MFA (Multi-Factor Authentication) - Finally Coming to AA
 

Looks like MFA is finally coming to AA...It's about time! Welcome to 2010 AA IT!

https://viewfromthewing.com/american...tage-accounts/

Ugh. Being in IT, I know MFA is better, but god I'm so sick of having to do this on everything, especially sites (not saying this is AA) where my security isn't all that important. (Like, why do I need MFA on a website to order litter for my cat?!)

But, this is long overdue regardless of how annoying it might be.

One clarification to the article is that one can receive texts and even calls inflight. I don't answer the calls of course. However, if one has wifi calling enabled on their phone, the phone works like normal if you're in the air and connected to the plane's wifi.

I really hate email MFA. I hope they offer SMS and/or TOTP.

Well if they offer it via text, you won't be doing it on any aircraft unless you have two wifi accounts or switch off one device, switch on the other device, then revert back to the old device. Correct?

Authenticator app or nothing at this point.

SMS sometimes works in the air - if you have wifi access - but calls are a no-go at least from a legal standpoint. Also, many when travelling do not have access to SMS if they are roaming globally.

Depends. I buy the "two device" plan, so I have my laptop and cell connected at the same time. I used to do the flipping back and forth but got sick of the pain associated with that. However, your point is valid in that if you connect with your laptop with a one device option, you'd have to switch back and forth.

However, I don't think they would implement an SMS option, as technically cell phones aren't supposed to work when in the air. Enabling wifi calling is a loophole of sorts.

You can also tether your device and share the connection. :cool:

Good point!

While long overdue, I agree with others in this thread that email (or text, or TOTP for that matter) MFA gets annoying real quick. Hopefully this will only be used on new/untrusted device logins.

From the VFTW article it sounds like it will only support e-mail, so the OP "welcome to 2010" was pretty on point.

Given that it's now 2023, they should be supporting passkeys or at least hardware keys since (a) those technologies would let you login to aa.com on a plane without access to your e-mail provider, and (b) are actually phishing resistant. But I know it's AA we're talking about here, so unsurprising this is implemented poorly.

Great, so every senior citizen will have one more additional hassle to deal with, requiring assistance from another person.

Yup. Email OTP is also not solving the issue of compromised accounts. If you can request a password reset and confirm it and the OTP from the same compromised email account, nothing has changed.

Ugh.
+1
Hate MFA.
Even more so when it is SMS and it is a website or app that I need to use when I am abroad.

SMS and cellphone reception can be terrible, particularly in foreign cities where construction is mostly concrete and bricks and mortar. I have to go out to the street or near a window facing the outside out to receive the verification SMS.

Mark me in the camp that thinks this is unnecessary. Brokerage accounts, yes. Bank accounts, yes. HIPAA-protected data, yes. Frequent flyer accounts, really?

I think it is necessary, but only for "risky" operations. Normal login should not require MFA. I agree that would be ridiculous. But such things as redeeming miles for somebody else, changing password or email, etc, these should require MFA confirmation.