by olliej 1429 days ago
How else do you think 2FA is meant to work? If you could simply bypass it that defeats the point of 2FA. The question should really be why you would put random gibberish in for your 2FA answers: at the very least they should be systematic responses.
2 comments

But I never set up 2FA on my Apple account; security questions were meant to be used as an account recovery procedure if you lost access to your account email. THEY set it up as 2FA and as a result I can't log in. I have accounts on numerous websites and this is the first time I'm completely locked out. I would gladly send my ID card to Apple but apparently this is not an option.

Secret questions are _barely_ 2FA or not 2FA at all, depending on the implementation; they're just about the worst idea in security.

They're either public info, arbitrary, or some combination of the two.

If you answer them honestly you're very vulnerable to account takeover. Many places treat them as a strict override of the password instead of something additional to a password.

The only sensible way to treat them, as a user, is as backup passwords, which ends up making quite little sense.