2 factor authentication
 

Has anybody been able to figure out if American Airlines' website supports 2 factor authentication

Thx

Lol.

AA.com can barely let you book flights, and the app can't even keep you logged in. 2FA is a pipe dream

Genuine question to the op? Has your aa account been comprised before?

Never but I can't recall any provider that has any value in $ or miles where I haven't turned on 2-factor

AA's idea of 2-factor authentication is entering your AAdvantage number AND your last name!

I envision in the next few years this may become a thing with sites like this that retain customer info and balances, be it money or other currently like airline points. Or, when AA gets hacked in a majorly embarrassing and expensive way. I'm guessing that the level of mileage theft is low enough that it's not a priority.

This is unfortunately true. I detest 2 factor authentication and have had nothing but trouble with some websites (e.g. Amtrak) where I can no longer log in without clearing cookies every single time (otherwise when I enter the authentication code, it simply loops back and sends me a new code, over and over). And don't get me started on the "captcha" stuff (one of many reasons why I can't imagine being a Hilton person).

^^THIS^^^

Hilton has to have one of the worst major brand travel sites in the world. Fortunately, using the iOS app doesn't have the CAPCHA problem.

Is it just me but I have no desire when I'm trying to pull the app up in the airport/AC for any number of reasons and needing to get a code text to me to do so.

My relative's account was hacked. 600k miles gone. So, I for one would prefer to have two factor authentication.

I too usually use two factor on websites that support it but for aa.com I actually wish they would implement recognized customers so that for low security things like viewing itineraries, miles, history it wouldn’t require me to log in so often and just prompt for recent authentication via password when doing something high security (eg redeeming miles for a booking, making a booking using a saved credit card, etc). I feel like I am logging in using credentials so often on aa.com.

SMS is one of the less secure and also less convenient 2nd factors. Almost as bad as email. If AA would support U2F, or TOTP apps like Google Authenticator, that would be great. I’m so tired of solving 3 captchas just to make a single Hilton reservation but it doesn’t have to be like that.

SMS isn't particularly useful for 2FA on a phone anyway. If you have access to the phone, then you'll likely have access to SMS too.

A properly built app would allow fingerprint or face id as the second authentication for devices that support it. All websites, where it matters, should support MFA, especially if they are accessed via a web browser.

Our IT training just showed how someone can even avert the push notification 2FA by directing you to a bad website, capturing the cookie data fed back after the 2FA, and then pasting it into the web browser code. Nothing is perfect.

This is why state of the art for 2FA is U2F, which is also resistant to phishing attacks. This video explains how it works:

The idea isn't that it's something you desire to do in your daily workflows, but that you desire for a hacker to be unable to do it when they somehow get hold of your password. As with many security features, they add some amount of inconvenience, but the best versions (e.g., U2F) aim to minimize that inconvenience while maximizing the security value.

I learned at 7am today that someone hacked my account when my password was failing and I saw emails from 6am that my password and account info was updated.

I was able to get back in with my security questions and found a name, address, phone and email in the UK was attached to my account. I changed my info back, updated my password and security questions.

Points were not taken and future trips were still in tact. It was at this point I searched for MFA options but, as mentioned upthread, this is not a priority for AA.

Did I catch the issue quick enough (1 hour) that the hacker didn’t have time to muck with my account? Or should I be worried they may already have info they need to call in and redeem trips over the phone?

I don't think 2FA is a big deal among airlines given that reservations can be accessed online without any authentication at all.

You should definitely call AA about this. They definitely have all the info they need. It really isn't very much info.

Mine was hacked a year or two ago — they found the guy who did it and used all the miles, but said I had to report it to local police in his jurisdiction and they wouldn’t refund the miles until something substantial happened… I had to get a new AAdvantage number and everything.

So......this happened to me this morning (07/13/23):

https://viewfromthewing.com/american...tage-accounts/

I had logged in late last night (07/12/23) (more than once) just fine, like normal.

This morning I logged in like usual on the Login page, BUT...... instead of actually logging me in it took me to a page w/ 6 small boxes asking for my verification code that it had emailed to me. I checked my email & sure enough there was an email from American Airlines.

Once I copied/pasted the code I was then in like normal (w/ my name in the light blue box up top.

No warning this was coming. I thought I'd been spammed at first. UGH, what a pain !!


https://cimg0.ibsrv.net/gimg/www.fly...705b00552a.jpg

Pain?! This is the best thing American has done for their IT in years. The amount of accounts getting hacked (that will now more easily be prevented) is huge.

Suddenly two-factor authentication is required on my AA account.

At least I was able to access my email account at the same time, which was significantly less frustrating than an experience with Target on the same day: Target required the same suddenly as I was in the process of trying to pay with my phone at a self-checkout device.

I was asked for the verification code on my most recent login. Will I be asked every time now for a new code or will it be only randomly during logins?

I'm curious how this will be implemented with the AA app and when accessing the app/web site while in-flight. Without buying in-flight wifi internet access, getting the code from an e-mail will not be possible.

Since this 1st happened to me as I posted above (07/13), it happened almost every time I logged in over those next few days. It hasn't happened to me since 07/15.

I do almost always log into AA w/ Firefox on my home computer. Maybe some cookies or something are saved. We'll see going forward.

I also always keep track of my husband's AA stuff (both our trips together & his work trips w/o me). I usually use Chrome to log into his AA acct (just so I don't have to keep re-entering our login info in Firefox every time). I just logged in as him in Chrome & it still has not asked for a verification code.

Logged in twice today. Both times I was asked for a verification code. First time it has ever happened to me. What a pain in the rear. VPN related, maybe? I hope this isn't going to happen every.single.time that I log in.

It's started for me too. Although its intermittent. 3 out of 4 maybe?