On my way home this evening I read about the Battery Health app for giving information about my MacBook battery. Sounded like a handy thing to have so I fired up the App Store when I got home and tried to install it. I say “tried” as no sooner had I entered my Apple ID password as I was faced with this window.
“Bloody hell”, thought I, “more stupid question/answer pairs to remember. Well at least they haven’t …. oh no.” Yes, not only have Apple gone in for the security question theatre but they’ve also gone and implemented a fixed set of questions rather than allowing them to be personalised. Beyond that they’ve gone for the “trendy” approach of asking non-standard questions. No “what’s your mother’s maiden name” type questions here. No, it has to be about your favourite teacher, car, and other such guff. I’ve copied the options you’re allowed to select from below.
Well, this is just bloody brilliant. Possibly these questions do mean something to you and you can always pick the same answer from your mind, in which case these could be secured more easily than any password by using some social engineering or looking at Facebook. If, on the other hand, the questions mean nothing to you (and, as I’ve mentioned before, it’s amazing how many idiots implement lists of questions that don’t apply universally) then you’re either going to get stuck every time you have to answer them or you’ll end up writing them down somewhere. How very very secure. Maybe you think I’m being a bit over the top in accusing Apple of providing a useless set of questions, so let me ask a simple question. Given that one fifth of the available questions depend on car ownership, how many people in the world have never owner a car? Now, as an alternative, how many people don’t know their mother’s maiden name? While the standard questions one finds in these types of forms have no benefits (or indeed detriments) in terms of security level, at least they do tend to cover a wider range of people. Better yet, why not offer completely customisable options? Oh yes, because it’s Apple and Apple knows best.
Unfortunately Apple’s technical support have not been particularly helpful so far, only suggesting I raise a ticket for iTunes feedback. Well, that doesn’t exactly help me install new software on my Mac or update (say to improve security) existing apps. Oh well, once again I realise why I absolutely loathe Apple as a software maker. Love their hardware, hate their systems, hate their policies.
For a good explanation of where this sort of authentication came from and why it’s utterly daft, head over to The Daily WTF to read about Wish-It-Was Two-Factor authentication.