If I have to do a password update, I'd rather have it be an incidental update after I have gone directly to the marriott.com site on my own instead of being directed there by an emailed link.

The cat and mouse game continues -- in large part because of government and corporate practices, but also because of consumer laziness. This won't put a stop to the cat and mouse games.

I doubt that such an approach would be upheld as legal in all the markets where Marriott operates -- not that Marriott will go to such an anti-consumer extreme as you suggest and let it get to the point of being tested. ;)

Well there was a reason your company moved to that; too bad they didn't do it sooner (sorry, couldn't resist :D)

Agree.

Agree with most of the above, except the United part. I've only ever used a password with UA, not a PIN.

I think it has a length requirement & perhaps a symbol or character, but it still accepts lower case on the letters. Last year I switched my password to 14 numbers/letters (no symbol & no caps) & it still works.

Cheers.

Depending on how it is implemented, it can be quite a problem. When my credit union went to enhanced security, they required a phone number to send SMS code...no other option presented. Well for those of us that are global, that is a ridiculous requirement. My phone number changes quite often, depending on where in the world I am and what SIM card(s) are in my phone. They finally relented and allowed the use of an email account instead of a phone number, but it was a pain to get that exception.

I am quite supportive of enhanced security, but design it to work for everyone.

Agree.

Ouch. :D

But at least it makes the transition to Marriott's 2-factor authentication an easy one.

Where it tends to get tricky is when you are using inflight wifi, and can only use one device at a time. If you want to log into Marriott's site through your laptop, and you have no mechanism for receiving a text on your laptop, you are hosed. I had to have our I.T. department set me up with a special token on my iPhone to enable me to get the code in an off-line environment on my phone, so that I could type it into my laptop while it was connected to the inflight wifi.

I don't have a problem with requiring 2FA, depending on how it's implemented.

Whether you use it or not, your UA account has a 4 digit PIN associated to.
All of them do, even if you didn't set it.
That 4 digit number and your MP # are all it takes to get in to your account.

I got a headache reading that.

Cheers.

The real issue (and I get this problem with banks often) is that you have to give a phone number to receive an voice or text code in order to proceed. Now the entity has your cell phone number and some how it get passed to marketers and abused, no matter what your "privacy" preferences are. So I only give out a number I don't care about (which causes more problems...)

I have used the enhanced method on PayPal, Chase and Citi and they always give you the option to have it texted or emailed.
Also on PayPal you can actually bypass it by answering a couple of security questions (only works once before having to use the code).

The code can be emailed as well if it is like the ones I posted above.

Times thousands of customers a day, times 365 days a tear, times the growing number of companies going to multi-factor, with minimum password lengths of 14 or 18 characters, upper and lower case required, special characters required, can't be one of your last 24 passwords, must change quarterly, or monthly, or weekly...

The net result is far less productivity, AND far less security, as people go back to the Post-It method of password "security."

Shame on Marriott and other companies for foisting IT security off on its customers.

I find part of the e-mail laughable -- When I'm cracking passwords at my job (fun job), uppercase, numbers, and keyboard symbols are already part of the rainbow tables we use and in our brute-force algorithms in the server farm. I've not run a brute-force with only lowercase characters in over 10 years, probably longer than that.

Length, not complexity, is what stops hackers. In my office we now have a 16-character minimum, but we use pass phrases instead of passwords.

My gripe is that most 2-factor auths are done via SMS(Text message for the Yanks). Nice if I'm in my home country, but if I'm abroad I usually have yanked the SIM on my mobile and am using a local SIM instead. Also, depending on what I'm working on, my mobile phone might not be allowed to be carried with me.

THIS is exactly why I encourage everyone to have the longest pass phrase their e-mail system will allow. Once you get into someone's e-mail, you have their entire life. Just start entering their e-mail addy into various sites, click Forgot Password, and get a fresh one e-mailed to you.

So true, Grate advice!

This is what I have now, but as I stated up-thread, it was not offered at program inception. I had to escalate several levels at the Credit Union to get the email option.

At the outset, it was a phone number for an SMS...or nothing.

This. Exactly true.