This is why you come up with some random word or phrase to use with all the questions. Now the answer has nothing to do with the question being asked, and someone cannot use social engineering or other investigative types of information gathering to hack into your accounts.
That doesn't work for the general public and might not work in your case either, because what you think of is seldom random.
It also goes against the idea of enhanced security through multiple questions and answers, and of an easy way to remember them.
It is better to introduce one fallback password provided by Apple and remove the security questions altogether.
Funny: on my wife's computer, I could not find her original recovery key… You do have the option to regenerate a new one. However, you get to a page that asks you to confirm that you have the new one by entering it. When you do and you click "Activate", you get an ERROR page! So, is the new one active or not? How the hell will I know this?
Apple's 2-factor authentication does not work well if you have more than one Apple ID, which most people who had an existing iTunes and MobileMe/Mac account do. It will work for SMS notifications, but only the main iCloud "Find My xxxx" can be enabled on a device; that means it's not possible to use 2 different Apple IDs for "Find My xxxx", so it won't work for more than one Apple ID.
Apple's "solution" to this is to have you use friends/relatives to send SMS codes to in case you lose your phone. That's a less than ideal solution.
If you get locked out of your Apple ID currently, you can't change your password or make iTunes/App Store purchases on new devices.
You won't be able to access your account information on any device because Apple has no concept of "trusted devices". Basically, if you lose 2 of the 3 pieces of info (password, device capable of receiving a code, and recovery key), you are screwed, since you won't be able to change your password or set up new devices. Existing signed-in devices will continue to work until you sign out or are forced to do a restore.
Why do people think that your answer to a security question has to have anything to do with the question?
Q: "Where do you want to live when you retire?"
A: "In the same grave as Dracula." or
A: "Secretariat was the best horse to ever win the Triple Crown." or
A: "Anything."
Just be sure to write the answer down to remember it.
This.
I haven't been answering security questions with accurate, truthful information for years. I use random nonsense answers which I store in 1Password. That being said, the idea of security questions is stupid. If you answer them truthfully they are worthless, and if you answer with made-up stuff, like I do, it becomes a problem managing them, defeating their purpose.
Any company using security questions is engaged in "security theater". They want to look like they are doing something in regards to security, but they really aren't.
-kpluck
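The two comments above (random answers per question, kept in a password manager) describe a workable approach without showing why a human-chosen "random" phrase is weaker than a generated one. The following is an added example, not code from any commenter on this page: it generates answers from a CSPRNG, states their entropy, shows how a site should store them (salted, stretched hash; the 24-word list, the PBKDF2 work factor and the "common answers" guess list are constructed for the example), and shows a short guess list defeating a truthful answer but not a generated one.

```python
import hashlib
import hmac
import math
import secrets

# Constructed word list for the example (24 words). A real deployment would draw
# from a large list such as the EFF diceware list (7776 words, ~12.9 bits per word).
WORDS = [
    "dracula", "grave", "secretariat", "crown", "horse", "anything",
    "apple", "cloud", "recovery", "trusted", "device", "verify",
    "moot", "useless", "safari", "password", "question", "theater",
    "random", "nonsense", "retire", "triple", "answer", "manager",
]

PBKDF2_ROUNDS = 100_000  # assumed work factor for the example


def entropy_bits(num_words, list_size=len(WORDS)):
    """Entropy of an answer built from num_words uniformly chosen words."""
    return num_words * math.log2(list_size)


def generate_answer(num_words=4, wordlist=WORDS):
    """Pick words with the CSPRNG rather than with whatever comes to mind."""
    return " ".join(secrets.choice(wordlist) for _ in range(num_words))


def make_vault(questions, num_words=4):
    """One fresh random answer per question. This mapping is what goes into
    the password manager, since nothing about the answers can be remembered."""
    return {q: generate_answer(num_words) for q in questions}


def normalise(answer):
    """Case- and whitespace-insensitive comparison, as most sites do."""
    return " ".join(answer.strip().lower().split())


def store_answer(answer):
    """What the site should keep: a salted, stretched hash, never the answer."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalise(answer).encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt.hex(), "hash": digest.hex()}


def check_answer(record, candidate):
    """Constant-time comparison of the candidate against the stored record."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", normalise(candidate).encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


# Constructed list of popular truthful answers an attacker would try first.
COMMON_RETIREMENT_ANSWERS = ["florida", "arizona", "hawaii", "the beach", "right here"]


def guessable(record, guesses=COMMON_RETIREMENT_ANSWERS):
    """Does a short guess list recover the answer? Truthful answers often do."""
    return any(check_answer(record, g) for g in guesses)


if __name__ == "__main__":
    questions = ["Where do you want to live when you retire?",
                 "What was your first car?"]
    vault = make_vault(questions)
    for q, a in vault.items():
        print(f"{q} -> {a}  ({entropy_bits(4):.1f} bits from this toy list)")
    print("truthful answer guessable:", guessable(store_answer("Florida")))
    print("random answer guessable:", guessable(store_answer(vault[questions[0]])))
```

With the toy list, four words give only about 18 bits; the same code with a 7776-word list gives about 52 bits per answer, which is the level at which a guess list or a social-engineering profile stops helping the attacker. The normalisation step matters for the "write it down" advice: what you store in the manager must survive the site's own case and whitespace folding.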
Apple should ENFORCE 2-step authentication any time there is a login via a web browser. This is how Gmail works. This would protect all forms of access via a browser.
Currently, the "partial" 2-step verification only protects you from someone trying to change your Apple ID account info/setup. Please get on the ball, Apple!
I have set up 2-step auth, yet when I log on to icloud.com I am not prompted for an auth code. What's up?
Maybe I'm doing something wrong. My trusted device is my iPhone, so if I log into iCloud or manage my Apple ID on my Mac, I get the verification code SMSed to my iPhone number.
Here's the thing. If I log into appleid.apple.com using Safari on my iPhone, then it will send the verification code to the iPhone! So two-step authentication on the iPhone is moot! Useless! Similar problem with iCloud.