MFA (Multi-Factor Authentication) - Finally Coming to AA
Jun 21, 2023 | 5:28 am
#1
Original Poster
Join Date: Jan 2011
Location: Philadelphia, PA
Programs: AAdvantage Exec Platinum, Hertz #1 Club Gold Five Star, IHG Platinum, Marriott Gold, HHonors Silver
Posts: 2,125
MFA (Multi-Factor Authentication) - Finally Coming to AA
Looks like MFA is finally coming to AA...It's about time! Welcome to 2010 AA IT!
https://viewfromthewing.com/american...tage-accounts/
https://viewfromthewing.com/american...tage-accounts/
Jun 21, 2023 | 5:43 am
#2
Join Date: Feb 2003
Location: Washington, DC
Programs: AA Executive Platinum/Million Miler, Marriott Titanium Elite-Lifetime, Hilton Gold
Posts: 3,425
Ugh. Being in IT, I know MFA is better, but god I'm so sick of having to do this on everything, especially sites (not saying this is AA) where my security isn't all that important. (Like, why do I need MFA on a website to order litter for my cat?!)
But, this is long overdue regardless of how annoying it might be.
One clarification to the article is that one can receive texts and even calls inflight. I don't answer the calls of course. However, if one has wifi calling enabled on their phone, the phone works like normal if you're in the air and connected to the plane's wifi.
But, this is long overdue regardless of how annoying it might be.
One clarification to the article is that one can receive texts and even calls inflight. I don't answer the calls of course. However, if one has wifi calling enabled on their phone, the phone works like normal if you're in the air and connected to the plane's wifi.
Last edited by USFlyerUS; Jun 21, 2023 at 5:53 am
Jun 21, 2023 | 6:44 am
#4
Join Date: Sep 2000
Location: DCA/IAD
Programs: AA EXP; 1W Emerald; HHonors Diamond; Marriott Gold; UA dirt
Posts: 8,083
Well if they offer it via text, you won't be doing it on any aircraft unless you have two wifi accounts or switch off one device, switch on the other device, then revert back to the old device. Correct?
Jun 21, 2023 | 6:44 am
#5
Join Date: Jan 2009
Location: OKC
Programs: IHG Spire, National Exec, AA Plat
Posts: 2,326
Authenticator app or nothing at this point.
SMS sometimes works in the air - if you have wifi access - but calls are a no-go at least from a legal standpoint. Also, many when travelling do not have access to SMS if they are roaming globally.
SMS sometimes works in the air - if you have wifi access - but calls are a no-go at least from a legal standpoint. Also, many when travelling do not have access to SMS if they are roaming globally.
Jun 21, 2023 | 7:05 am
#6
Join Date: Feb 2003
Location: Washington, DC
Programs: AA Executive Platinum/Million Miler, Marriott Titanium Elite-Lifetime, Hilton Gold
Posts: 3,425
However, I don't think they would implement an SMS option, as technically cell phones aren't supposed to work when in the air. Enabling wifi calling is a loophole of sorts.
Jun 21, 2023 | 7:10 am
#7
FlyerTalk Evangelist
Join Date: Aug 2012
Location: KHOU/KIAH
Programs: AA EXP | Marriott LT Plat | Hyatt Discoverist
Posts: 11,728
Depends. I buy the "two device" plan, so I have my laptop and cell connected at the same time. I used to do the flipping back and forth but got sick of the pain associated with that. However, your point is valid in that if you connect with your laptop with a one device option, you'd have to switch back and forth.
Jun 21, 2023 | 10:27 am
#9
Join Date: Aug 2022
Programs: AA Executive Platinum (Oneworld Emerald)
Posts: 135
While long overdue, I agree with others in this thread that email (or text, or TOTP for that matter) MFA gets annoying real quick. Hopefully this will only be used on new/untrusted device logins.
Jun 21, 2023 | 1:36 pm
#10
Join Date: Jun 2001
Location: New York, NY
Posts: 3,703
Given that it's now 2023, they should be supporting passkeys or at least hardware keys since (a) those technologies would let you login to aa.com on a plane without access to your e-mail provider, and (b) are actually phishing resistant. But I know it's AA we're talking about here, so unsurprising this is implemented poorly.
Jun 21, 2023 | 1:41 pm
#11
Suspended
Join Date: Sep 2019
Posts: 2,094
Looks like MFA is finally coming to AA...It's about time! Welcome to 2010 AA IT!
https://viewfromthewing.com/american...tage-accounts/
https://viewfromthewing.com/american...tage-accounts/
Jun 21, 2023 | 1:45 pm
#12
FlyerTalk Evangelist
Join Date: Aug 2012
Location: KHOU/KIAH
Programs: AA EXP | Marriott LT Plat | Hyatt Discoverist
Posts: 11,728
From the VFTW article it sounds like it will only support e-mail, so the OP "welcome to 2010" was pretty on point.
Given that it's now 2023, they should be supporting passkeys or at least hardware keys since (a) those technologies would let you login to aa.com on a plane without access to your e-mail provider, and (b) are actually phishing resistant. But I know it's AA we're talking about here, so unsurprising this is implemented poorly.
Given that it's now 2023, they should be supporting passkeys or at least hardware keys since (a) those technologies would let you login to aa.com on a plane without access to your e-mail provider, and (b) are actually phishing resistant. But I know it's AA we're talking about here, so unsurprising this is implemented poorly.
Jun 21, 2023 | 2:38 pm
#13
Join Date: Nov 2007
Location: Los Angeles
Programs: AA LT Gold
Posts: 3,715
Ugh.
+1
Hate MFA.
Even more so when it is SMS and it is a website or app that I need to use when I am abroad.
SMS and cellphone reception can be terrible, particularly in foreign cities where construction is mostly concrete and bricks and mortar. I have to go out to the street or near a window facing the outside out to receive the verification SMS.
+1
Hate MFA.
Even more so when it is SMS and it is a website or app that I need to use when I am abroad.
SMS and cellphone reception can be terrible, particularly in foreign cities where construction is mostly concrete and bricks and mortar. I have to go out to the street or near a window facing the outside out to receive the verification SMS.
Jun 21, 2023 | 6:43 pm
#15
Join Date: Mar 2012
Posts: 152
I think it is necessary, but only for "risky" operations. Normal login should not require MFA. I agree that would be ridiculous. But such things as redeeming miles for somebody else, changing password or email, etc, these should require MFA confirmation.