I need to create responses to the above security questions before I can purchase items through Apple’s digital stores. The problem: I actually don’t know the (legitimate/real) answers to any of the questions.

Admittedly the best security procedure, in the face of any vendor authentication questions, is to produce garbage/unrelated responses to any authentication questions that vendors ask. This said, it’s a a bit insane that I have to do this for the questions Apple has provided. Now, is this a problem that most people can overcome? Of course. They just write in answers and (somewhere) they write down their responses. I actually could use 1Password for this, a terrific password and identity manager that I highly recommend. This said, I’m not going to bother. Purchasing the $20 piece of software just isn’t worth the effort for me: in effect, Apple has succeeded in dissuading me from making an impulse purchase. That’s really not great for the business of app developers (Apple, really, doesn’t care that much given the relative amount that the app store contributes to their overall yearly profits).

You might wonder why these questions are being asked. I suspect they’re largely in response to the Mat Honan hack. In short, a Wired reporter’s Apple, Amazon, Twitter, and Google accounts were hacked so a third-party could masquerade as Mat on Twitter. This led to a ridiculous level of criticism in the press concerning how Apple authenticated users’ identities. I have no doubt that these questions – again, pictured above – are largely meant to better authenticate users and thus avoid identity fraud.

The problem of authentication fraud can be devilishly hard for companies to address. In the case of Apple, there is no option for the user to generate their own questions and responses. This might be seen as good security amongst ‘professionals’ – it prevents really, really crappy questions and easily found responses – but it creates an incredibly poor user experience. While writing down passwords isn’t the horrific nightmare scenario that some security analysts declare, expecting people to find those responses when they’re in trouble – such as their accounts have been hacked – will meet mixed results at best. Further, given how other companies tend to follow Apple’s lead(s) it’s only a matter of time until more and more (less security conscious) companies adopt similar or identical security questions/answers. Such adoptions will limit the relative novelty of Apple’s authentication questions and thus reduce their capability to genuinely authenticate users’ identities. Consequently, such questions (in the short and long terms) will likely just leave its customers frustrated.

Ultimately, this kind of authentication really is less than ideal; more nuanced and (to the user) transparent analytics protocols to detect aberrant behaviours and then recover accounts would be far, far superior to what Apple is presently rolling out. Hopefully it doesn’t take further authentication failures, on Apple’s part, for them to realize the error of their ways and correct it.