Apple sued because two-factor authentication… oh, I give up

Will someone please buy this guy an Android?

Graham Cluley
Graham Cluley
@[email protected]

Apple sued because two-factor authentication.. oh, I give up

There are plenty of things worth getting really upset about.

Racism. Climate Change. Brexit (regardless of whether you’re pro-Brexit or anti-Brexit, you’re almost certainly feeling very unhappy about how things are going.)

What you shouldn’t be getting upset about is the security that companies like Apple put in place to help prevent your accounts being hacked.

Sign up to our free newsletter.
Security news, advice, and tips.

And yet, a man called Jay Brodsky is bringing a class action against Apple in California, complaining that two-factor authentication (2FA) on an iPhone or Mac takes too much time.

In his class action suit, Brodsky alleges:

  • Apple enabled 2FA on his account without his explicit consent. Which seems very odd, as my experience has been that Apple only offers 2FA on an opt-in basis.
  • 2FA is too inconvenient to actually set up – requiring several steps on several devices.
  • 2FA is just too darn inconvenient to use… because it requires to both remember a password *and* have access to a trusted device. Umm, isn’t this exactly how 2FA is supposed to work? Helping to stop hackers simply needing your password to break into your accounts.
  • Apple doesn’t let you disable 2FA after it has been enabled for two weeks straight. This appears to be true. It looks like Apple gives you 14 days’ grace to deactivate 2FA if you wish, but after that… you’re 2FA-secured. Of course, this could be argued to be a good thing security-wise.
  • 2FA is required every time an Apple device is turned on. Really? Can’t say I’ve noticed.
  • 2FA takes between two to five minutes to complete. Hmm. When AppleInsider got its stopwatch out, it reckoned the 2FA process took them in total about 22 seconds to complete.

Brodsky goes on to claim that “millions” of Apple users are suffering “harm” and “economic losses” because of the large amount of time that 2FA eats up.

Will someone please buy this guy an Android? Or maybe offer him some free technical support so he can log into his account a wee bit faster?

Hear more discussion on this case in the latest edition of the “Smashing Security” podcast:

Smashing Security #115: 'Love, Nests, and is 2FA destroying the world?'

Listen on Apple Podcasts | Spotify | Pocket Casts | Other... | RSS
More episodes...

Further reading: The man suing Apple over two-factor authentication has ‘previous’.

Read more about two-step verification:

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

58 comments on “Apple sued because two-factor authentication… oh, I give up”

  1. John

    Apple should be sued for this shit. The goal is to force anyone with an Apple device to have a second Apple device in order to use the first one.

    1. Dawn · in reply to John

      Bull. Add another phone number

      1. Shawn Standish · in reply to Dawn


      2. Corjo · in reply to Dawn

        He’s absolutely right. If Apple really only cared about the security of your devices, they would allow 2-FA to use emails or other forms of contact (the way that every other service with 2-FA does). As it stands, if you own a single Apple device and it breaks or is lost, you are unable to access your data on iCloud or even sign in online to step up an appointment with tech support. This is purely intentional inconvenience. If they could just allow you to include an email as an alternative for 2-FA then there would be no problem, and it would be just as secure because google also has 2-FA

    2. Joe · in reply to John

      What a dumb comment. If you're "anti-Apple" then buy a different product, it's that simple

      1. Bear · in reply to Joe

        That’s one of the reasons why I bought a sanding phone. Apple are tech nazis.

    3. Dawn · in reply to John

      Or you can add a second phone number and only own one product. Geez

      1. Shawn Standish · in reply to Dawn


    4. Bird · in reply to John

      I agree. Two factor is an inconvenient drag. I work three to five freelance jobs a day, and use my phone for documentation. My iPad might be in a different building than my phone, but unless they are near each other, I can’t send email or messages. Ridiculous.

    5. Noe huerta · in reply to John

      I agree- they connect that stupid 2-step verification and if you loose your device it is almost impossible for you to retrieve your own data and information that belongs to you and the money that you pay to have access to their iCloud- I have 2 step verification

  2. coyote

    Ridiculous. Frankly It never registered that it takes a few seconds. Never noticed it. And if he has such a problem with it why did he enable it in the first place? His own fault. And if he'd rather more insecurity then that's his choice. Let's just hope it doesn't cause other people problems.

    Beyond petty. About as stupid as the woman who spilt hot coffee on herself (what kind of person would put hot coffee between their legs is beyond me) and because she's careless (and stupid?) she decided to sue for it. Funny though… Stupidity is something of a speciality of humans (and a STI though that does not mean everyone has symptoms as such) and it says volumes (of coffee?) that more people don't try and profit from their own stupidity. Whether that's because they're too uncreative to see it I do not know but I'd like to believe it's they're not that pathetic.

    1. Bill · in reply to coyote

      I agree the 2FA lawsuit is stupid but the spilled coffee lady turned out to be legit. Everyone got it wrong and dragged her name into it when she was in the right.

    2. Will · in reply to coyote

      Guess what, I didn't choose to activate 2FA it was FORCED on my device. I was given ZERO choice.

      1. Soooo Frustrated · in reply to Will

        Same here. Never asked for it, just suddenly can’t do anything. And the other trusted device is with my husband who is three hours away at the moment. Can’t contact apple support because I can’t even download their app. I regret this stupid iPhone (and the two others my family has) just about every other day.

    3. MLBrowne · in reply to coyote

      In newer devices, Apple decided to automatically enable Two-Factor (not Two-Step) Authentication. You cannot opt out, and you cannot turn it off.

      I'd say that's pretty draconian, and flies directly in the face of free choice. And it is MAJORLY a pain in the neck to keep having to enter authentication codes. I really hate them for doing this.

    4. Corjo · in reply to coyote

      You know that woman won her case, right? Her story was completely misrepresented so that people could have a nice laugh at her expense. The coffee was, as it it turned out, way hotter then coffee normally should be. There was something wrong with the machine and she got seriously injured as a result. Of course though, it’s easy to make a funny article making fun of someone for “sueing coffee for being hot” or some shit, so that’s what everyone believes now. I think your connection between her story and this one is probably pretty spot on though. People don’t sue large companies in expensive legal battles without a genuinely good reason. It’s stupid to make a judgment about their case when don’t know shit about it.

  3. cruachan

    Is this Marissa Mayer in disguise? She was "too busy" to even lock her phone whilst CEO of Yahoo.

    Presumably if Apple disable 2FA and he gets hacked he'll sue them for that too.

  4. Pete

    Nothing surprises me any more. Just look at the quailty of the jerks people elect to public office…and nowhere on planet Earth is that more evident than in California, where this clown is bringing his lawsuit.

    There is no substitute for personal responsibility. You can’t elect morons to take responsibility for your behavior, or expect the state to come to your rescue when the cost of being.a responsible user is the “inconvenience” of the time it takes to secure your systems.

    It’s especially incongruous that this jerk is suing Apple, of all companies. There’s plenty Apple does that annoys me, but I can’t fault them on their efforts to streamline the process of making my devices and my account more secure. Once it’s set up, it’s actually pretty unintrusive.

    Normally, I’d say that such an idiotic lawsuit is likely to get thrown out. But in California, where the state is aggressively legislating to protect people from even having to take responsibility for their own emotions, this kind of idiocy is business as usual.

    1. The Adversary · in reply to Pete

      Sheep like you are why we can’t have nice things that work all the time. The problems with Apple’s 2FA are legion and well documented. There’s a long Reddit thread about a poor guy who got held up at knife point and the robber took his phone and demanded he unlock it. The robber reset the password and NOTHING the victim did — including sending Apple a copy of the police report — could convince them to give him back his 10+ year account.

      Then there is the inconvenience of having to have the authentication device on you at ALL TIMES. I have three iPads, an iPhone, and an Apple Watch all tied to my account. If I were stupid enough to turn on 2FA, I would have to keep my iPhone on me at all times. That is completely idiotic. Leave the phone at work? Too bad, no iPad for you tonight unless you want to go back and get your phone.

      Apple 2FA is HORRIBLE and anyone cheerleading it makes the Fanboi base look even worse than they normally do.

  5. Angie Jones

    No organisation as far as I know sets up 2-factor authentication for you as a default, you have to opt in and set it up yourself. He's probably tried to log into his Apple ID too many times with the wrong password, so he's been locked out.

    This compensation culture has got out of hand. It makes you wonder how many companies have been sued and lost. I personally think some people shouldn't be allowed out!

    1. David · in reply to Angie Jones

      True, but I think you can opt-out as well. If you don't like the feature after two weeks you're stuck and it gets to be pretty damned annoying. I live with it, but I'd rather turn it off at this point. Every time something gets signed off or reset or updated; password and passcode. That's not too bad on the iPhone, but it's kinda silly on the iMac, the MacBook Pro, the Apple Watch, iPad mini, iPad Pro, Apple TV. It becomes a bit much considering my passwords are already difficult enough on devices like the AppleTV where I sometimes have to use the remote and on-screen keyboard. My passwords are 15+ characters, random, letters, number, upper & lower case, special characters and changed ever 6-8 weeks. I have honestly never had an account hacked. I'd prefer two-factor authentication on my credit.

      1. Will · in reply to David

        And what happens when Apple forces 2FA on you with no choice to opt out? It happened to me.

    2. Mike Faraday · in reply to Angie Jones

      Well, they are so buck up buddy.

  6. Arya

    @coyote Again with the misconceptions. That woman got third-degree burns on her legs and genitals and needed extensive surgery to treat.

    1. Jim · in reply to Arya

      He didn't say the injury wasn't serious, he said who puts a cup of hot coffee between their legs. All it takes is something unexpected to happen, and the person squeezes their legs and coffee everywhere.

  7. Mike C.

    This is almost too funny, except that it gives other "smart" people the wrong ideas. I have 2FA turned on anything I can to protect my self. I stress it to my family, who unfortunately thinks the same way this cheese ball thinks. "I don't want to turn that on, it will take an extra 2 seconds Everytime, and I just don't have the time." Till their stuff gets hacked………and then I never hear the end of it…….

  8. Filip

    SMS not secure, Mobile operator can send a text message if your phone has been switched off and on immediately (throttling).

  9. Arf

    Apple should not make the opt-out period limited to 2 weeks. We should have ability to disable 2FA after 2- weeks.

    Apple does not allow you to opt-out of 2FA after 2 week period, which is insane.

  10. Joe

    Is this guy for real? Why wouldn't you want 2FA. I wouldn't lose any sleep if this moron has his sensitive data stolen.

    1. Will · in reply to Joe

      maybe because he has a disability? I have issues with something that forces you to do something against your wishes.

      Android phone companies are starting to do the same thing now.

  11. Dan N

    I predict Apple will do some custom work to manually opt him out as part of a settlement. Then, because of all the press, he will become a target and get hacked, and sue Apple again because they didn't adequately protect him from hackers.

  12. Ray

    Totally agree with the lawsuit. I'm sick and tired of finger print scanning that's a joke, constant entering of pass codes, 2-factor requiring a second device, Apple ID re-entry's, constant updates, constant maintenance.

    If people want a stupid electronic device to control a good part of their life (uh, the above seems like a good proxy of the people I'm referring to), so be it. But I'm drawing myself away from all this nonsense. Gradually but by the time I'm done I'll be back to a flip phone. A luddite for sure.

    Oh, jee, a few days ago yet another email from yet another service I use, letting me know their servers got hacked, and all my personal information got stolen. A few years ago talked to my bank's security department as my credit card had unauthorized use 6 times. Each time the card was replaced with a different number. Only 3 companies had my credit card on file. Apple was one of them. The bank fingered them as having recently been hacked. Oh, and I need to put up with Apple nonsense to make sure no one can access all my important information.

    You folks are so far beyond understanding the problem you probably shouldn't be working in tech.

    Yes, I came out of Tech.

  13. Nexus

    No guys, this 2FA thing is causing a lot of trouble, especially for developers around the world who have multiple accounts that are decoupled from their personal icloud account.
    Apple recently forced developers to use 2FA and has caused a lot of developers locked out of their accounts already. Take a look at the developer forums on reddit and macrumors.

  14. Lesley

    I misplaced my IPhone one evening, and went to my PC to use find my Iphone, but couldn't log in to do it, because it was sending the 2FA code to my phone, which I was trying to find. This can be a problem

  15. Brian Moisy

    It is a major issue, I had an iPhone.. lost it.. but cannot afford a new one… I cant change the device nor can I change where the auth code goes. I have called apple and because I cannot provide all of the minute data they are requesting, access is denied EVEN THOUGH I HAVE THE GOD DAMMED PASSWORD. If on an iMac I still cannot het the damned code. they have effectively locked me out of my email. this is a major problem and BTW I worked at apple for 6 years, YES THEY PUT YOUR ACCOUNT ON TWO STEP AUTH WITH OUT CONSENT. this writer is an idiot… the complaint is a little frivolous but this is a real problem and a lawsuit needs to be started regarding hijacked information and apples security standards and denying users there data.

  16. Lenny

    Wow! Once again, the sheeple have spoken. Personally, I hope he wins. I believe in security and I have 2FA enabled on everything that needs two-factor and my Apple ID is NOT one of them. Having 2FA on my personal account should be a choice, not a requirement. Apple forcing 2FA on us is their way of subsidizing to the end user their refusal to put proper security in place. At a bare minimum, I should be able to receive a code through my email which I can access from anywhere on any device and not be forced to use an Apple or SMS device which, quite often, is the same device and may not be in my possession at the time when I really need it. I've been burned by that more than once. Forget your phone? Need to log in to iCloud? Nope. Ain't happening.

    I've seen a company have their entire development access locked out and scrapped because Apple forced an ex-employee to enable 2FA and when they went to recover the account there was no way to do it as the device tied to it was long gone. Apple refused to give them access even when they produced evidence that they were the rightful owner of the account. It was a stupid, useless protection that ultimately costed the company heartache and money to recover.

  17. AppleSince1984

    When my wife and I did an IOS update on our phones, my wife unknowingly activated 2FA (since it comes up as a default that you have to basically opt out of after an upgrade). I could not use our other two phones or our several computers without access to HER phone. Since we had just activated it, I managed to opt out, but doing so required changing the password on the account. This seemed sort of counter-intuitive, since the whole 2FA thing is to prevent someone from using your devices with just your password, but apparently saying you forgot your password and creating a new one just circumvents the whole 2FA thing and lets you create a new password without 2FA. This workaround seems insecure, but I did not mind since I got my password-only access back.
    I still get alerts on all my devices to complete the 2FA process, so I hope it really has gone away.

    2FA should be an option and it should be reversible at ANY TIME, if the user is willing to give up whatever services Apple ties to it.

  18. Quincy Bingham

    I agree. There is NOTHING I hate more than two-step verification. Let me risk my stuff if I want, but don't waste my time with this irrelevant BS. I have lass pass and a password scrambler. I don't need two-step verification on ANY of my apps. That guy is a HERO. Leave US ALONE.

  19. William Holder

    Cluley? More like clueless. Yes, 2FA sucks and so do you.

  20. Pabloleyva

    If you have an iphone an a Mac and for werever reason you iphone gets damage, lost, etc, and have to wait some times weeks, to regain access to your computer, then you will realize how stupid two factor authentication is. As Apple will tell you two factor authentication is not a choice for some new futures, and once they force you to sign in, is no way to cancel it. I am all in for security I just don't think two factor authentication is a good fit for everybody, and shouldn't be forced on to anyone.

  21. Emilee

    Haven't seen an update on this but I really hope this guy wins. I am SO SICK of Apple. They do all this shit and require tyou to Google questions about how the fuck to log into your account. The guy trying to sue Apple is ABSOLUTELY CORRECT. The person writing this article is being a close-minded arse. It is so frustrating. Imagine being a teacher, as I am, and every time I try to open anything on Apple it asks for extra shit and half of those times it doesn't even work. And to not have an option as to whether or not to participate in this time-consuming, annoying, hair-pulling step is just peak Apple. I have a Samsung phone because I HATE Apple's evilness and sneakiness. It's amazing to me how many people just follow Apple blindly. Google too has added ways to protect its customers but at least it doesn't make it fuckin impossible to sign into an account. I HATE APPLE!!!!!

  22. hal

    F**k apple. Now I cannot access my email in Outlook because of 2FA. F**k off Apple and all its stupid cult followers

  23. Sayre

    My 1.5 year old Macbook randomly broke on me last week. Apparently, I was signed up for two-step authentication without knowing it when I first got the computer and after the first month you're barred from opting out- I was told it's literally impossible. That's a pretty strange thing to require.

    I have an old Macbook from 2008 running on Yosemite that still works really well (but no other Apple products), so I decided to just link up my iCloud and I'd barely suffer an inconvenience with any lost work or time. After all, I have the password and my Samsung phone is listed as one of my devices.

    When I tried signing into iCloud, I was only given the option to send it to the Apple device which is completely broken (I was quoted essentially the price of the unit to repair it). I was not given the option to send to an alternate approved device. I called tech support and the guy told me there is basically nothing they can do. He said, if I had an additional newer Apple device linked to the account, he might be able to do something, but otherwise SOL. (I don't) I asked if there wasn't anything they could do on their end for cases like this with lost or broken items and he said they have absolutely no access to assist to keep it super secure. I said, "Security's important but I'm never going to be able to get into that device again so it kind of sounds like I'm just going to permanently lose all my stuff…" and he kind of chuckled and said, "Yeah, sometimes we can help them find a way, but I'm not gonna lie, people actually get permanently locked out of their stuff pretty often." and suggested that I buy a new Apple device with AppleCare.

    Guess who's not a Mac person anymore. (Points to self) Pretty obviously not actually for the customer's best interest through the fact that they completely disallow opting out and can make it easier for you if you have multiple Apple devices. Screw this company. I hope they get sued often and repeatedly.

  24. RK

    Why does Apple not correct two factor authentication or advise how to circumvent since so many of their customers dislike it? I hate it and find it to be a great hassle. I never even enrolled and Apple cannot/will not show me confirmation that I did. After 2.5 hours on chat, the Apple expert and her supervisor answered I was stuck. Apple showed no indication or interest to look for a solution.

    I need to purchase a new a new laptop, but I do not know if that will get me out of two factor authentication. I am ready to get a new Apple ID and new iCloud account and email address.

    Should I cut my losses and stop using Apple devices, services et al? I have 2 Macs, 3 iPhones, 2 iPads and an Apple TV. Replacement is a hardship with a reduced income from retirement. But because I am technologically illiterate, learning all the functionality from the past 15 years is daunting. Never got the impression Apple valued seniors.

  25. Irv

    I am a poor 88 year man without a phone, so I'm stuck with an iPad I can't use!

  26. Irv

    The os upgrade that Apple did on my iPad without my permission, put in a 2FA that locked me out of my own property as I don't have a phone.

  27. Don Gillies

    My laptop spams me 4x a day asking me to enable 2-factor authentication. This is harassment. When I bought the product it did not have this spamware on it. Apple is a spam-producing company!

  28. Tedros Adhanom

    F**k you. 2FA is a thinly veiled method for extorting yet more of users' sensitive personal information (namely phone numbers). You can offer strong encouragement, but IT SHOULD BE POSSIBLE TO OPT OUT.

  29. blackfire_twentynine

    I didn't sign up for two-step authentication; they don't allow me to opt out.
    Two-step authentication has made it impossible for me to even log into youtube without giving them my phone number. My phone number is none of their effing business, and they demand too much info.

  30. AB

    I loathe 2FA, too. It's enabled on most of my accounts, but I've been waiting for YEARS for U2F to replace it. The authentication app's on my phone which, thanks to how much I use it, is always plugged in charging somewhere else from my computer. So with every secured account I want to access, I have to get up, walk downstairs to my phone, punch in its security code to get into the phone, open up the app, memorize the 2FA code, run back upstairs before the 2FA code expires, and if it's Google Authenticator, manually position my mouse in the entry field (unlike Authy that does this automatically), and hope there isn't some problem so that I have to repeat all the steps. Just to get into one out of 100 such "secured" accounts. I'd much rather use Authy than GA, but far too many of my accounts don't support Authy, so…

    I bought a U2F device just so I could conveniently use it instead, leaving it next to my computer. But, of course, none of the sites I need to protect are compatible with U2F, so I'm stuck with 2FA. A lot of my colleagues disable 2FA when they're working because of these same issues–frustrating the security objectives of 2FA. If someone else doesn't mind these steps, OK for them. But it's time to make U2F truly universal so all the rest of us have to do is plug in our secure device to get into our accounts. We can marry security and user convenience if enough companies make the switch to U2F.

  31. Joe

    You're a veteran of the security industry? Lol. You shouldn't be let anywhere near security and you should be sued for writing something this stupid. 2FA using SMS is the dumbest thing anyone could have ever thought of.

    1. Graham CluleyGraham Cluley · in reply to Joe

      I'm not saying SMS-based authentication is fantastic. If you read many of the articles on this site you'll see I'm an advocate for folks to use stronger methods of protecting their accounts.

      But, even though SMS is one of the least secure methods of multi-factor authentication, it does makes your account a lot more secure than if it doesn't have *any* additional authentication checks in place.

      SMS-based 2FA is better than no 2FA.

      1. The Adverssary · in reply to Graham Cluley

        That is just wrong. Amazon is using SMS 2FA now. For whatever reason, and/or my iphone will not recognize each other. Each time I log in it insists upon sending an SMS AUTHENTICATION LINK TO THE SAME iPHONE I AM LOGGING IN FROM. Open the text, click the link, click approve and I am in. It is annoying, time wasting, and adds ZERO additional security because it is coming to the same device that is trying to access the account.

        2FA just plain sucks.

  32. MB

    It's time for places to start being sued for all of this two factor authentication, captcha, "complicated" passwords, etc. bullshit. Enough is enough. Do you know I need a password to pay my property taxes? Like, seriously… you're worried somebody is going to PAY them for me?

  33. The Adversary

    Here is why Apple 2FA sucks.

    Read this guy’s story. Even with a police report Apple REFUSED to unlock his 10+ year old account. He gets locked out of every Apple device he owns and then has to start a new account with factor resets and the whole nine yards.

    The only security lesson here is buy a gun.

    I will never voluntarily turn on 2FA.

  34. CB

    Tried watching an Apple TV plus tonight in my room on my tablet. Nice new big screen so didn’t want to use my iPhone 12. Logged in, 2 nd stupid verification on phone. Next, chose episode and it wanted a freaking credit card verification, so now it’s f’n 3 factor. I have it memorized so entered as requested then said you can turn on age restrictions (whatever). Closed that and it asked for card again and agin and again. Turns out it went right back to a 2 factor for that as well. By the time I figured it out, Apple locked me out on my Amazon tablet. You guys still support Apple when a paying customer can’t watch a freaking show? Btw, it’s like 4 factor at that point. Fu** Apple! F’n hate it. Also old Apple TV doesn’t work because of this, no means of doing 2 factor on original Apple TV so they suggested buying the latest. Criminal. Argue with me or support Apple still after reading this and you are a moron and part of the idiot herd mentality for sure.

  35. John

    Unless Apple has changed its policy on two step authentication. I thought it was optional unless you activated it and then it will not allow you to disable it. So this person must have activated it and then decided it was to frustrating. I guess another frivolous lawsuit which in my opinion Apple could have avoid by just allowing users to turn it off if they decide they don't want the extra security.

  36. Damien

    You, sir, are an idiot who has entirely too much time on his hands ….apples 2fa IS a nightmare for anyone who stores important shit on their phones and they SHOULD BE SUED. For a company that issues a new phone per year to have a system wherein it cannot let people in their accounts if something goes wrong that’s a nightmare-one I’m going thru at present. They charge an arm and a leg for these devices so I don’t think it’s asking too much to aske them to actually provide adequate solutions to problems with their software features that NOONE asked for

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.