FlyerTalk Forums - View Single Post - UA initiates Account Security Update (Security Q&A authentication added 2016)
Jan 27, 2023, 1:23 pm
  #617  
jsloan
FlyerTalk Evangelist
 
Join Date: Oct 2001
Location: Austin, TX
Posts: 21,386
Originally Posted by RNE
No, you're not being fair; you cherry picked the bank example. Let's look at the others you conveniently overlooked. To wit, I'm never on the premises of Google or Apple, or T. Rowe Price, or TurboTax, or UTC, or Geico, or the U.S. Treasury, etc., yet I might want to access any of their websites while aboard a flight and be unable to -- which I'm fine with. I nevertheless want 2FA all the other time. What's really "unfair," as you put it, is trying to excuse United's lack of 2FA because of some hours spent inflight versus the 8760 hours in every year. But do keep trying.
You still seem to think that 2FA is useful. In most cases, it's security theatre. That said, if UA wants 2FA, they will need 2FA that works in the air. There's no cherry-picking here; they are an airline. They cannot, with a straight face, launch a security system that would prohibit you from doing business with them while you are actively doing business with them.

And 2FA that works in the air is not difficult; you use an OTP system to generate a soft token, as described.

I'm not "excus[ing] United's lack of 2FA because of some hours spent inflight." I'm excusing it because 2FA is (a) pointless in the travel industry and (b) pointless if not taken seriously. I'm willing to bet that most, if not all, of those other companies don't take 2FA seriously. The closest might be Apple, because at least they do a push notification to your other devices, instead of something that goes to the device you're currently using.

If a company sends you an SMS code, they're not taking 2FA seriously.
If a company lets you call their customer service to change your phone number, they're not taking 2FA seriously.
If a company lets you download your soft token, they're not taking 2FA seriously.

Anyway, I think this topic has been beaten to death. I don't like 2FA; I don't have any need to "secure" my UA account. If other people want to use it, fine; if they require it, it will be slightly irritating but I'll get over it. Feel free to write to UA and complain about how they're not taking security seriously by not having 2FA.