Apple hit with lawsuit over two-factor authentication on iPhone / Mac taking too much time


A class action suit has been filed against Apple, alleging that the company’s two-factor authentication takes too much time out of a user’s day when it is needed, and that it can’t be rolled back to a less safe login method after 14 days.

The suit, filed by Jay Brodsky in California, alleges that Apple doesn’t have user consent to enable two-factor authentication. Furthermore, once enabled, two-factor authentication “imposes extraneous logging in a procedure that requires a user to both remember password; and have access to a trusted device or trusted phone number” when a device is enabled.

The lawsuit claims that a software update enabled two-factor authentication on or around September 2015. However, neither macOS El Capitan nor iOS 9, released in that time frame, mandated two-factor authentication or implemented it without an explicit, multiple-step opt-in procedure requiring the user to consent. Two-factor authentication is, though, required to use some of Apple’s services, like Home Sharing and HomeKit Hubs.

Brodsky alleges that the email that Apple sends after two-factor authentication is enabled is insufficient to warn the user that the setting is irrevocable. According to the suit, when two-factor authentication is demanded, the process that follows takes between two and five minutes.

The process involves: “First, Plaintiff has to enter his selected password on the device he is interested in logging in. Second, the Plaintiff has to enter the password on another trusted device to log in. Third, optionally, the Plaintiff has to select a Trust or Don’t Trust pop-up message response. Fourth, the Plaintiff then has to wait to receive a six-digit verification code on that second device that is sent by an Apple Server on the internet. Finally, the Plaintiff has to input the received six-digit verification code on the first device he is trying to log into. Each login process takes an additional estimated 2-5 or more minutes with 2FA.”

The lawsuit demands injunctive relief, fines and penalties assessed on Apple in accordance with the Computer Fraud and Abuse Act, and is seeking “all funds, revenues, and benefits” that Apple has “unjustly received” from the action. The filer is also asserting that Apple is violating California’s Invasion of Privacy Act, but how that applies in this case isn’t clear.
