Tell HN: Lost access to my Apple account even though I have the password
Hi HN,
I'm trying to access my Apple account for the first time in years. I have the email and password in my password manager, but apparently Apple recently made 2 factor authentication mandatory. Problem is, right now, the second factor is security questions to which I don't have the answers (I probably entered random gibberish years ago).
I tried to reset them, but Apple asks me for at least one answer to a security question. I got on a chat with the support, and they can't do anything, except telling me to create another account.
I therefore lost access to everything I "bought" on iTunes and the App Store even if I have the correct login and password for my account.
How is this acceptable? Of course, the support told me that my data is secure ... so secure I cannot access it!

Do you have access to an Apple Store? If so, try to set up a Genius Bar reservation and talk to someone there. If you can't set up a reservation due to needing an Apple ID, just go into the store and see if someone can help you.

It may be difficult since this is a classic way to take over an account through phishing and they have been trying to block that kind of thing. I hate those security questions because, if you answer with real data, it can be guessed by others. If you answer with gibberish, then you need to document your answers and store them like passwords.

I'm not in the US, there is no Apple Store near me, only resellers. I never had to answer security questions up to now, and never stored the answers in my password manager. I thought that a reset by email was possible, but apparently not ...

The best suggestion I've seen for handling security questions is to use the same stupid response for all of them. Mum's maiden name? 'waffles'. City of birth? 'waffles'. Brand of your first car? 'waffles'. No-one's going to glean that from the internet, and it's going to be difficult for you to forget once you've formed the habit.

This is poor advice. A lot of the time these can be used to reset your password, so you've compromised the security of your (hopefully much more intelligently) chosen password. In addition, if a breach ever leaks or a phishing attempt ever intercepts your security question answers, you expose all your accounts to takeover.

My secret questions have nonsensical answers but are all unique per app/website which are recorded. Makes social engineering nearly impossible. Just don't put random characters as the answer.

True. That makes it very hard when you have to recite it back to a customer service person. Best just to use arbitrary, real words and then store the questions and answers in your password manager.

Once I was on the phone with Blizzard support, and they asked me to verify the answer to one of my security questions. I said "oh, it's probably just a bunch of random letters" and she said "uh, yeah, it is actually" and let me into my account. So be aware of that as an attack vector too.

This is what I was hinting at but not as coherently.

Yep, they're all similar to correct horse battery staple or "toilets excite pregnant cabbages".

Similar happened to me the other day with Google. Tried to log in for the first time in a few years. Browser has correct login name and password. Upon login, they demand a phone number to text a code to. Aren't getting it. That was rather disturbing, and then to pour some salt on the wound, they sent an email to my inbox with the text, "someone has tried to login with your password!" Thanks. :-/

I'm really tired of "your valid credentials aren't good enough, comrade. Please come with us to print your extra papers!"

Yeah I hate that Google (and others) all demand a mobile number so they can a) send you text spam and b) use it as a unique customer identifier to match you with their advertising and business partners.

> How is this acceptable? Of course, the support told me that my data is secure ... so secure I cannot access it!

Well, this is kind of the point. You may or may not remember that mere weeks before Apple rather forcefully encouraged people to set up 2FA, numerous female celebrities had their accounts breached and rather personal images leaked to the world. When you were prompted to set up 2FA, you were given warnings (on multiple screens, no less) that no-one can help you recover the account if you lose the details. I believe there was also a single chance to save recovery codes, though I'm not sure if the process has changed in the time that has since passed. This one's on you. Apple support aren't going to get you back into an account for which you cannot provide the security answers. Those were your proof that you are indeed you.

As the sibling comment is saying, I never set up 2FA on my account. When I do, I'm using TOTP and store backup codes. Apple decided to force 2FA and use security questions as the second factor on my behalf. On top of this, many companies provide customer support to reset 2FA with another way to verify who you are.

> When you were prompted to set up 2FA

My understanding is that OP did not set up MFA, they provided random answers to security questions which were (at that time) used only as an account recovery mechanism. My further understanding is that Apple unilaterally changed the account policy to require MFA, and automatically used those security questions as a (presumably temporary) second factor. From my reading of the first few search results, this MFA requirement doesn't apply to all accounts (and alarmingly MFA isn't even available to all accounts?!). It seems likely to me OP's has a developer account, which would have the MFA requirement. It's not clear to me how Apple migrates any account when they make their auth policy stricter for that account. If Apple did in fact change policy such that OP was previously able to gain authorized access by password, but subsequently was not with no action taken by OP, Apple should provide some alternative means to regain authorization, even if only to recover purchases, which would harm no one. Security is an imperfect spectrum which coexists on another imperfect spectrum of convenience. The previous mechanism was effectively like leaving a key under a hypothetical doormat. OP's description is that Apple placed a new lock inside the door they can already enter, demanding OP produce a key Apple left under that doormat as a matter of convenience in case the previous key was lost. If you told me that one day I might need a former convenience I don't use and didn't ask for to enter my home, well... it's my home.

If my home is a rental, I'd have the right to recover my belongings (and to complete the term of my lease, but this is where the abstraction breaks down because digital services have very few consumer protections). OP certainly isn't entitled to any further service from Apple. But they're certainly entitled to the goods they've already purchased. Even if the terms of service (almost certainly derived from or similar to the butt of joke iTunes ToS) disagree. Apple can't morally just put a lock inside your door and claim it owns what's behind that. I've intentionally buried this disclaimer: I like Apple products and have been a customer since the 1990s. I expect more of them than this. I left this till last because I think the above is pretty straightforward and my loyalties to a brand should not influence that.

Give their chat another try. I went through the same a while back and they reset my password.

I believe this is the right answer. They can usually fix it over the phone. Apple's primary technical support issue is people who are locked out of their Apple ID/iCloud/iTunes/etc. accounts for various reasons. It's tricky because another big issue is scammers trying to steal or break into other people's accounts. It's also why Apple veers away from privacy by encouraging key escrow for iCloud - otherwise users will lock themselves out with no recourse. In this case it sounds like it is Apple's fault and they should be able to fix it. If you still own an Apple device (presumably you do if you care about the App Store) usually it can be registered (Apple may have to do this if you can't) and used for 2FA. Since you own the payment method for your purchases, that should help as well.

I can reset the password myself, what they won't do is reset the security questions through an email for example. They told me that if I don't have the answers, there is no way to recover my account.

The person I was chatting with triggered the password reset mail, and stripped my security questions. As said, I was in exactly the same situation and probably entered random answers to their security questions years ago. When I went through the password reset they set up, I no longer had to enter those security questions. Point is, they're able to remove the additional step of providing answers to the security questions by their customer chat service. Give it some more tries until someone's on the other side willing to do so.

What is with people giving random answers for security questions? I understand not providing "true" answers, but random gibberish you have no hope of recalling? Why on earth would you ever do that?

They were valid years ago when I was a kid but god knows what my favorite food was 10 years ago.

Ah, ok that makes more sense :D

There probably is, but it is complicated and involves waiting for a few weeks. Not all representatives might be able or willing to do this.

> Problem is, right now, the second factor is security questions to which I don't have the answers (I probably entered random gibberish years ago).

Cold comfort now, but... don't do that. Try to keep escalating the issue. Maybe go in person to an Apple store?

> Cold comfort now, but... don't do that.

If you answer security questions honestly, you're very vulnerable to account takeover. Most of the answers are public information about a person (where did you grow up kind of thing), or so arbitrary I wouldn't remember what I answered anyway (what's your favorite movie/food/etc). The best strategy I've found is to answer them with random passphrases, and store the answer in my password manager. Passphrases are important because you want it to be words you can speak over the phone. It's often customer-service who will ask.

How else do you think 2FA is meant to work? If you could simply bypass it that defeats the point of 2FA. The question should really be why you would put random gibberish in for your 2FA answers: at the very least they should be systematic responses.

But I never set up 2FA on my Apple account, security questions were meant to be used as an account recovery procedure if you lost access to your account email. THEY set it up as 2FA and as a result I can't log in. I have accounts on numerous websites and this is the first time I'm completely locked out. I would gladly send my ID card to Apple but apparently this is not an option.

Secret questions are _barely_ 2fa or not 2fa at all, depending on the implementation, they're just about the worst idea in security. They're either public info, arbitrary, or some combination of the two. If you answer them honestly you're very vulnerable to account takeover. Many places treat them as a strict override of the password instead of something additional to a password. The only sensible way to treat them, as a user, is as backup passwords, which ends up making quite little sense.
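The practice several commenters converge on (treat security questions as backup passwords: a random but speakable passphrase, unique per site, recorded next to its question in the password manager) put into code. This is an added example, not code from any commenter; the word list and the `vault` dict are constructed stand-ins for a real published word list and a real password manager.

```python
import math
import secrets

# Constructed, deliberately small word list for this demo. A real setup
# would draw from a large published list (the EFF long list has 7776 words).
WORDS = (
    "cabbage excite toilet waffle anchor bridge candle dragon eagle fabric "
    "garden hammer island jacket kettle ladder marble needle orange pepper "
    "quartz rocket saddle timber umbrella velvet walnut yellow zipper "
    "basket copper meadow"
).split()


def entropy_bits(n_words: int, list_size: int) -> float:
    """Guessing entropy of n words drawn uniformly from a list of list_size."""
    return n_words * math.log2(list_size)


def generate_answer(n_words: int = 4, words=WORDS) -> str:
    """A fresh random passphrase to use as one security-question answer.

    secrets.choice is a CSPRNG, unlike random.choice; the result is plain
    words so it can be read out to a support agent over the phone.
    """
    return " ".join(secrets.choice(words) for _ in range(n_words))


def is_speakable(answer: str) -> bool:
    """True if the answer is lowercase dictionary-style words only."""
    parts = answer.split(" ")
    return bool(parts) and all(p.isalpha() and p.islower() for p in parts)


def record_answer(vault: dict, site: str, question: str, answer: str) -> None:
    """Store the answer keyed by site and question, so nothing is reused
    across sites and the exact wording of the question is kept too."""
    vault.setdefault(site, {})[question] = answer


def lookup_answer(vault: dict, site: str, question: str):
    """Retrieve the stored answer, or None if this site/question pair is unknown."""
    return vault.get(site, {}).get(question)
```

With the small demo list, four words give 20 bits; with a 7776-word list the same four words give roughly 52 bits, far more than any honest answer to "city of birth".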