UA initiates Account Security Update (Security Q&A authentication added 2016)
#346
Join Date: Apr 2012
Location: SFO
Programs: AS MVP Gold 75K, UA Gold, Marriott LTT, Avis President's Club
Posts: 1,539
United PIN and Password FAQ
Went to .bomb and saw a banner saying
Clicked the link and was taken to the "PIN and Password FAQ". Didn't actually see any changes that haven't already happened. The FAQ was citing the Feb 2016 changes
Looking through the FAQs to see if I missed something and noticed this tidbit
Little easter egg there to put a smile on your face (when you're delayed at EWR)
Thought I'd share
The MileagePlus sign-in process is changing. Learn about our updates to account security.
As of February 11, 2016, we require all MileagePlus accounts to have a strong password and new security questions. Please sign in and update your account if you haven't already.
Are mashed potatoes a real pizza topping?
#347
FlyerTalk Evangelist
Join Date: Sep 2002
Location: Between AUS, EWR, and YTO In a little twisty maze of airline seats, all alike.. but I wanna go home with the armadillo
Programs: CO, NW, & UA forum moderator emeritus
Posts: 35,432
Selecting the first in the dropdown may not work. The new FAQ claims that they're busy adding additional questions and answers.
#348
Join Date: Nov 2008
Location: DFW
Programs: UA peon (+decades 1K), AA Exec Plt
Posts: 1,117
While skepticism on information security use is healthy, UA does say this
Does not appear UA is using cookies for 2-factor authentication. Seems the cookies are used to determine if it is a new device or not, 2-factor authentication is then used if determined you are using a new device.
This is a common approach to avoid having to do 2-factor authentication every time.
Two factor authentication is when every time you log in you are asked for some unique and time expiring piece of information from some different device.
Using two factor authentication sometimes is like wearing your seat belt sometimes.
#349
Moderator: United Airlines
Join Date: Jun 2007
Location: SFO
Programs: UA Plat 1.995MM, Hyatt Discoverist, Marriott Plat/LT Gold, Hilton Silver, IHG Plat
Posts: 66,856
No denying true, full 2-factor is more secure but it creates a major usability barrier especially in a system that is accessed on a worldwide basis.
#350
Senior Moderator
Join Date: Oct 2001
Location: San Francisco, CA
Programs: UA Plat/2MM [23-yr. 1K, now emeritus] clawing way back to WN-A List; MR LT Titanium; HY Whateverist.
Posts: 12,396
...and by the same user on many different platforms, such as desktop at the office, laptop at home, mobile to-from-at airport; tablet on board; hotel computer at destination, different device at destination work site, reverse, rinse, permutate, repeat.
#351
FlyerTalk Evangelist
Join Date: May 2007
Location: Houston
Programs: UA Plat, Marriott Gold
Posts: 12,693
Two factor authentication tries to eliminate the 'man in the middle attack'. Cookie authentication is defeated by MIM. When you forget your password or use a new login device and you reset your cookies via a two factor authentication you are not securing your login with two factor authentication because you are just setting a new cookie which MIM (and others) defeat. The cookie author is just more confident that the machine it is talking to is being used by you.
They could offer it without requiring it.
#352
Moderator: United Airlines
Join Date: Jun 2007
Location: SFO
Programs: UA Plat 1.995MM, Hyatt Discoverist, Marriott Plat/LT Gold, Hilton Silver, IHG Plat
Posts: 66,856
Block / delete the cookie and you will have it. Or use a private / anonymous session.
#353
Join Date: Aug 2008
Location: DCA, IAD (not BWI if I can help it)
Programs: UA 1MM 1K, Marriott Gold, Hyatt Explorist, status-free on AA, AS, B6, DL, WN, Amtrak, etc.
Posts: 1,481
Two-step verification done right - Google, Facebook, Twitter, etc. - only comes into play with logins from a new device, a strange location, or an unusual IP address. That's the only way to make it work in a mass-market context.
Two-step verification also normally relies on one-time codes sent to a phone via text or computed by an app like Google Authenticator (or, more recently, push notifications sent to an app). Security questions are a sub-par form of verification, since at worst an adversary can guess them and at best they take more time than typing in a few numbers. UA would be smart to move this function to its own app, since that would also drive adoption of it.
#354
Join Date: Jan 2016
Location: Ex-MSP
Programs: UA: Plat, Marriott: Annual Ambassador, Lifetime Grandfather
Posts: 293
If I have to get a text from United -- or an email, or some other 2FA mechanism -- every time I want to login to United, I might just quit using United. Websites that keep my login active even when I don't visit for days at a time have been around for years, so long as I am using the same device. The timeout on United's site is ridiculously short -- 20 or 30 minutes, though I haven't sat around with a stopwatch checking it.
Even though I use 1Password and the same browser every time I want to login, the fact that I get the darkened screen telling me that I've been logged out, and that I have to refresh the page so that I can then hit Cmd-\ to send my secure password...It's annoying enough already. An additional 2FA step every time would be even worse.
#355
Join Date: Nov 2008
Location: DFW
Programs: UA peon (+decades 1K), AA Exec Plt
Posts: 1,117
And if UA required true 2-factor authentication on every log-in, there would be a total riot in this forum and by most users.
No denying true, full 2-factor is more secure but it creates a major usability barrier especially in a system that is accessed on a worldwide basis.
The rub would be United being almost instantaneous.
Two-step verification also normally relies on one-time codes sent to a phone via text or computed by an app like Google Authenticator (or, more recently, push notifications sent to an app). Security questions are a sub-par form of verification, since at worst an adversary can guess them and at best they take more time than typing in a few numbers. UA would be smart to move this function to its own app, since that would also drive adoption of it.
If United were to use a technology such as VIP Access then
1) Could use that constantly changing number instead of a PIN for phone verification
2) No need to have to be texted or emailed in places connectivity challenged (cut and paste or memorize).
But any change will generate problems if for nothing else for its shininess.
#356
FlyerTalk Evangelist
Join Date: Jul 1999
Location: Ewa Beach, Hawaii
Posts: 10,909
And if UA required true 2-factor authentication on every log-in, there would be a total riot in this forum and by most users.
No denying true, full 2-factor is more secure but it creates a major usability barrier especially in a system that is accessed on a worldwide basis.
#357
FlyerTalk Evangelist
Join Date: Mar 2014
Location: 4éme
Posts: 12,043
Two-step verification also normally relies on one-time codes sent to a phone via text or computed by an app like Google Authenticator (or, more recently, push notifications sent to an app). Security questions are a sub-par form of verification, since at worst an adversary can guess them and at best they take more time than typing in a few numbers. UA would be smart to move this function to its own app, since that would also drive adoption of it.
#359
Join Date: Feb 2005
Location: So Cal
Programs: UA Gold/0.744MM, WN AL, Hyatt Diamond, MR Scum, Hertz PC, National Exec, Avis PC
Posts: 5,561
From the FAQ:
Are you getting rid of PINs? Or do I still need one?
Once you update your account with a secure password and security questions, you'll no longer be able to use your PIN.
What happens now when I call the contact center?
If you contact United by phone, you'll be asked for your password when using the automated system or for your security answers when you speak to a United representative. For security purposes, if you're asked for your password you will only need to share the first five characters.
#360
FlyerTalk Evangelist
Join Date: Sep 2002
Location: Between AUS, EWR, and YTO In a little twisty maze of airline seats, all alike.. but I wanna go home with the armadillo
Programs: CO, NW, & UA forum moderator emeritus
Posts: 35,432