Apple recently began prompting users to select three security questions for their iTunes Store accounts. The move helps to ensure that you’re the authorized account holder if you have problems or forget your password.
The idea is well intentioned and a sensible protection for Apple and its customers. Unfortunately, Apple’s way of rolling out these security questions and the questions themselves highlight the old adage about the way to hell being paved with good intentions.
Let’s start with the way Apple is rolling out the questions. Rather than alerting users in advance via email or a push notification that it would begin adding such a security measure, Apple decided to just throw up an alert that users see when attempting to make purchases (or download app updates on an iOS device).
That means that users have no warning when they see an alert prompting them for the security questions. That isn’t too far off the mark from how other companies have rolled out security questions. When most companies roll out similar security measures, the first sign of them can be a prompt when logging into an online banking or account management site – but most companies let you bypass that prompt the first time (and often for a limited period after that) and continue with your business.
Apple doesn’t offer that option. You get prompted and you can either continue to the questions or cancel. If you cancel, you can’t complete your purchase or download. That means that most people are getting prompted for security questions, which will be important identity protection, at inopportune times. That could lead to answers with typos, capitalization issues, and even off the cuff answers that users may not remember.
Then there’s the questions themselves. Some of them are pretty standard like your first car. Some are unusually personal like the city where you were first kissed. Some are a bit bizarre like your least favorite teacher.
More disturbingly, some of them could be easy to for someone to figure out. For most people, the city of their first kiss is the city where they grew up – something that’s not hard to find (Facebook’s Timeline makes it very easy, in fact). For younger folks, the question about your first teacher could be easy to figure out based on where you went to school.
Ironically, Apple’s online tool for managing your Apple ID, offers a much better option by letting you compose your own security question. The security question that I entered there, for example, is something that only I know the answer to – and anyone guessing at that question would be misdirected to a wrong answer because of the phrasing I chose.
This raises another issue with the process. These questions apply to your iTunes account, which for many of us is our Apple ID. These questions are different than those used for managing your Apple ID on Apple’s website. Of course, it’s possible to have more than one Apple ID (if you do, there is no mechanism to merge them, by the way). This points to the larger issue, which is that Apple needs to cleanup and streamline the use of Apple IDs across various services.
Ultimately, this is a step towards great account protection but it’s a confusing one that Apple hasn’t managed well. As a result, it could easily turn into a big headache while delivering less than optimal security.