UA initiates Account Security Update (Security Q&A authentication added 2016)

Reply Subscribe

Thread Tools

Search this Thread

Aug 22, 16, 8:37 pm

#481

greg99

Join Date: Sep 1999

Location: SF Bay Area

Programs: UA 1K MM, Accor Plat, Htz PC, Natl ExEm, other random status

Posts: 2,875

Quote:

Originally Posted by ssh

Why not just jump on the Google authenticator bandwagon and be done with it?

Totally agree - UA management would never make a strategically incompetent decision just to save some money on license fees...cough...SHARES...cough...

Aug 22, 16, 8:52 pm

#482

unavaca

Join Date: Jun 2007

Location: YVR SFO EOF

Programs: UA 1K, VX S

Posts: 4,864

Quote:

Originally Posted by WineCountryUA

Does it work in China?

How are remote locations in the world handled?

Yes. Google Authenticator is totally offline with no Internet or cellular connection needed. Since it's implementing an open standard (TOTP), there exist clients even for countries that don't have access to the Google Play or Apple iTunes store.

Quote:

Originally Posted by greg99

Totally agree - UA management would never make a strategically incompetent decision just to save some money on license fees...cough...SHARES...cough...

It's a free and open standard. There's no license cost to use, implement, or maintain. UA chose not to do it.

Aug 22, 16, 8:55 pm

#483

ssh

Join Date: Jun 2007

Location: Boulder, Colorado

Programs: UA 1K (MM), MR Plat Prem, Hertz Pres

Posts: 1,164

Quote:

Originally Posted by unavaca

It's a free and open standard. There's no license cost to use, implement, or maintain. UA chose not to do it.

Or, perhaps more likely, didn't know about it or didn't pursue the option. Using it with 1password makes my life infinitely easier for many parts of the Internet, but, unfortunately, United followed the path of many weak financial authentication approaches and didn't go with 2 factors. Frankly, it's ridiculous. If consultants did this, demand the fees back. If internal staff, get more knowledgeable security staff.

Aug 23, 16, 6:12 pm

#484

elynchking

Join Date: Jun 2009

Location: LAX

Programs: UA 1K/MM, Marriott Gold

Posts: 132

I just need to vent about the stupidity of these United "security" questions. For some reason my phone logged me out and then when asked what flavor ice cream I like I chose Peanut Butter Chocolate. Who knows what I chose 6 months ago?? This is the only website that I can think of that thinks this method of security questions is effective. Then it took me 3 tries to get a reset email as the first expired, the second was all wonky and then 3rd time's the charm. Ask me what street I grew up on not a question that is going to change depending on my mood or the time of year.

Aug 24, 16, 11:01 am

#485

PanAmOneTwo

Join Date: Aug 2013

Programs: UA 1K

Posts: 47

Brian Krebs, an IT security reporter and expert, with a piece on this here:

http://krebsonsecurity.com/2016/08/u...r-on-security/

Critical, especially on keylogger defense, because form-grabbers are bundled as part of those malware kits too. But concedes the alternatives create other problems. Nevertheless, a bit more understanding than I would've thought.

Aug 24, 16, 12:37 pm

#486

Kmxu

Join Date: May 2012

Location: ORF, RIC

Programs: UA LT 1K, 3 MM; Marriott Titanium; IHG Platinum

Posts: 6,119

Quote:

Originally Posted by elynchking

This is much better than interacting with an agent on phone. I could not give a chosen answer to a question that this agent read to me. The agent just did not want to help me, for example, by choosing another question. I just hanged up and went to website to complete the RPU request myself.

Good job, United.

Aug 28, 16, 4:19 pm

#487

ssh

Join Date: Jun 2007

Location: Boulder, Colorado

Programs: UA 1K (MM), MR Plat Prem, Hertz Pres

Posts: 1,164

Is the website ever going to remember that I have "updated my security" and don't need to see the blasted banner or calls to update? ARGH!

Aug 28, 16, 4:53 pm

#488

Silver Fox

FlyerTalk Evangelist

Join Date: Apr 2009

Location: Blair and Brown's Broken Britain

Programs: Lifetime Gold, Global Entry, Hertz PC, and my wallet

Posts: 19,751

No. Can we have a harder question next time please?

Aug 28, 16, 5:00 pm

#489

TomMM

FlyerTalk Evangelist

Join Date: Mar 2014

Location: 4éme

Posts: 10,858

Quote:

Originally Posted by Silver Fox

No. Can we have a harder question next time please?

How much security is really needed for a FFP account?

Aug 28, 16, 5:24 pm

#490

Bonehead

FlyerTalk Evangelist

Join Date: Jun 2003

Location: DEN

Programs: UA MM Plat; AA MM Gold; HHonors Diamond

Posts: 15,813

Quote:

Originally Posted by PanAmOneTwo

Brian Krebs, an IT security reporter and expert, with a piece on this here...

Something for the naysayers to at least consider...

“At the scale that United faces, we felt this approach was really optimal to fix this problem for our customers,” Vaughn said. “We have to start with something that is universally available to our customers. We can’t sent a text message to you when you’re on an airplane or out of the country, we can’t rely on all of our customers to have a smart phone, and we didn’t feel it would be a great use of our customers’ time to send them in the mail 93 million secure ID tokens. We felt a powerful onus to do something, and the something we implemented we feel improves security greatly, especially for non-technical savvy customers.”

Arlan McMillan, United’s chief information security officer, said the basic system that the company has just rolled out is built to accommodate additional security features going forward. McMillan said United has discussed rolling out some type of app-based time-based one-time password (TOTP) systems (Google Authenticator is one popular TOTP example).

“It is our intent to provide additional capabilities to our customers, and to even bring in additional security controls if [customers] choose to,” McMillan said. “We set the minimum bar here, and we think that’s a higher bar than you’re going to find at most of our competitors. And we’re going to do more, but we had to get this far first.”

Aug 28, 16, 6:20 pm

#491

ssh

Join Date: Jun 2007

Location: Boulder, Colorado

Programs: UA 1K (MM), MR Plat Prem, Hertz Pres

Posts: 1,164

Quote:

Originally Posted by Silver Fox

No. Can we have a harder question next time please?

Ok, ok. I'll try harder next time!

Aug 28, 16, 7:21 pm

#492

goodeats21

Join Date: Mar 2010

Location: DAY

Programs: UA 1K 1MM; Marriott LT Plat Premier (+AMB); Amex MR; Chase UR; Hertz PC; Global Entry

Posts: 9,234

Interesting that I just saw some info from the Social Security Administration that they are temporarily rolling back the requirement to use OTP to access account. It was only sent via SMS.

Quote from an email:

Quote:

However, multifactor authentication inconvenienced or restricted access to some of our account holders. We’re listening to your concerns and are responding by temporarily rolling back this mandate

I think I already mentioned up-thread, but when my credit union went to OTP, it caused big problems for me as they only had SMS option. With multiple phone numbers and SIM cards, it wasn't acceptable to me. After much escalation, I finally got them to activate the option to have the OTP sent via email.

Balance between convenience and security.

Aug 28, 16, 7:27 pm

#493

iquitos

Join Date: Sep 2009

Location: iad/dca

Programs: UA Million Mile Gold, Club, AA, Delta, Marriott, Hertz G, A/Club

Posts: 1,106

AA has adopted a similar security regime.

Tried log onto AA today and got hit with the same security question regime.

Aug 28, 16, 10:16 pm

#494

ssh

Join Date: Jun 2007

Location: Boulder, Colorado

Programs: UA 1K (MM), MR Plat Prem, Hertz Pres

Posts: 1,164

NIST has said that SMS isn't a secure method to deliver OTP. For anyone who carries a moderately current smart device, OTP software is readily available. This should be the primary method for people who carry such a device. Heck, United could even do it through the United app!