thesun

Interesting, I looked up the account security page in the Wayback Machine and it has had that text since the first time that URL was captured back in 2021: https://web.archive.org/web/20210830...-security.html

Sadly, there still isn't any 2FA option. At least not in my account. I double-checked in case I missed something but nope...

mduell

Written by confused staff since they have 2FA for their internal systems, and didn't realize customers don't have 2FA available?

jsloan

Perhaps. I won't lose any sleep over it, though. Not only is a PNR and last name enough to access any record, 2FA on public websites is rarely all that it's cracked up to be. SMS can be intercepted, and even if they use a soft token, at best they're validating that the user is has access to the same systems they had access to on the day they set up 2FA. Unless you (a) have a token that is not stored on the same device that you can use to access a site, and (b) were given that token after an in-person identity verification, it's mostly just security theater.

malgudi

Yes, they have (at least) 2 Flight Attendants

jonu

But they know my favorite pizza topping!

asovse1

United has an incredible app and great user-facing tools that I can only imagine took a large investment to build out the tech across so many pieces of their infrastructure: at the gate, at baggage, at flight ops, etc.

If they introduce 2FA, the bar is set so high that I'm fully expecting super advanced tools (that really aren't that hard to implement) like time-based keys, hardware key support, passphrase support (not really 2FA tho) atop the usual SMS/email offerings (which are still pretty insecure)

jsloan

They're actually impossible to implement, or at least to do so meaningfully. The entire travel industry is premised upon being insecure -- that's how you can have a travel agent do things on your behalf. All you need to have to cancel a reservation is a record locator and a last name, and that's very much by design.

Now, could they implement 2FA for making bookings -- sure, I guess. It's possible that somebody is stealing UA login credentials to try to book airfare for somebody illicitly. The thing is, there's not much of a market for that, because ultimately you're going to have to link it to a passenger. There's no anonymity in air travel, so there's not much of a market for fences.

jpezaris

Don't forget that there is a big difference between being able to see or modify a PNR, and being able to see, modify, or otherwise exploit the rest of the information in your account, like your home address, your saved passport information, your credit card information, KTN, any FFC or ETC you might have, any RDM balance, any TravelBank balance, etc. The PNRs are only a part of the full account, and being able to access them, like your travel agent might, does not mean you can access the rest of the information.

We have seen many, many posts here that someone's login credentials have indeed been stolen and unauthorized bookings made for third parties. So the security questions UA implemented are a step up from simple passwords from a security perspective, and 2FA would be another step up, even if they are not perfect as another poster asserted.

Doppy

The security questions are a second authentication factor, so yet, it does have 2FA.

jsloan

You may be surprised. Several of the things that you listed are available to anyone with GDS access. The only ones that wouldn't be are the UA-specific ones like ETCs, and the full payment information -- and even FFCs you could probably work out from the ticket history, although I don't know if that would allow you to use them.

Lux Flyer

No it doesn't. Security questions and passwords fall under the same factor "something you know". UA obfuscates the ability to guess the answers by process of elimination by giving you a limited rotating number of options from the entire answer pool, but it is not a MFA implementation. Two passwords don't make something 2FA, nor does password + questions. A MFA would require a distinct, separate, factor to be used such as "something you have" or "something you are".

Repooc17

Let's say UA had MFA, how would it be enabled while someone is in the air and have not purchased wifi? Is there an alternative than sending a text for validation?

jpezaris

While I wouldn't support the argument, I think the something-you-have reasoning would go along the lines of: you own a laptop / desktop / mobile device that has been validated through security questions and a token installed on it. That's the thing you have. It isn't super strong security, as has been extensively discussed, but it's better than not supporting that sort of thing.

A traditional 2FA implementation of using an SMS confirmation message on the same mobile device that's being used to access a web site doesn't strike me as substantially more secure than that, but I could well be mistaken.

WineCountryUA

A major issue for SMS or e-mail 2FA is for travelers who may or may not have access in certain parts of the world while traveling (separate from the issue of how secure those are in parts of the world.)

The weakest link in the process is the user re-using account passwords on multiple sites. Even the "silly" questions can improve the situation for those folks.

jsloan

Yes. They could do what they'd do if they took it seriously, which is hand out hard tokens to passengers after verifying their ID.
More realistically, they could use one of several available token generators, e.g., Google Authenticator. Most of these apps accept push notifications; however, if you aren't in a position where push notifications are available, you can also either (a) enter the current code from your device, or (b) do a challenge / response sequence. I have apps that do both. So, the process is that you set up the soft token ahead of time -- this would generally involve logging in and downloading a payload, probably via a link from the app -- and then accessing it later.

But, again, you're talking about storing the second factor on the same device the user is likely using to access the site in the first place, which negates the value.