Skip to main content

...and sometimes, they don't

I had a slightly disappointing experience with Apple support today.

I've been an Apple user for many years. I created an Apple ID back when they introduced the iTunes music store. I've used it ever since.

A few years ago, when Apple was getting a lot of bad press because people's Apple IDs were getting hacked, Apple introduced 2-step verification for Apple IDs. When you switched to 2-step, you're given a recovery key (an RK) -- a long password-like string. They warn you at the time that you must store your RK in a safe place. I thought that I stored it in a known, safe place.

Back in mid-May, after returning from overseas travel, I decided to change the password on my Apple ID. Something went wrong. Neither my old password nor my new password worked any more.

It turns out that if this happens, you eventually end up at this Apple support page. Short version: you must have either your password or your RK. Lose both, and you're screwed.

So, I went to get my RK, and it wasn't where I thought it was. It wasn't in the other place where it could have been, either. Uh, oh. There's a remote chance that it's in a storage locker on another continent, but it's probably gone.

Now, I don't use my Apple ID for much any more, but I do have a Macbook with the "Find My Mac" feature enabled. With this feature, in theory, if my computer is stolen, I can use "Find My Mac" to locate it. When I changed my password, my Macbook lost its mind. I was getting constant pop-up messages warning me that there was a problem with my Apple ID. A new message would appear the second I closed the old one. Because of "Find My Mac", the computer wouldn't let me disable the Apple ID without entering my password.

I'd been procrastinating, but today, I finally called Apple Support. They offered three languages: German, French, and Italian. Fortunately, I chose German and the support agent spoke English. We spent a long time on the phone. She kept insisting that their system showed no record of me changing my password, so my old password should work. Eventually, she pushed me to someone else with a lovely Irish accent. I started over, and the new agent quickly told me that without either a RK or password, the account was gone. 

"Okay," I said, "I can live with that. How, though, do I disable the warnings on my Macbook?"

It turns out that there's a trick: You create a new administrator account with another Apple ID. You turn on "Find My Mac" on the new ID. When you do this, you get a warning that "Find My Mac" can't be used on two different accounts from one machine at once. Then, it asks if you'd like to disable the service on the other account. If you choose "Yes", it doesn't prompt you for the other account's password. It just disables it. Having done that, I was able to remove both old and new Apple IDs from the machine.

Upside: my Macbook is usable again. Downside: 10 years worth of iTunes songs gone. A few photos from iPhone 4 days gone (fortunately, I have backups of most of them). A curious security gap in the "Find My Mac" service discovered. Oh, and well over an hour on the phone wasted.

Lesson learned: don't touch ANYTHING with an Apple ID unless you know where the Recovery Key is.

Comments

Post a Comment

Popular posts from this blog

The Chromecast conceptual model

Google makes a device called Chromecast . It's a relatively inexpensive way to turn any TV into a "Smart" TV capable of playing movies or music. It's a clever bit of engineering, but I've run into a few people who have trouble understanding how they work. The key thing to understand is that the Chromecast is the device that's actually receiving and playing the movie (or whatever), and your phone is just the remote. Here's how the process works at a high level: You start watching a video on Youtube 30 seconds in, you decide that you'd like to watch the rest on your TV, so you press the "Cast" button. Your phone stops playing and tells the Chromecast "Get this video directly from Youtube and start playing at the 0:30 mark"  When your phone initially asks the Chromecast to start playing, it also specifies a "default thing" to do when the Chromecast is finished. If the Chromecast is playing a Youtube video, it might...
Post a Comment
Read more

The Virus By the Numbers

I'm writing this because there's some really insane stuff that's being said by people who should really know better, and I'm sick of discussing it one post or email at a time. So, this is my One Big Post that I'll point people toward rather than bringing it up again and again. In case you haven't noticed, we're in the middle of a pandemic. Just so that we're all using the same terminology:  The virus is Severe acute respiratory syndrome Coronavirus 2 . It's usually abbreviated SARS-CoV-2. It's a brand new kind of Coronavirus, so for a while, before it had this awkward name, people were calling it "novel coronavirus". (For the non-English speakers and D students, "novel" is another word for "new".) The disease that the virus causes is called Coronavirus Disease 2019 , and it's usually abbreviated COVID-19. It's called that because it was discovered in 2019. This came out of nowhere in China in late ...
Post a Comment
Read more

Separate Addresses and Have I Been Pwned

Many years ago, I started giving out a different email address to every places that asked for one. To do this, I had to own a domain and set up email hosting. When I first set this up, I accepted email addressed to any address at my domain. Since then, email security has improved a lot. To use security features like DMARC , I had to stop accepting all addresses and had to only accept mail from a list of valid addresses. A few years ago, a guy by the name of Troy Hunt started collecting the lists of compromised databases and passwords that were floating around the internet. He put together a site called Have I Been Pwned  (HIBP) and after proving your ownership of a domain, you can request a list of all of the accounts at that domain that have been compromised. You can also do the same thing for a single email address if you don't own a domain. It's important to remember that this isn't a list of ALL compromised accounts -- only the ones that have made their way to ...
Post a Comment
Read more