by pseudonym 4301 days ago
Is it still a social engineering hack if a well-known celebrity with their personal info broadcast all over the internet decides to use that personal info to secure their account? Or rather, is that a social engineering hack on Apple, or on the celebrity themselves?

And what should Apple do in this situation? If your name shows up in tabloids, not allow you to answer certain security questions? Require 2FA if your name is mentioned on Google more than a certain number of times?

I don't feel this is an Apple problem any more than it would be if someone created their iCloud password and then posted it on their Twitter.

2 comments

"Require 2FA for everybody, full stop" would do the trick.

The proposed solutions you outline all assume that "password + security question" is only an insecure system for celebrities. But we have enough experience by now to know it's an insecure system for everyone.

> "Require 2FA for everybody, full stop" would do the trick.

How do you require 2FA for the Find My iPhone application when the only context for using that application is one in which your phone is lost?

Most 2FA schemes give you some backup codes. I'm sure people use Find My iPhone differently, but it's not unreasonable to expect it to be used rarely. Once your device is back in hand you could generate a few new backup codes.

Allowing people to create their own security question/answer pair would be an excellent start.