We were told the primary verification is based on password strength. If your password was not easily hackable, then you can use email verification and login to change your password.
That did not happen, why?
Was your password easily hackable?
Maybe this is the key point. My previous password was 24 characters, alphanumeric, and might have had some special characters in there.
Perhaps their definition of "not easily hackable" requires more than 20 characters, or something else unintuitive.