As always, the devil is in the detail.

How do you do 2FA when attempting to login to use the on-board wifi when in flight? Neither SMS nor email are going to work. OK, so maybe you choose to bypass it for that channel.

What about simply accessing the UA website whilst in flight? Again SMS isn't going to work, and nor is email if you haven't paid to access to the Wifi. So now you'd have to whitelist all onboard Wifi IP address to bypass the 2FA - possible, but certainly not trivial.

Then you've got the whole situation of travelers not having global roaming, not being able to receive SMS messages when traveling, or having their normal SIM card out of the phone and using a local SIM. These can be handled (possibly with some complexity by the traveler) by doing email-based 2FA, but the end result is still going to be unhappy customers and more calls to phone agents, which ends up costing United more. Of course, these same issues exist for other websites that do 2FA, but fundamentally it feels different to the user when it's their travel provider that is making them jump through such hoops. It's one thing for my bank website not to work well when I'm outside of my home country, but I expect my airlines website to be fully available at my destination without issues!

The simple fact is that United has countless security issues that they still need to fix. The amount of information you can get, or the actions you can take, knowing nothing more than a PNR (and not even a name) is scary...