Tuesday, April 24, 2012

Apple's New iOS Security Questions

Disclaimer (you will see a lot of these): I believe Apple is a great company and it is well run; I use its products and services and am generally quite satisfied. That aside...

Recently, I wanted to download a new app on my iPhone. However, before doing so, the app store required me to enter in new security questions and answers.

The eminent and brilliant Bruce Schneier breaks down what is wrong with security questions far more capably than I can, so I won't reiterate, and potentially diminish, his beautiful prose. More here. And here. Summary: they are a huge security weakness in the password protocol, in addition to being a big pain in the neck.

In addition to this, however, I'd like to comment specifically on why Apple's security questions, in particular, were really bad. Normally, when one is asked a security question, it is about an objective fact: "What city did you grow up in?" "Who was your first grade English teacher?" "What was the name of your first pet?"

Because these are prompts for easily identifiable, objective facts, these questions will produce the same answer every time, a quality that is valuable for a security question. Apple's questions, however, required the user to make judgment calls, which, in my opinion, are probably not reliably reproducible. For instance, Apple asks "What city was your best job in?" "Who was your least/favorite teacher?" First off, I genuinely do not want to be making those calls at the insistence of the robot-phone that I already pay way, way too much for and that consistently offers me shitty service. Second, apparently, I am not alone. Third, importantly, when you introduce this level of judgment into questions, you are going to get answers that vary highly from time to time. Ask me those questions on any given day and I may have completely different answers, meaning I'm going to have to physically write down the answers or forget them and use the email password reset anyway.
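To make the reproducibility point concrete, here is an added example (my own illustration, not code from this post or from Apple) of how a service should handle security-question answers on the back end: canonicalize the answer so harmless variation in form ("Mrs. Smith" versus "mrs smith ") still matches, store it salted and slow-hashed like a password, and estimate from an answer distribution how much an attacker would actually have to guess. The pet-name sample is constructed for the demonstration; the skewed distribution is an assumption, not survey data.

```python
import hashlib
import hmac
import os
import re
import unicodedata
from collections import Counter
from math import log2
from typing import Optional, Tuple

PBKDF2_ITERATIONS = 200_000  # treat answers like passwords: slow hash


def normalize_answer(answer: str) -> str:
    """Canonicalize an answer so that trivial variations in form compare
    equal (case, punctuation, whitespace). A genuinely different answer,
    e.g. a different teacher picked on a different day, still fails."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    text = re.sub(r"[^\w\s]", "", text)   # drop punctuation such as "."
    return " ".join(text.split())          # collapse/strip whitespace


def enroll_answer(answer: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for storage; the plaintext answer is never kept."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode(), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify_answer(candidate: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison of the candidate's digest with the stored one."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(candidate).encode(), salt, PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(digest, stored)


def guessing_entropy_bits(answers) -> float:
    """Shannon entropy (bits) of an observed answer distribution: a rough
    measure of how much a guesser who knows the population still has to
    guess. Popular answers drag this well below a random password."""
    counts = Counter(normalize_answer(a) for a in answers)
    total = sum(counts.values())
    return -sum(c / total * log2(c / total) for c in counts.values())


# Constructed sample population (hypothetical, not real user data):
# four users answered "Max", three "Bella", two "Charlie", one "Rex".
SAMPLE_PET_NAMES = ["Max"] * 4 + ["Bella"] * 3 + ["Charlie"] * 2 + ["Rex"]


def demo() -> dict:
    """Objective answer survives formatting drift; a subjective re-answer
    does not; and the answer space is only ~1.85 bits for this sample."""
    salt, stored = enroll_answer("Mrs. Smith")
    return {
        "same_fact_reformatted": verify_answer("  mrs smith", salt, stored),
        "different_judgment_call": verify_answer("Mr. Jones", salt, stored),
        "sample_entropy_bits": round(guessing_entropy_bits(SAMPLE_PET_NAMES), 3),
    }


if __name__ == "__main__":
    print(demo())
```

The normalization absorbs only form, so an objective fact re-entered sloppily still verifies, while a "favorite teacher" who changes with the user's mood fails exactly as the post predicts. The entropy figure is the defender's reminder that even a perfectly reproducible answer drawn from a small, skewed pool is a weak factor and should be rate-limited and never used alone.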

So, basically, not only did Apple 1) make a bad decision to implement new iOS security questions but 2) doubled down on this bad decision by making the questions intrusive and so subjective as to be useless.

BTW, the best approach to password security was very beautifully illustrated by Randall Munroe, reproduced here:
Now, if you will excuse me, I have to go send Apple some more money.
