
UA initiates Account Security Update (Security Q&A authentication added 2016)

Old Feb 19, 16, 4:10 pm
  #241  
 
Join Date: Jul 2001
Programs: Hilton Lifetime Diamond
Posts: 1,255
Originally Posted by UA Insider
"Why aren't you applying Two Factor Authentication (TFA)?"
-We plan to. Two Factor Authentication will be coming this year.
Oh no
milesmilesmiles is offline  
Old Feb 19, 16, 4:55 pm
  #242  
 
Join Date: Jan 2016
Location: Ex-MSP
Programs: UA: Plat, Marriott: Annual Ambassador, Lifetime Grandfather
Posts: 293
Originally Posted by goodeats21
[...]but I think the point was United was able to look at an EXISTING (stored) password and know if it met the "strong" criteria. If so, they were not forcing the user to enter a new password.
Unfortunately, that's not really the case. My password is secure (30+ characters, multiple numbers, letters of both case, and special characters) and I'm still getting prompted to change my password every time I log in. I'm currently delaying that for the second round of live-beta-testing to happen.
mvitale is offline  
Old Feb 19, 16, 4:56 pm
  #243  
 
Join Date: Jan 2011
Location: HKG • Ex SFO, NYC
Programs: UA 1K, AA EXP; Marriott Amb; Hyatt Globalist; Shangri-la Diamond; IHG SpireAmb; Hilton D; Accor G
Posts: 3,313
Originally Posted by goodeats21
I know next to nothing about password web stuff, but I think the point was United was able to look at an EXISTING (stored) password and know if it met the "strong" criteria. If so, they were not forcing the user to enter a new password.

It was not referencing anything about transmitting the new password.
My point was precisely that that doesn't have to be the case.

When you log in, you send UA your current password. UA can at this time test it and determine whether it needs to be updated, without ever storing a cleartext or decryptable version of it.

This functionality does not require there to be a way for UA to look at stored passwords at all.
helvetic is offline  
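
The login-time check described in the post above, sketched as an added example that is not part of the thread and not United's code. The policy in `meets_policy`, the PBKDF2 work factor and the `AccountStore` class are assumptions made for illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 200_000  # assumed work factor for this sketch


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive the one-way verifier that is stored instead of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def meets_policy(password: str) -> bool:
    """Hypothetical 'strong' criteria: length >= 8, a letter and a digit."""
    return (len(password) >= 8
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password))


class AccountStore:
    """In-memory stand-in for the account database (constructed for the example)."""

    def __init__(self):
        self.records = {}  # username -> {"salt", "hash", "must_change"}

    def enroll_legacy(self, username: str, password: str) -> None:
        # Legacy enrollment: no policy check was applied when the password was set.
        salt = os.urandom(16)
        self.records[username] = {"salt": salt,
                                  "hash": hash_password(password, salt),
                                  "must_change": False}

    def login(self, username: str, submitted: str) -> str:
        rec = self.records.get(username)
        if rec is None:
            return "denied"
        candidate = hash_password(submitted, rec["salt"])
        if not hmac.compare_digest(candidate, rec["hash"]):
            return "denied"
        # The plaintext exists only in this request's memory. Test it now and
        # persist just the verdict; the stored record still holds only the hash.
        rec["must_change"] = not meets_policy(submitted)
        return "change_required" if rec["must_change"] else "ok"
```

The stored record never gains a recoverable copy of the password, so a weak legacy password can only be flagged at the moment its owner logs in with it.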
Old Feb 19, 16, 6:24 pm
  #244  
 
Join Date: Feb 2013
Location: ANC
Programs: AS; Hyatt; Bonvoy
Posts: 1,718
Originally Posted by UA Insider

"Why can't I type my own answer?"

-We purposely chose to use preregistered answers as our first form of enhanced authentication to protect against this keystroke logging. We need to ensure that all of our customers have a high degree of security and our research also indicated that some customers had self-entered security answers that would be very easy to guess.

-Not all customers are asked the same questions, and not all customers receive the same potential answers to each question. This randomization is on purpose and designed for your safety and security.

So not everyone gets a security question about their favorite breed of dog with a list of answers that includes - I'm not making this up - "Kuvasz," "Vizsla," and "Xoloitzcuintli" among others?

Seriously, were the people who came up with the questions and answers high on crack?

AKCuisine is offline  
Old Feb 19, 16, 6:30 pm
  #245  
 
Join Date: Mar 2010
Location: DAY
Programs: UA 1K 1MM; Marriott LT Titanium; Amex MR; Chase UR; Hertz PC; Global Entry
Posts: 9,400
Originally Posted by helvetic
My point was precisely that that doesn't have to be the case.

When you log in, you send UA your current password. UA can at this time test it and determine whether it needs to be updated, without ever storing a cleartext or decryptable version of it.

This functionality does not require there to be a way for UA to look at stored passwords at all.
I haven't been through the process yet (thank you to all the early adapters for testing it out), but I believe that there is no point at which you are required to submit your existing password to United for them to make that determination.

As I understand the flow, you can log in with PIN and establish your security questions/answers. At that point, United will either ask you to establish a new password (if you don't have one or if it determines your existing password is "weak")...or will simply bypass the password part if your existing password is "strong" (already meets new criteria).

I am sure that if I am misunderstanding this, someone will be along shortly to correct me. As I mentioned, this is not at all my area of expertise. I just found it interesting as a curiosity since United Insider provided the detail that they evaluate existing passwords somehow.

It is comfortingly consistent for United to roll out this whole thing with all the glitches and warts, but at least we are getting rid of the PIN for on-line access to our accounts. Baby Steps...with some trips and falls...but progress.
goodeats21 is offline  
Old Feb 19, 16, 9:58 pm
  #246  
Moderator: Budget Travel forum & Credit Card Programs, FlyerTalk Evangelist
 
Join Date: Aug 2002
Location: YYJ/YVR but currently stuck in Texas
Programs: UA lifetime MM / *A Gold
Posts: 14,177
Originally Posted by goodeats21
As I understand the flow, you can log in with PIN and establish your security questions/answers. At that point, United will either ask you to establish a new password (if you don't have one or if it determines your existing password is "weak")...or will simply bypass the password part if your existing password is "strong" (already meets new criteria).
I was unable to log in AT ALL via new .bomb, but in the end I was able to navigate to one of the PMCO pages and log in with my PIN.

Established 5 stupid questions and answers, but at no time was I asked to update my (what most websites report as) WEAK password
EmailKid is offline  
Old Feb 19, 16, 10:26 pm
  #247  
A FlyerTalk Posting Legend
 
Join Date: Apr 2004
Location: GVA (Greater Vancouver Area)
Programs: DREAD Gold; UA 1.034MM; Bonvoy Au-197; PCC Elite+; CCC Elite+; MSC C-12; CWC Au-197; WoH Dis
Posts: 51,470
Originally Posted by helvetic
When you log in, you send UA your current password.
Not if it's done correctly. If it's done correctly, they never get your current password. They only get an encrypted version.
mahasamatman is offline  
Old Feb 20, 16, 3:38 am
  #248  
 
Join Date: Feb 2003
Programs: UA1K, *G & Wife of UA1K MM
Posts: 3,346
For what it's worth....I just got through the process for both myself and my son without issue on the website (ipad). The system asked me for passwords after the security questions. I was able to log out and log back in again with the new passwords.
Ericka is offline  
Old Feb 20, 16, 5:43 am
  #249  
 
Join Date: Oct 2004
Location: Anywhere but home
Programs: UA 1K/MM, DL SM/MM, AA Gold, HH Dia, PC Plat, ALL Gold, MR Gold
Posts: 4,500
Likely related to this "enhanced" security - can log into my account but log in doesn't stick when trying to search for fares. Can't select the option to search for SWU-able fares nor will it show fare class inventory.
FlytheTail is offline  
Old Feb 20, 16, 3:39 pm
  #250  
 
Join Date: Mar 2011
Location: Texas
Programs: AA Gold, Starwood Gold
Posts: 125
The website forced me to update so I did (and I had not been using a PIN, but a password). So, now I can log on, but every time I try to check my reservation or do a search for a trip it "forgets" that I am logged on and I have to do it again. So, my new username and password work, sort of. Does not matter what browser I use, the same situation happens (Win 8).

Originally Posted by FlytheTail
Likely related to this "enhanced" security - can log into my account but log in doesn't stick when trying to search for fares. Can't select the option to search for SWU-able fares nor will it show fare class inventory.
TravelTexan is offline  
Old Feb 20, 16, 9:42 pm
  #251  
 
Join Date: Oct 2007
Location: BOS
Programs: UA MM
Posts: 1,538
It is simply astounding to me that a company that so much wants us to use online systems (so they can employ fewer humans of course) to the extent that we are charged $$ to reserve by phone, can botch up their online system so much. I'm going to hold off doing this as long as possible. My time is too valuable.
MojaveFlyer is offline  
Old Feb 21, 16, 9:22 pm
  #252  
 
Join Date: Sep 1999
Location: SF Bay Area
Programs: UA 1K MM, Accor Plat, Htz PC, Natl ExEm, other random status
Posts: 2,875
Originally Posted by AKCuisine
So not everyone gets a security question about their favorite breed of dog with a list of answers that includes - I'm not making this up - "Kuvasz," "Vizsla," and "Xoloitzcuintli" among others?

Seriously, were the people who came up with the questions and answers high on crack?

Apparently.

I seriously don't know the answers to some of the questions (including what month my wife and I met - I know when we first started dating, but not when we met), and the answer lists to some of the questions don't include the correct answer (e.g., the make of my first car).

I understand the rationale for not wanting people to type the answer, but there weren't actually 5 questions to which I can reliably remember the answers, so I'm going to have to write them down and leave copies in places where I can find them.

Which sort of defeats the purpose, huh?

Greg
greg99 is offline  
Old Feb 21, 16, 10:56 pm
  #253  
 
Join Date: May 2010
Location: AVP & PEK
Programs: UA 1K 1.7MM, AVIS PC
Posts: 5,163
Exactly! The answers to the posed questions were simply impossible for me to determine, especially with the limited answer selection. I simply chose the first option to each question. My favourite fruit was APPLES growing up and my LEAST favourite fruit was also APPLES.

Oy vey!
narvik is online now  
Old Feb 25, 16, 2:57 pm
  #254  
IMH
 
Join Date: Jul 2007
Location: Berlin
Programs: BA Silver; Accor Plat; IHG Diamond; Meli & HH & Marriott Gold
Posts: 5,230
Originally Posted by greg99
I seriously don't know the answers to some of the questions
You're not alone. Also, many people just won't have answers to some questions (I never wanted to be anything when I grew up, for instance).

For now, I've changed passwords without adding 'security' questions. Let's see what happens next.
IMH is offline  
Old Feb 26, 16, 4:09 pm
  #255  
 
Join Date: Dec 2011
Location: DSM
Programs: UA 1K, AA EP, DL PL, HH Dia, Marriott Gld, National Exp
Posts: 714
I updated my account login info last week without incident (so far). Today I called in to ask for ORC and the agent asked me for my "PIN or password."

I was surprised she added the "or password" since I thought with all the new security changes the PIN was gonna be exactly for when you call in so the password would stay confidential.
dorisrpas is offline  
