you first enable it. Personally, I like the security feature, so I don’t see the problem. Creators are allowed to make their product however they want. You don’t have to buy it.
In short, many of the things the plaintiff alleges aren’t quite true or are greatly exaggerated. While 2FA imposes some extra steps, it improves security without much time required at all. In most cases, Apple doesn’t force 2FA; you have to opt in. The plaintiff didn’t have to turn it on. To me, his suit sounds like the temper tantrum of someone who lost his password and authentication factors (something you really don’t want to do) and is throwing a fit. If you don’t like Apple implementing good security, you can choose not to buy its products.
Like the seatbelts in our cars, MFA is a useful feature we all should use, even if it takes a bit more time. After all, this extra time adds security. Furthermore, when implemented well, MFA can be quick and easy. New MFA solutions sometimes don’t require passwords, and they allow you to authenticate just by checking your phone and pressing “approve.” Futuristic solutions are even moving toward risk-based authentication, where you may not authenticate at all until the system detects a risky action. In the end, even the most difficult MFA method is worth it compared to the time, data and money you risk losing without multiple factors of authentication.
This frivolous suit does a disservice to everyone’s cybersecurity, and I hope it gets thrown out of court.