Another Update... at the end of the iforgot process, Apple is supposed to send you an update within 24 hours as to what the disposition of your password reset request will be. In the past, if you opt not to receive a PIN via a registered iProduct, I've seen them say "we're going to wait 30 days and then allow you to reset your password." I imagine this is to discourage "bad actors" from launching massive efforts of password resetting. If a bad guy was able to convince Apple that they were the TRUE owner of an account, maybe that would give them an advantage in stealing services or user data. So sure, introducing a waiting time is not the worst idea in the world.

About 15 hours ago, I went through the process again and the response was (and I paraphrase) "tsk. tsk. do not annoy us with your password reset attempts. we're going to tell you more about how to recover in 15 hours." Again... annoying, but not horrible. If we're trying to make things difficult for bad actors, this isn't that big of an annoyance.

But at the end of the 24 hour waiting period, I still hadn't received an email from Apple at either of the email accounts I had used while trying to reset my AppleId. (The first is the one the AppleId was explicitly tied to and the second was an alt I use mostly for newsletters and subscribing to web site updates I'm halfway interested in. I used that because I couldn't remember if I had ever told Apple about that address.) And that seemed frustrating. You told me you were going to send me info about resetting my password, but you've welched on the deal.

And then I had a disturbing thought... Several years ago I created an AppleId with my work phone and a completely different throw-away gmail address. After digging up the password for that account, I logged in and sure enough... there's the email from Apple.

The only thing I can think is Apple tied my IP address or location to all three email addresses involved and somehow conflated them together. I send a reset request from me@not-a-gmail-domain.com and get a response on havent_used_this_address_in_a_year@gmail.com. That is very, very weird.

But the good news is Apple says I only have to wait 7 days to reset the password on this account.

I've been thinking about getting back into writing code for the PinePhone I bought a few years ago. Maybe I will get a pre-paid t-mob or mint sim and try to create a new AppleId at a coffee shop on the far side of town.

I can't say this has filled me with a great deal of optimism. Obviously this isn't happening very often and I'm a corner case. Otherwise we would surely have heard from thousands of people saying "I can't log into my Apple account!" I'm also sure that when the Apple people were thinking through the process flows, they didn't assume I might try to reset my password while in the 24 hour iForgot wait state.

I had been a registered Apple Developer since the late 80s, though the email address in question was only attached to my dev account since around 2006. AppleIds as we know them have gone through changes... 2FA... removing questions... adding the ability to reset from an iProduct. My guess is my id was generated shortly after AppleIds became a thing. Then I stopped using it for a while and they changed the schema of the database holding AppleID details and maybe I didn't log in during some critical time frame. Then I tried to log in and got marked as a bad guy trying to attack the security of Apple's user credential integrity. I'm not... but of course, if I was I wouldn't admit it.

In any event, I'm sure my original AppleId is hopelessly horked. And that id was tied to the mobile number I've had since 1998. I suspect if I try to use that number again, Apple will take a look at my IP geolocation, match it to previous attempts to recover the password and assume I'm again a bad guy trying to do bad things. If this hypothesis is correct, maybe my neighbors will have problems registering iProducts.

Apple can, of course, do whatever the heck it wants. I suspect they don't care enough to modify their processes because the number of people wedged in this state is vanishingly small. Millions (billions?) of AppleIds have been registered. Who cares if some dude from Seattle can't ever access Apple services with the email or phone identifiers they want to use.

I suspect the answer to this is going to be:

a) spin up an entirely new email address. I don't think Apple will have a problem with me using gmail as I'm sure they have millions of customers that already use it.

b) get a new phone number. Like I said, I was thinking about doing some coding on my PinePhonePro, so that's not a completely bad idea.

c) go across town to a coffee shop (or maybe the Apple store, do they have free wifi there?) and register a new AppleId.

d) NEVER FORGET THE PASSWORD I USED.

e) NEVER USE THAT AppleId AT MY HOME.

This is probably overkill, but Apple has successfully hidden the details of their user credential processes and I have to infer state and state transitions from their public behaviour. I really don't want to spend too much more time on this. (Now that I think about it... the problems we had with our dev certificate a few years back absolutely had the same "actual state is hidden behind an opaque wall of process" characteristic.)

All these problems are, I'm sure, Apple's way of limiting the effectiveness of social engineering attacks. And that's something I can respect. But if you're the by-catch of Apple's dragnet, it's absolutely annoying.