Have tech companies taken two-factor authentication too far?

Apple is facing a lawsuit from an aggrieved user claiming that two-factor authentication (2FA) is a “waste of their personal time” for performing additional steps to log in, according to MacRumors. The complaint alleges that use of 2FA requires “an additional estimated 2-5 or more minutes,” and that 2FA cannot be disabled after it has been enabled for two weeks.

The filing details the alleged sequence of operations:

First, Plaintiff has to enter his selected password on the device he is interested in logging in. Second, Plaintiff has to enter password on another trusted device to login. Third, optionally, Plaintiff has to select a Trust or Don’t Trust pop-up message response. Fourth, Plaintiff then has to wait to receive a six-digit verification code on that second device that is sent by an Apple Server on the internet. Finally, Plaintiff has to input the received six-digit verification code on the first device he is trying to log into. Each login process takes an additional estimated 2-5 or more minutes with 2FA.

It is possible to make anything sound complicated with enough verbosity, but the characterization of this sequence also seems suspect. Per Apple's documentation, the "Trust or Don't Trust" prompt appears once per device; a device that has been trusted is remembered, and later sign-ins from it do not require a code. The second step is likewise redundant as described: the six-digit code is displayed on devices that are already trusted (or sent by SMS or phone call to a trusted phone number), so the user does not have to sign in on that second device first.


The complaint also alleges that Apple does not adequately inform users that 2FA cannot be disabled after two weeks of being enabled. Apple’s documentation indicates “Certain features in the latest versions of iOS and macOS require this extra level of security, which is designed to protect your information. If you recently updated your account, you can unenroll for two weeks. …this makes your account less secure and means that you can’t use features that require higher security.”

The complaint claims that Apple is trespassing on personal property by requiring 2FA, as well as violating the California Invasion of Privacy Act, Computer Crime Law, and the US Computer Fraud and Abuse Act.

End users have long resisted adopting 2FA. An August 2018 survey found that 63% of IT decision makers faced significant resistance from employees when trying to implement a multi-factor authentication protocol for access to cloud computing services.

Multi-factor authentication does provide more security for enterprise applications: an attacker who has obtained a password through a breach, phishing or reuse still cannot sign in without the second factor, which is tied to a device or phone number the user controls and is harder to obtain remotely than a password alone. Businesses shouldn't give in to employee pressure to drop this additional measure; however, tech companies should take note of how much friction users will tolerate when designing new authentication flows.
