There is a new section under Profile > Security Settings that lets you add e-mail, phone and devices and verify them. However it does not seem to challenge every time you log in.

Decided to go log in and check my profile for that info... and got this during log in process:
After entering the code, I was then prompted to set up account recovery info via the fly delta app or text message. Selecting the fly delta app, it presented a QR code to scan and verify the app on my phone.

Confirmed that MFA is now an option under My Profile -> Password and Security Settings. And its not just email MFA, looks like there is proper push via app as well as text. I only enabled the email MFA so far, and can also confirm it does not challenge every time like one would expect. Haven't tried the push notification via App yet, as the whole login / password configuration on the Delta web site is very picky and likely broken. Every time I try to change my password, I get the error that cant use same password as last 2 when clearly I am not.

https://cimg4.ibsrv.net/gimg/www.fly...07a7c10ded.png

Logged into my account tonight on the full website and got the prompt asking if I’d like to verify my email for recovery purposes, two factor auth, etc. (don’t recall the exact verbiage). Fortunately there was a skip or set up later option. I chose that as I don’t want to enable 2FA until absolutely required for the following reasons:

1. This is DL IT we are talking about. I can imagine one getting locked out and it becoming a major hassle to get things resolved.

2. I manage several family member’s skymiles accounts and reservations. I login usually weekly to check on possible schedule changes and 2FA would be a major pain.

3. I can imagine the app logging you out and requiring 2FA at a super inconvenient time (such as boarding or monitoring the UG list).

4. Lastly, this isn’t my bank account. I understand for high yielding corporate accounts it could be a consideration, but for
my personal leisure travel, no thanks.

Just my two cents. Nice to see it as an option for the folks who want it, but hope it doesn’t become the norm. So many more areas DL could improve on IT wise before this.

if your decision making process is just "I can imagine nightmare scenario X" how do you ever even leave the house? For #2, you can control which devices/phone numbers/email addresses are used for 2fa, so even if you're managing your family's accounts, you can have the texts go to you or them.

Oh I leave the house plenty. Heading to HNL in a few hours. I just don’t care to place anymore trust or reliability into DL IT than I have to - based on decades of experience with DL IT being buggy and frankly not working as it should. These “enhancements” are rarely customer friendly and I’ll opt out as long as I can.

right, that was sort of my point, I was assuming you do actually leave the house

this is actually one of the best arguments in favor of using 2FA. It gives you more protection if a lapse at DL leads to a compromise of your password (which is in reality how must data breaches occur).

I can see your point, and do understand the overall premise of using 2FA for appropriate accounts - in fact I have benefited from it in the past when I've received notification someone was trying to sign into one of my email accounts. But when it comes to DL, I just can't get behind their ability to make 2FA actually work. They can't reissue a ticket easily, nor have RUCs actually work as intended, JV ops can be a mess when connecting to partners and the ticketing process, and the elephant in the room - the Crowdstrike recovery. For now, 2FA with DL is something I will prefer to avoid until they prove themselves more reliable in the IT department. I did log on to the full website again this afternoon and no push to enable it.

Being in risk management and cybersecurity, over 90% of password incidents are re-used passwords NOT originating at the organization at which the compromised password is actually used.
i.e. someone's healthcare or Amazon or UPS password is used in a corporate attack. Or Delta.

It's called "credential stuffing", and has been part of many incidents, most notably in my 2024 life helping a client recover from Sisense (https://krebsonsecurity.com/2024/04/...ch-at-sisense/).

Yes, this is related to Delta, as it's one reason they're going to 2FA.

Yes, again, all of that incompetence is exactly why you should be using 2FA. Imagine thinking "this bunch of morons has my data, I would really prefer if they had only the most basic security possible."

When dealing with an incompetent IT organization, you are better off with 2FA, even if they are bad at implementing it, than without it. Them incompetently implementing it is (almost) never going to make you worse off (it's possible that it could but they'd have to screw up in particular ways that you honestly would almost need to be an expert to pull off). Worst case, you're essentially as bad off as you were but even poorly skilled teams implementing 2FA will improve things more often than not.

There is nothing indicating that 2FA in general is leading to any fewer data breaches. Put up a wall, the bad guys get a longer ladder. <shrugs>

2FA isn't going to stop breaches, it's about containing the damage if a breach occurs.