I'm trying to access my Apple account for the first time in years. I have the email and password in my password manager, but apparently Apple recently made 2-factor authentication mandatory. Problem is, right now, the second factor is security questions to which I don't have the answers (I probably entered random gibberish years ago).
I tried to reset them, but Apple asks me for at least one answer to a security question. I got on a chat with the support, and they can't do anything, except telling me to create another account.
I therefore lost access to everything I "bought" on iTunes and the App Store even if I have the correct login and password for my account.
How is this acceptable? Of course, the support told me that my data is secure... so secure I cannot access it!
It may be difficult since this is a classic way to take over an account through phishing and they have been trying to block that kind of thing.
I hate those security questions because, if you answer with real data, it can be guessed by others. If you answer with gibberish, then you need to document your answers and store them like passwords.
A lot of the time these can be used to reset your password, so you've compromised the security of your (hopefully much more intelligently) chosen password. In addition, if a breach ever leaks or a phishing attempt ever intercepts your security question answers, you expose all your accounts to takeover.
Makes social engineering nearly impossible.
That was rather disturbing, and then to pour some salt on the wound, they sent an email to my inbox with the text, "someone has tried to login with your password!" Thanks. :-/
Well, this is kind of the point. You may or may not remember that mere weeks before Apple rather forcefully encouraged people to set up 2FA, numerous female celebrities had their accounts breached and rather personal images leaked to the world.
When you were prompted to set up 2FA, you were given warnings (on multiple screens, no less) that no-one can help you recover the account if you lose the details. I believe there was also a single chance to save recovery codes, though I'm not sure if the process has changed in the time that has since passed.
This one's on you. Apple support aren't going to get you back into an account for which you cannot provide the security answers. Those were your proof that you are indeed you.
On top of this, many companies provide customer support to reset 2FA with another way to verify who you are.
My understanding is that OP did not set up MFA, they provided random answers to security questions which were (at that time) used only as an account recovery mechanism. My further understanding is that Apple unilaterally changed the account policy to require MFA, and automatically used those security questions as a (presumably temporary) second factor.
From my reading of the first few search results, this MFA requirement doesn’t apply to all accounts (and alarmingly MFA isn’t even available to all accounts?!). It seems likely to me OP has a developer account, which would have the MFA requirement.
It’s not clear to me how Apple migrates any account when they make their auth policy stricter for that account. If Apple did in fact change policy such that OP was previously able to gain authorized access by password, but subsequently was not with no action taken by OP, Apple should provide some alternative means to regain authorization—even if only to recover purchases, which would harm no one.
Security is an imperfect spectrum which coexists on another imperfect spectrum of convenience. The previous mechanism was effectively like leaving a key under a hypothetical doormat. OP’s description is that Apple placed a new lock inside the door they can already enter, demanding OP produce a key Apple left under that doormat as a matter of convenience in case the previous key was lost. If you told me that one day I might need a former convenience I don’t use and didn’t ask for to enter my home, well… it’s my home. If my home is a rental, I’d have the right to recover my belongings (and to complete the term of my lease, but this is where the abstraction breaks down because digital services have very few consumer protections).
OP certainly isn’t entitled to any further service from Apple. But they’re certainly entitled to the goods they’ve already purchased. Even if the terms of service (almost certainly derived from or similar to the butt-of-joke iTunes ToS) disagree. Apple can’t morally just put a lock inside your door and claim it owns what’s behind that.
I’ve intentionally buried this disclaimer: I like Apple products and have been a customer since the 1990s. I expect more of them than this. I left this till last because I think the above is pretty straightforward and my loyalties to a brand should not influence that.
Apple's primary technical support issue is people who are locked out of their Apple ID/iCloud/iTunes/etc. accounts for various reasons. It's tricky because another big issue is scammers trying to steal or break into other people's accounts.
It's also why Apple veers away from privacy by encouraging key escrow for iCloud - otherwise users will lock themselves out with no recourse.
In this case it sounds like it is Apple's fault and they should be able to fix it.
If you still own an Apple device (presumably you do if you care about the App Store) usually it can be registered (Apple may have to do this if you can't) and used for 2FA.
Since you own the payment method for your purchases, that should help as well.
Cold comfort now, but... don't do that.
Try to keep escalating the issue. Maybe go in person to an Apple store?
If you answer security questions honestly, you're very vulnerable to account takeover. Most of the answers are public information about a person (where did you grow up kind of thing), or so arbitrary I wouldn't remember what I answered anyway (what's your favorite movie/food/etc).
The best strategy I've found is to answer them with random passphrases, and store the answer in my password manager.
Passphrases are important because you want it to be words you can speak over the phone. It's often customer service who will ask.
They're either public info, arbitrary, or some combination of the two.
If you answer them honestly you're very vulnerable to account takeover. Many places treat them as a strict override of the password instead of something additional to a password.
The only sensible way to treat them, as a user, is as backup passwords, which ends up making quite little sense.