New iTunes Security Questions Are Confusing And Can Be Easy To Figure Out


iTunes prompt for new account security questions

Apple recently began prompting users to select three security questions for their iTunes Store accounts. The move helps to ensure that you’re the authorized account holder if you have problems or forget your password.

The idea is well intentioned and a sensible protection for Apple and its customers. Unfortunately, Apple’s way of rolling out these security questions and the questions themselves highlight the old adage about the way to hell being paved with good intentions.

Let’s start with the way Apple is rolling out the questions. Rather than alerting users in advance via email or a push notification that it would begin adding such a security measure, Apple decided to just throw up an alert that users see when attempting to make purchases (or download app updates on an iOS device).

That means that users have no warning when they see an alert prompting them for the security questions. That isn’t too far off the mark from how other companies have rolled out security questions. When most companies roll out similar security measures, the first sign of them can be a prompt when logging into an online banking or account management site – but most companies let you bypass that prompt the first time (and often for a limited period after that) and continue with your business.

Apple doesn’t offer that option. You get prompted and you can either continue to the questions or cancel. If you cancel, you can’t complete your purchase or download. That means that most people are getting prompted for security questions, which will be important identity protection, at inopportune times. That could lead to answers with typos, capitalization issues, and even off-the-cuff answers that users may not remember.

Then there are the questions themselves. Some of them are pretty standard, like your first car. Some are unusually personal, like the city where you were first kissed. Some are a bit bizarre, like your least favorite teacher.

More disturbingly, some of them could be easy for someone to figure out. For most people, the city of their first kiss is the city where they grew up – something that’s not hard to find (Facebook’s Timeline makes it very easy, in fact). For younger folks, the question about your first teacher could be easy to figure out based on where you went to school.

Ironically, Apple’s online tool for managing your Apple ID offers a much better option by letting you compose your own security question. The security question that I entered there, for example, is something that only I know the answer to – and anyone guessing at that question would be misdirected to a wrong answer because of the phrasing I chose.

The Apple ID management site

This raises another issue with the process. These questions apply to your iTunes account, which for many of us is our Apple ID. These questions are different than those used for managing your Apple ID on Apple’s website. Of course, it’s possible to have more than one Apple ID (if you do, there is no mechanism to merge them, by the way). This points to the larger issue, which is that Apple needs to clean up and streamline the use of Apple IDs across various services.

Ultimately, this is a step towards great account protection but it’s a confusing one that Apple hasn’t managed well. As a result, it could easily turn into a big headache while delivering less than optimal security.


  • applewax

    I cringe at these so-called “security” questions. Way too easy to “hack” into someone’s email, bank account, etc. by guessing (or researching) the answers to these inane questions. I always append the answer with a four-digit code, e.g., “Chicago4309”. The code, of course, is a number or word that I will always remember.

  • turbohand

    I never give real answers to those questions. I have stock replacement answers. I like the idea of appending numbers though.

  • technochick

    If Apple didn’t do this and left it at one just as easy to figure out question, or worse no question at all then they would be yelled at about not doing anything to protect their users. They can’t win.

    And they give you 5 choices for each question. Hopefully one of each 5 is something you haven’t talked about on Facebook etc. Pick your own question stuff is actually more likely to be something you have mentioned somewhere since folks use things like their nickname, boy/girlfriend’s name, pet (who is in every other photo) etc.

  • kate27

    This is another pain in the ass I don’t need & an intrusion on my privacy I don’t want. They should invest time in making this work on their end. If I buy this product on hardware they designed and that’s registered with them – it should just work.

    I’ll buy my music elsewhere

  • james1964

    As an English speaking expat in the Netherlands I am now forced to have security questions in Dutch, a language in which I am far from fluent. Quite apart from any benefits of enforcing these new security questions, surely Apple have the technology to support alternative languages. I’m sure that I’m not the only Apple user in the Netherlands who isn’t a fluent Dutch speaker. This must work for countries with multiple official languages (Belgium or Switzerland, for example), so why can’t English be selected as an alternative to a national language?