I don't know if this is very interesting, but I've rarely seen such a blatant example of incompetency.
The axioms are like this:
1. Even with 2FA active, Apple will, apparently every couple of years, make you answer the security questions you gave when you first set the account up.
2. If you don't know the answer to your security questions (I used generated passwords I simply can't find after several years of not needing them), you can reset them.
3. If you attempt to reset your security questions, you first need to answer your security questions.
Like the people in that thread, I've contacted Apple support and after a 30 minute conversation about why the process of resetting my forgotten security questions (which requires me to know my security questions) doesn't work, they suggested I create a new Apple ID. Naturally with no path towards keeping my past purchases, data etc.
> 1. Even with 2FA active, Apple will, apparently every couple of years, make you answer the security questions you gave when you first set the account up.
One might question the usefulness of that feature, since after a few years one may have forgotten the answer when it is clear that one might have to answer it some day in the case one lost access to one's account by usual means.
Maybe things are different with Apple, but on other systems, the questions are usually simple enough that good acquaintances might be able to answer them (eg, "parent's place of birth" or some such). In a sense, one wouldn't expect an acquaintance to steal a device, thus one may accept the weakness of those questions.
If one choose to use a contrived answer for that feature, one reduces the risk of someone guessing it, but at the same time it might make it harder to remember it when it matters.
I don't really believe that Apple is at fault here.
That's saying I shouldn't have forgotten the answers in the first place - which is a fair point I suppose. What bothers me is that there _is_ a process for resetting the question in case you've forgotten them, but that very process requires you to know them.
(Same person, different throwaway, cannot prove it though)
> What bothers me is that there _is_ a process for resetting the question in case you've forgotten them, but that very process requires you to know them.
I'll be honest and tell you that I tend to forget the answer to these questions, simply because I don't want to use a simple question/answer set which could be guessed by someone else, but if I use a more elaborate answer, then I am bound to forget it after a while (essentially what happened to you), so clearly I also find this system painful, but I don't see how this could be improved. Unless, somehow a physically unique token (like an ID card, or a biometric feature) would be used instead of passwords, but not every device nowadays has the ability to handle them, and even them it raises the question of how it could be exploited, or how to handle the terrible case of one losing access to that token.
4 comments
[ 2.3 ms ] story [ 18.9 ms ] threadThe axioms are like this:
1. Even with 2FA active, Apple will, apparently every couple of years, make you answer the security questions you gave when you first set the account up.
2. If you don't know the answer to your security questions (I used generated passwords I simply can't find after several years of not needing them), you can reset them.
3. If you attempt to reset your security questions, you first need to answer your security questions.
Like the people in that thread, I've contacted Apple support and after a 30 minute conversation about why the process of resetting my forgotten security questions (which requires me to know my security questions) doesn't work, they suggested I create a new Apple ID. Naturally with no path towards keeping my past purchases, data etc.
One might question the usefulness of that feature, since after a few years one may have forgotten the answer when it is clear that one might have to answer it some day in the case one lost access to one's account by usual means.
Maybe things are different with Apple, but on other systems, the questions are usually simple enough that good acquaintances might be able to answer them (eg, "parent's place of birth" or some such). In a sense, one wouldn't expect an acquaintance to steal a device, thus one may accept the weakness of those questions.
If one choose to use a contrived answer for that feature, one reduces the risk of someone guessing it, but at the same time it might make it harder to remember it when it matters.
I don't really believe that Apple is at fault here.
> What bothers me is that there _is_ a process for resetting the question in case you've forgotten them, but that very process requires you to know them.
I'll be honest and tell you that I tend to forget the answer to these questions, simply because I don't want to use a simple question/answer set which could be guessed by someone else, but if I use a more elaborate answer, then I am bound to forget it after a while (essentially what happened to you), so clearly I also find this system painful, but I don't see how this could be improved. Unless, somehow a physically unique token (like an ID card, or a biometric feature) would be used instead of passwords, but not every device nowadays has the ability to handle them, and even them it raises the question of how it could be exploited, or how to handle the terrible case of one losing access to that token.