Apple has long had trouble with truly basic concepts of authentication, but lately they've gone off the rails.
It's not just the new and quite demanding Apple ID password requirements that will lead most customers to put them into iPhone Notes -- since it must be entered each time you buy something.
It's not just the bug in their password instructions; when they say "no more than 3" repeating characters they mean "no more than 2" repeating characters (test it yourself).
It's not just that Apple prevents one from seeing the ugly and unmemorable Apple ID that we have to type in -- while also disallowing copy/paste into the password field (take that password manager!).
It's not just that Apple's Apple ID maintenance UI wants me to change my primary email address to match my .mac ID -- which doesn't have email.
No, it's even worse than all that. The big problems are the proliferation of Apple IDs, and a bug that hit my very old Apple ID.
By trial and error I've discovered I have no less than four distinct Apple IDs.
I have an Apple ID that matches an old MobileMe account I abandoned years ago.
I have an Apple ID that matches my current MobileMe account. When I changed its password I also changed my MobileMe account password.
I even found an old developer account that is now an Apple ID too. (Apple merged these databases). So that's #4. It has yet another email address of mine and so I verified that.
Lastly I have the Apple ID that is associated with hundreds of dollars of purchases. That's the one I care about -- and that one has two email addresses associated with it. That's critical for password security. One of the email addresses is my personal Gmail address.
Except ... neither of them are "validated". That's bad.
Apple won't let me validate them either. It claims both are associated with other Apple IDs.
One of them is my current MobileMe email. Since I've discovered that account morphed into yet another Apple ID, that makes sense. I removed that one and added a new email that I was able to verify (I own my own domains, so it's easy to make email redirects).
Then I tried removing the Gmail address and adding it back in. Uh-Oh, that's no longer allowed. It's been orphaned.
I check each Apple ID in turn, including my mother's and the kids. The Gmail address is not associated with any of them. So is there a fifth AppleID somewhere? Is there a bug? Is there a security breech?
There's more. After I changed the email address and password for my mac.com Apple ID, Apple enrolled me in iCloud for that account! So now it has an email address too?
I'm beginning to understand why Apple's share price is relatively low. If they can't manage something this basic, they're in trouble.
Apple, if you need a clue, here's a few:
- We need a way to delete Apple IDs. Unwanted IDs are a security risk.
- Or we need a way to merge Apple IDs!
- You need to fix my gmail bug Apple. If #2 is not a bug, you need a way to reclaim that address (does someone else have it as "unverified"? Is that part of how iTunes accounts are hacked?
- Apple's messed up Apple ID system: what are they smoking?! 7/2008 (!)
- Apple's identity and account system is screwed up. Again. 10/2008
- Apple is again messing with Apple IDs – pay attention! 6/2009
Update: I've figured out the bug. It arose as a side-effect of changes to the way Apple IDs work, and it only impacts people who are still on MobileMe accounts and who have the same email address associated with two Apple accounts prior to the time Apple made that illegal. In brief:
- The Gmail address was a validated 'send as' forwarding address in Mobile Me Mail.
- The Gmail address was the primary email on my mac.com Apple ID.
- Then Apple created an Apple ID for Mobile Me email. Somewhere in Apple's databases the Gmail 'send as' address became an alternate email for the new Apple ID. HOWEVER, it was already a primary email for another Apple ID. So it didn't display in the AppleID maintenance screens for my Mobile Me account.
- Since it existed in the database, however, it couldn't be validated in my .Mac account.
- When I removed it from my .Mac account I wasn't allowed to add it back, since it was associated with my MobileMe account -- but in a partial state there.
- It couldn't be located using my First and Last name in the Apple ID locator page because it wasn't properly associated with the MobileMe account. However, Apple's 2nd tier phone support was able to see it there.
- I went to the MobileMe account and added the email manually. It suddenly appeared -- as verified! I removed it, but Apple Support confirmed it didn't remove completely. So I left it "verified" with the MobileMe account. Now I know where it is.
Apple is closing MobileMe, so there's no way they'll ever fix this bug. I'm glad I seem to have fixed it however, it might have screwed up my iCloud migration. I think before I go to iCloud I'll remove that forwarding email address.
Postscript: Apple's Support Profile is supposed to show the products associated with my Apple ID. I think it used to. I don't see them any more. It says my home number is associated with a different Apple ID...