Tuesday, April 24, 2012

Apple's New iOS Security Questions

Disclaimer (you will see a lot of these): I believe Apple is a great company and it is well run; I use its products and services and am generally quite satisfied. That aside...

Recently, I wanted to download a new app on my iPhone. However, before doing so, the App Store required me to enter new security questions and answers.

The eminent and brilliant Bruce Schneier breaks down what is wrong with security questions far more capably than I can, so I won't reiterate, and potentially diminish, his beautiful prose. More here. And here. Summary: they are a huge security weakness in the password protocol, in addition to being a big pain in the neck.

In addition to this, however, I'd like to comment specifically on why Apple's security questions, in particular, were really bad. Normally, when one is asked a security question, it is about an objective fact: "What city did you grow up in?" "Who was your first grade English teacher?" "What was the name of your first pet?"

Because these are prompts for easily identifiable, objective facts, these questions will produce the same answer every time, a quality that is valuable for a security question. Apple's questions, however, required the user to make judgment calls, which, in my opinion, are probably not reliably reproducible. For instance, Apple asks "What city was your best job in?" "Who was your least/favorite teacher?" First off, I genuinely do not want to be making those calls at the insistence of the robot-phone that I already pay way, way too much for and that consistently offers me shitty service. Second, apparently, I am not alone. Third, and importantly, when you introduce this level of judgment into questions, you are going to get answers that vary highly from time to time. Ask me those questions on any given day and I may have completely different answers, meaning I'm going to have to physically write down the answers or forget them and use the email password reset anyway.

So, basically, not only did Apple 1) make a bad decision to implement new iOS security questions, but it 2) doubled down on this bad decision by making the questions intrusive and so subjective as to be useless.

BTW, the best approach to password security was very beautifully illustrated by Randall Munroe, reproduced here:

Now, if you will excuse me, I have to go send Apple some more money.

First Post

Hi everyone.

I'm going to take this opportunity to say a few things:

1. The hardest part of doing something is getting started. That in mind, rather than announce my blog with any fanfare or time it to coincide with a particular news story that I may have some valuable commentary on, I am just going to kick it off.

2. This is me.

3. Absolutely none of the opinions expressed in this blog represent the opinions of any of my clients, employers, or educational institutions, present or former, and all opinions expressed herein are my own, unless clearly specified otherwise. Additionally, all information on this site is precisely that -- an opinion.

4. Absolutely nothing on this blog constitutes legal advice, nor is it a substitute for legal advice. I am not your lawyer. If you have a legal question, you need to consult a lawyer licensed to practice in your area.

So, all that in mind, enjoy.