Secondary Apple ID Mess and Inadvertent Password Reset
I was doing some testing with Apple Mail on my test Mac using my test iCloud account. I made a fresh macOS user account and entered the Apple ID, but Apple said it was “locked for security reasons.” Who knows why?
To unlock the account, it wanted me to verify using one of my other Apple devices. I got the notification on both my main Mac and my iPhone. I clicked the button on my Mac to open System Settings, which it did, but it didn’t show a verification button or any security information at all. So I went to the iPhone and tapped the button, which I think said Allow.
It then said I had to change my password. That was annoying because I remember the password for this account, which I frequently enter on test setups where I don’t have access to a password manager. But I picked a new password. I then got a flurry of notifications and e-mails on my Mac. It turns out that it changed the password of my main Apple ID. Why would it do that when it was unlocking the test Apple ID? And why doesn’t the password reset screen tell you which account it’s resetting?
I quickly tried to change the main Apple ID’s password back, but it wouldn’t let me because the password I wanted had been used within the last year. Yes, that was my intent. I’ve been using this password probably back to the opening of the iTunes Music Store. It’s pretty much the only one aside from the passwords for PasswordWallet and my Mac that I’ve memorized. I didn’t want to memorize something new, so I appended a “2” to the end, which I’m sure is really increasing my security.
Of course, since the wrong password got reset, my test account still needed unlocking. I went through the same path again, and again it wanted to reset my password—but this time I declined. The only way out seemed to be to tell it that I didn’t have access to any of my Macs or iOS devices. Then it would let me verify the account using SMS instead.
The verification code never arrived on my Mac, and around this same time my wife called to see why I hadn’t replied to her recent iMessages. I realized that somehow the password reset had disconnected the Messages app on my Mac. It was still logged in and could still send iMessages, but it wasn’t receiving anything. My iPhone and Apple Watch did receive her messages but never notified me, perhaps because they could see that I was active on the Mac? I signed Messages out of iCloud and signed back in, and then I was able to receive new messages, but it never synced any of the old, missed messages to the Mac, even though I have Enable Messages in iCloud checked.
I found the SMS code on the iPhone and reset the test Apple ID. I then signed into iCloud on the test Mac, but it wanted one more verification: Enter the password you use to unlock the MacBook Pro. It said the password was wrong, even though it was the same one I had just entered to log into the test account. The error message said, “Enter Password for Other MacBook Pro. Enter the password for ‘mbp19-sonoma’, which is not the password for this MacBook Pro.” Well, actually, mbp19-sonoma is this MacBook Pro. It turns out that it wanted the password for my other macOS user account on this same MacBook Pro. I guess this is because that account had signed into the same iCloud Keychain. But, as before, it was not clear because it never said which username it was referring to.
Summary: I can now access the test iCloud mail account, but both my test and main Apple ID passwords are changed, and Messages on the Mac still has a gap with messages missing. I will try to remember to always tell Apple that I’ve lost all my devices so that this doesn’t happen again.
Previously:
Update (2023-10-24): Resetting the Apple ID password also required generating new app-specific passwords (e.g. for Fantastical) and entering them on all of my devices.
Apple needs to join the real world in which people have multiple iCloud accounts, and make it easier to link devices to more than one at a time. Better yet, since we’ve all been begging for over a decade, give us a way to merge accounts.