I have always thought that the PNR/last name combination as a username/password was extremely weak, considering that it is sent in cleartext.
For example, our corporate TA blocks time in our calendars with the flight information, including the PNR. Every employee can see each other's calendar. So it would be trivial, for a prankster or a disgruntled colleague, to make a mess out of it.
I guess a sensible solution would be to allow small changes (seat selection, FQTV, OLCI) just with PNR and last name, and more substantial ones (rebooking or cancellation) with more information (birthdate or passport number).
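The tiered check proposed in the comment above, sketched as an added example that is not part of the original comment or of any airline's system. The action names, booking fields and the sample record are constructed assumptions.

```python
import hmac
import unicodedata

# Action tiers as proposed in the comment; the identifiers are assumptions.
LOW_RISK = {"seat_selection", "fqtv", "olci"}
HIGH_RISK = {"rebooking", "cancellation"}

# Constructed sample record, not real booking data.
BOOKING = {"pnr": "ABC123", "last_name": "Müller",
           "birthdate": "1980-02-29", "passport": "X0000000"}


def _norm(value):
    """Case- and accent-insensitive form, so 'Müller' matches 'MULLER'."""
    decomposed = unicodedata.normalize("NFKD", value.strip().upper())
    return "".join(c for c in decomposed if not unicodedata.combining(c))


def _same(supplied, stored):
    # Constant-time comparison of the normalized values.
    return hmac.compare_digest(_norm(supplied).encode(), _norm(stored).encode())


def authorize(booking, action, pnr, last_name, birthdate=None, passport=None):
    """Return (allowed, reason) for one requested action on a booking."""
    if action not in LOW_RISK | HIGH_RISK:
        return False, "unknown action"  # fail closed on unclassified actions
    if not (_same(pnr, booking["pnr"]) and _same(last_name, booking["last_name"])):
        return False, "pnr/last name mismatch"
    if action in LOW_RISK:
        return True, "ok"
    # High-risk tier: require one extra factor that is not printed on the
    # itinerary or visible in a shared calendar entry.
    for supplied, key in ((birthdate, "birthdate"), (passport, "passport")):
        stored = booking.get(key)
        if supplied and stored and _same(supplied, stored):
            return True, "ok"
    return False, "step-up required"


if __name__ == "__main__":
    print(authorize(BOOKING, "seat_selection", "abc123", "MULLER"))
    print(authorize(BOOKING, "cancellation", "ABC123", "Muller"))
    print(authorize(BOOKING, "cancellation", "ABC123", "Muller",
                    birthdate="1980-02-29"))
```

A booking that has no birthdate or passport on file can never pass the high-risk tier in this sketch, so the extra factor has to be collected at purchase time.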