While reading this, I originally thought that the birthday aspect would reduce the attack population for such an exploit, but then I remembered that all the major social networks have birthdays (and will display them, unless the privacy settings say otherwise).
I am thankful for the recent increase in 2-factor capabilities, and I encourage everyone to take advantage of them.
Since my earliest days on the internet and on the web in the early 1990s, I've always been nervous when services wanted my birthdate for (AFAICT) no good reason whatsoever. Since then, I've always used proxy dates as my "birthday" (dates that are easy for me to remember, but no one else knows) for services that don't legally require my real birthday (when filling out bank/govt forms, I will use my real DOB).
I'm thankful that I've done that, but of course it doesn't help when a FB friend helpfully sends me a "Happy Birthday" message on my real birthday or when my real birthday is available through so many public records. Sigh.
It is still not entirely clear to me why people allow the whole Facebook wall shenanigans. I closed mine a long time ago, exactly because I never understood why I would want to mix in one place the public, the personal, and the intimate. The very idea of blurred boundaries is not sane; it's bound to keep creating problems (like the one you describe).
No, it's not that you could get in trouble for being under 13... it's the site that could be breaking the law by collecting data on children (without parental consent).
It's unfortunate that (at least in my experience) Apple makes you wait 3 days to enable two-factor auth. I'm still waiting and crossing my fingers that this gets patched ASAP.
They only make you wait 3 days if you've modified any of your information recently. From what I've seen they've also taken down the site that contained the security flaw.
It already got patched. Or rather, Apple disabled password reset functionality already. In fact, the article was already updated an hour ago to say that.
I just activated it on two accounts (including one account that didn't have an Apple device attached, so I had to use an SMS device) and it worked right away.
I'm guessing the 2-factor auth is tucked away under "Password and Security."
Which is hidden behind a bunch of inane "security questions" that I dreamt up years ago.
Not only am I unable to set up 2-factor auth, I can't even change my password!
They couldn't hide it behind an e-mail confirmation, or provide alternate options to log in?
Obviously it's my fault for (A) not trying to change my AppleID password in nearly 10 years, and (B) not having systems in place to prevent this sort of thing... However, this is a service that basically has unchecked access to the associated credit card account. The fact that they don't even have a "Can't remember? Contact Support" link frustrates me.
I see no options about 2fa even though I'm in the UK. Also, it doesn't seem to support OTP and I have an Android phone (I don't always have my iPad with me).
When you enable 2FA you need to register at least one Apple device or a phone number that can receive SMSs. After that first device is added, you can add more devices. So you can have both your iPad and phone number registered to receive the code.
After it's enabled, when you try to log in it shows you a list of your registered devices and phone numbers and asks where you'd like the code sent.
Same here in Finland. I have my phone number entered in the "Phone Numbers" section but still see no two-factor authentication option. Besides, the Addresses form is buggy and won't let me save (it keeps asking for save/discard confirmation forever).
I just enabled two-factor auth yesterday so I can't see the interface anymore but it seemed like there was a "Just email me" backup below the questions.
Their support docs mention something about a "backup e-mail address", which I can't set up w/o verifying my account, which I can't verify w/o answering these questions.