Recorded February 19, 2019 at G-Unit Studios in Rhode Island!
- RSA Conference 2019 is coming up March 4 – 8 in San Francisco! Go to rsaconference.com/securityweekly-us19 to register now using the discount code 5U9SWFD to receive $100 off a full conference pass! If you are interested in booking an interview or briefing with Security Weekly, please go to securityweekly.com/conferencerequest to submit your request!
- Join us April 1-3, at Disney's Contemporary Resort for InfoSec World 2019 where you can connect and network with like-minded individuals in search of actionable information. Visit https://infosecworld.misti.com/ and use the registration code OS19-SECWEEK for 15% off the Main Conference or World Pass. If you are interested in booking an interview or briefing with Security Weekly, please go to securityweekly.com/conferencerequest to submit your request!
- Check out our On-Demand material! Some of our previously recorded webcasts are now available On-Demand at: securityweekly.com/ondemand.
That’s right folks, Apple is being hit with a class action lawsuit because of their 2-factor authentication setup! I saw this bit of news somewhere else online, but Graham Cluley has a pretty amusing blog post on it. What it boils down to is that a gentleman named Jay Brodsky has decided that Apple’s two-factor authentication system is just too burdensome for the world to bear.
Here are some of the highlights that Graham points out. First, the plaintiff alleges that Apple turned on two-factor authentication without his permission. I’ve got a lot of Apple devices and I seem to recall needing to turn this on explicitly. Perhaps I turned it on before this was possible??
Mr. Brodsky also complains that he has to remember his password and have access to a trusted device. Like Graham, I’m puzzled over this one. That’s pretty much the definition of two-factor authentication. Something you know, paired with something you have or are. Weird.
He has a number of other complaints as well. The process is a pain in the behind to use (which I’ve griped about to myself a couple of times), you can’t turn it off, and it takes so long that it causes economic damage. The economic damage one is lame. It doesn’t take that long to use unless I’ve lost my phone, my iPad, and my watch. Of course, he could just have his phone or computer and misplaced his phone somewhere. Maybe he spent 5 minutes looking around for it.
According to AppleInsider, Brodsky also alleges that Apple has violated the Computer Fraud and Abuse Act. As a response to all these unjust actions, Brodsky is demanding “All funds, revenues, and benefits Defendant has unjustly received as a result of its actions rightfully belong to Plaintiff and the Class.” So whatever money Apple has made off of their 2FA system belongs to Brodsky and any other user of Apple’s 2FA.
I’ve worked on security projects that have gotten some people very angry before. I remember one director being incredibly steamed that several large customers were requiring changes to our authentication system. I got to be the target of his ire due to me actually being available for it. But this is a bit absurd and stunning. Graham calls for someone to give Brodsky an Android device so he can settle down, but if he ever sees Google offering their 2FA his head is going to explode and he’ll say it’s collusion designed to take down the world’s economy!
I don’t have a clue how this one will play out in the courts. Amazingly enough, he has legal representation. I can only guess that this will end up in some kind of settlement and go away at some point. I doubt we’ll see any changes to Apple’s 2FA system and I certainly can’t see it turning into a situation where Apple has to “disgorge all of its ill-gotten gains to Plaintiff and other Class Members”. I guess their opinion is that the economic impact of passwords being easily guessed is much less than that of 2FA? I’m curious to see how it turns out.