By Bruce Sussman
Mon | Feb 18, 2019 | 3:30 PM PST

A 2019 class action lawsuit against Apple claims setting up and using two-factor authentication (2FA) is causing Apple customers harm—in many ways—including the loss of time.

Why InfoSec should actually watch this case

And while the case has led to some funny headlines and a whole lot of snickering, there is an interesting legal question being tested here, and cybersecurity leaders and companies should keep an eye on it.

Apple two-factor authentication lawsuit: the crux for InfoSec

This case reminds us of the debate that took place when seat belt laws were being passed across North America a few decades ago.

The question then: Does anyone (even the state) have the right to tell me how to secure myself in my personal vehicle?

The crux of this lawsuit against Apple's 2FA policies is this: Does a company I pay for services or products have the ability to require me to secure my device, or endpoint, in a certain way?

And if I don't respond appropriately, can they deny me access to that device or those services?

Key accusations in Apple two-factor authentication lawsuit

Apple now requires 2FA when a software update occurs on an Apple device or upon the creation of a new Apple ID.

And the plaintiff in this case, Jay Brodsky, is claiming this is worth suing over for a variety of reasons.

Apple 2FA lawsuit, point #1: Apple is "trespassing on personal devices"

"Apple has knowingly and intentionally and without authorization interfered with Plaintiff and Class Members’ possessory interest of their one or more Apple devices by requiring an extraneous login process through two-factor authentication that is imposed on Plaintiff and Class Members without authorization or consent."

The translation is that Apple is trying to force cybersecurity on its users, which allegedly interferes with the ability to use a device as the customer sees fit.

Apple 2FA lawsuit, point #2: Apple is "hurting me by wasting my time"

"As a result of Apple’s coercive policies with regards to security of Plaintiff owned devices, Plaintiff and millions of similarly situated consumers across the nation have been and continue to suffer harm. Plaintiff and Class Members have suffered economic losses in terms of the interference with the use of their personal devices and waste of their personal time in using additional time for simple logging in."

The lawsuit claims each use of 2FA costs customers 2-5 minutes of lost time, and that Apple will lock out customers who refuse to follow the company's 2FA rules, which it argues is unfair.

The 14-page lawsuit keeps on going, claiming Apple's two-factor authentication requirements violate California's penal codes, privacy law, and even the Computer Fraud and Abuse Act. 

What the Apple 2FA lawsuit is asking for 

The plaintiff is asking for Apple to be barred from forcing its customers to use two-factor authentication, and asking for money to cover the loss of time from using 2FA and from getting locked out when you refuse to use it.

You can read the Apple 2FA lawsuit here yourself.

Can you imagine the impacts for information security if a court finds in favor of the plaintiff here?


And while we wait, here's a comment our team got a kick out of. Cybersecurity researcher and author Graham Cluley wrote about the case: 

"Will someone please buy this guy an Android? Or maybe offer him some free technical support so he can log into his account a wee bit faster?"

Perhaps someone will, but we doubt that will answer the questions being raised in this 2019 class action lawsuit against Apple—the outcome of which could impact the ability to secure the endpoint.