Easy method to reset password for Apple Account

FR98 wrote:

That is a great story that they are waiting 7 days to make it hard for someone to impersonate me. That when I walk into the Apple Store to show myself in person, that is not enough, even with supporting IDs. Showing up as a real person is not enough. You would think that a company like Apple should be a little smarter than this. Or at least a little more human.

The delay is to ensure no other usage activity is happening, and any other active devices can extend or can block the reset.

This delay because, well, people lie about many things, lies which can include forgetting a password as a means to access an account of another; social engineering; hacking accounts.

If you want full control of the password reset, you can enable a recovery key, That disables the ability of Apple to reset the password, but allows you — with the inclusion of the recovery key — to reset a forgotten Apple Account password immediately.

The tradeoff between expediency and security is not an easy balance. But for most, hopefully forgetting a password is not a common event.

Account recovery for my Google account took 3 weeks. 🤷‍♀️ Friend’s phone would have given you the same results.

Set up an account recovery contact - Apple Support

Account recovery is a two phase process once started. Phase 1 is the evaluation period, usually 24-72 hours. This phase says Apple is evaluating your info and you’ll get emailed an update after the posted time is over (people mistakenly think it means they’ll be able to reset the password immediately after this first phase.)

Once phase 1 is done it enters phase 2 where https://iforgot.apple.com/ will give you the final amount of days (can be weeks) you’ll wait. On that final day you’ll get a text/call, follow that text/call immediately. If you don’t receive the text or call, once the period specified in the original email is over, you can still go directly to apple.com/recover. Follow the instructions to regain access to your Apple Account.

During the wait period make sure you are carefully following “After you start account recovery“ at How to use account recovery when you can’t reset your Apple Account password - Apple Support 

FR98 wrote:

A lot of actions today do not need a password to log into my account. For this forum Face ID is fine. For web, I can use my phone. Only on occasion is actual password is needed and you should occasionally change yours. I suppose more people are using password managers but that is something else to be hacked. Still, being in person with proper id should mean something but I guess being real person interacting with another human is not as trusted as what a computer believes.

Biometrics do not and cannot replace passwords preferably with two-factor authentication, or to passkeys. If (when) those biometrics fail, it’ll all fall back to passwords and two-factor or passkeys, too. More than a few people have lost access to their secured notes because they added a password, linked it to biometrics, and then biometrics somehow failed them. No password, no data access.

That you are not using a password manager can mean an exceedingly good memory, a notebook of passwords (works fine if your storage is secure), very few passwords, or (and this goes from easy to complete disaster just as soon as one copy leaks, and that happens on the attackers’ schedule) password re-use. Among other benefits, a password manager won’t auto-fill a phishing site. (Oh, and websites can read input fields before submission.)

In recent years, we are one of the weakest points in security, if not the weakest. We get phished. We get scammed. We lie. We get bribed or compromised. We get tired or busy and careless. We re-use passwords. We try to socially engineer access to others’ accounts. Whatever. And at a scale of billions, that then means checklists and consistent procedures and automation get implemented and used, too.

Your current password management approach failed. You were luckily able to recover access here, though that recovery required more time than would have preferred.

In the future, if you get phished, or if your credentials get re-used and credential-stuffed (and with either no two-factor, or otherwise compromised, or with some two-factor exhaustion or bypass attack), you will not be able to recover.

What can be done? Set up a legacy contact as appropriate, set up a recovery contact as appropriate, set up two-factor authentication, set up a notification address if you can, and use a password manager to generate robust and unique passwords, or to manage passkeys. (info: Better Securing Your Data, and Apple Account - Apple Community)

That’s the security feature of 2 factor authentication. This is not just an Apple thing, it’s used by banks, Google, etc.

You have not set up options available to help yourself in these situations. A recovery contact, adding a second trusted number, etc.

Apple isn't trying to make things hard for you. They are trying to make it hard for somebody pretending to be you and asking them oh so sweetly can't Apple give them access to "their" account? A shoeluvr13 outlined, there are things you can set up to get around this kind of situation, you just have to do them in advance of forgetting your password.

Yes there are security issues. Those are people who cannot prove they are the true owners of accounts and who try to get into accounts, many of whom are therefore indistinguishable from scam artists. That's what is generating all this security stuff.

“Just think if I was customer service at a bank. A customer walks in and tries to access their account.”

These are not comparable situations at all.

“That when I walk into the Apple Store to show myself in person, that is not enough, even with supporting IDs. Showing up as a real person is not enough. You would think that a company like Apple should be a little smarter than this. Or at least a little more human. “

Users have been in full control of their accounts for at least 3 years now because of social engineering and scammers. If you want to go with a less secure alternative that’s your choice. Yet again you could have prevented this by using options available to you. This is the direction many companies are going with account security so make sure you keep aware of feature’s and requirements when you do change.