They have it. Below is a screenshot from the app.

Am I the only one who questions 2FA when using an app from the iPhone? Specifically it gets my texts, calls, and emails. So how is it more secure in this context?

this isn’t account-level 2FA - it’s app-level annoyance.

I shut it off long ago after nearly missing two flights when I couldn’t get my boarding pass.

and iOS 18 offers app-specific faceID anyhow.

Explain like I�m 5. What�s the difference and can you give me a real life example where I�d have interfaced with something as you describe? Because the DL impementation is pretty much how I experience my financial institutions or Amazon.

FaceID on the app just makes using the app harder.

the newer Delta systemwide 2FA (I know who ran the program) is like banks, took 3-4 years to build out, but is unrelated and unlinked to the faceID thing which has been around for a couple years.
like someone steals your phone, you don�t have a password or you have a long screen lock delay, it prevents someone from getting into that specific app.

and - the systemwide thing crashed on me. Failed yesterday. Over and over.

You�re confusing me more. You say above DL doesn�t use 2FA but then you�re saying they do. I didn�t mention Face ID. While Face ID is in my screenshot, so is 2FA.

The scattered spider attacks have nothing to do with individual end user accounts. Identity verification and 2FA are completely irrelevant to how those attacks are carried out.

they have two things.

in summary, not sure delta can stop brute force account attempts. How would it stop these?

as per FBI warning re: scattered spider:
https://www.businessinsider.com/airl...ecurity-2025-6

https://therecord.media/hawaiian-air...k-flights-safe

You're confused because the post you're reading is conflating a bunch of different things.

The scattered spider attacks do involve a MFA social engineering attack, but it's NOT connected to consumer accounts that you would use to log into the app.

Scattered spider is targeting EMPLOYEE accounts that are used to login to backend systems, not the website or app front end. All of this discussion of this hacking group is completely 100% unrelated to this thread.

FWIW, depending on how it's implmented, faceID is not really a form of 2FA. In a true 2FA system, you need two factors. Usually this is a password and a code, the code can be generated by an an app like google authenticator, or by something like a hardware token, or it might just be texted or emailed to you. But you need both.

In most FaceID app systems, you're just substituting the FaceID for a password. A 2FA system might be used in addition, or maybe not. But you don't NEED the face to get into the account if you actually have the password. It's just a convenient option.

Passkeys are a different thing, that can be secured by faceID, but the use of FaceID in the delta app doesn't involve passkeys.

Ok got a email today that I should reset my password and it worked. Finally saw a new article about this:

https://apple.news/AeDpRD4_pTmGF3n7DGZkGcw

if needed heres the link to verify https://www.delta.com/contact-us/identity-verification

I missed this question buried in all of the noise and incorrect information.

Yes, this seems kind of dumb, but the vast majority of end-user account compromises don't involve stealing your device, it's mostly about just getting your username/password combo (most of the time, this happens because they get it through a data breach from a different site (tons of people reuse password so if site X gets breached, an attacker can buy the data and try that password on other sites). These attacks happen at scale, they aren't like stealing one phone at a time and trying to open all the apps on that phone.

In any case, SMS-based 2FA is really the worst kind of 2FA, but it's significantly better than nothing.

68,000 accounts were locked.
https://thehill.com/policy/transport...ty-issues/amp/

I got stuck in a loop. The system didn't recognize my password, so I requested a password reset. I followed the link in the email, reset the password and got, "Your password has been reset successfully. We have sent a confirmation email to your primary email address in your Delta account." I never received an email, but I tried to log in and got, "We're unable to locate an account with the login information you provided. Please confirm your information and try again. For additional account recovery options please use Login Help." I sent another password reset request, followed the link in the email, tried to reset the password to the one I just used (since the system said, "We're unable to locate an account with the login information you provided.") and got, "Whoops! We're sorry, your new password cannot be the same as your previous two passwords. Please try again." So it obviously recognized the first new password, but somehow can't recognize it when I try to log in??

So I went through the whole exercise again and didn't get an email, but tried to log in and still getting, "We're unable to locate an account with the login information you provided. Please confirm your information and try again. For additional account recovery options please use Login Help."

I confirmed my SkyMiles number (but they wouldn't be sending me a reset if it was incorrect), checked spam and checked my other email accounts in case I have multiple emails (although why a password reset would go to one and other emails would go to another I can't imagine). So I reached out in the online chat for help to me get into my account.

While the Agent was polite, they couldn't tell me what the issue was. All they said was I had to submit an Identity Verification Form, which can take up to 7 business days to review. I SHOULDN'T HAVE TO fill out a form to reset my password. And if my account is LOCKED, the site should state that, instead of making users spin their wheels. An EXTREMELY frustrating experience when I'm actually trying to give them my money.

At least I feel slightly better that it's not just me.

Welcome to Flyertalk lirimist99