UA initiates Account Security Update (Security Q&A authentication added 2016)

Old Jan 26, 23, 10:25 am
  #601  
RNE
 
Join Date: Sep 2005
Location: JZRO
Posts: 9,111
Originally Posted by Repooc17
Let's say UA had MFA, how would it be enabled while someone is in the air?...
That squabble applies to any 2FA site. How would I access my bank in the air? How would I access my employee benefits? My Google account? My medical records? My investment portfolio? My tax preparer site? My Apple account? My retirement benefits? My Steam account? My insurance account? My treasury account? And on and on.

I guess we should get rid of 2FA on all sites just because it may not work in the air.
RNE is offline  
Old Jan 26, 23, 11:07 am
  #602  
Moderator: United Airlines; FlyerTalk Evangelist
 
Join Date: Jun 2007
Location: SFO
Programs: UA Plat 1.9MM, Hyatt Discoverist, Marriott Plat/LT Gold, Hilton Silver, IHG Plat
Posts: 63,138
To start, I use 2FA when available.

But as a consumer travel provider site, UA (and other consumer travel sites) have some real challenges with 2FA, as has been discussed. And the security measures need to be proportional to the threat.

Using FT as a proxy, the amount of hacked accounts has dropped for UA dramatically with the challenge questions. Only UA has the data, but if FT is a measure, it may not be worth the complexity and travel barriers of more secure systems.

What actual problem is being addressed that warrants the limitations of other approaches?

Originally Posted by jsloan
Yes. They could do what they'd do if they took it seriously, which is hand out hard tokens to passengers after verifying their ID. ...
?? Millions of tokens just for elites and loss of token rate is ??? Again is the cost of the problem worth the cost of the solution.
Originally Posted by jsloan
More realistically, they could use one of several available token generators, e.g., Google Authenticator. ...
For a worldwide solution???

Originally Posted by jsloan
... So, the process is that you set up the soft token ahead of time -- this would generally involve logging in and downloading a payload, probably via a link from the app -- and then accessing it later. ...
We are talking consumers, not high tech professionals

Originally Posted by RNE
That squabble applies to any 2FA site. How would I access my bank in the air? How would I access my employee benefits? My Google account? My medical records? My investment portfolio? My tax preparer site? My Apple account? My retirement benefits? My Steam account? My insurance account? My treasury account? And on and on.

I guess we should get rid of 2FA on all sites just because it may not work in the air.
Which site is a UA traveler most going to need immediate access to in the air? or internationally? Which of those sites could more likely wait until you are in situation of better connectivity?

The user model for UA is very different from those other sites.

Yes the challenge question is not the most sophisticated solution, but given the challenges of a consumer / international travel provider, what evidence is there that it isn't an effective solution with the fewest problems.

Most may not remember, UA did discuss using SMS 2FA after a different travel site was hacked for passwords, which were re-used by many on UA. But after investigation dismissed it for some of the problems discussed.

Last edited by WineCountryUA; Jan 26, 23 at 11:15 am Reason: more
WineCountryUA is offline  
Old Jan 26, 23, 11:09 am
  #603  
FlyerTalk Evangelist
 
Join Date: Oct 2001
Location: Austin, TX
Posts: 18,803
Originally Posted by RNE
That squabble applies to any 2FA site. How would I access my bank in the air?
I mean, you're not really being fair. United is an airline. You probably wouldn't use a bank's authentication system that didn't work while you were actually on the bank premises.

Originally Posted by WineCountryUA
?? Millions of tokens just for elites and loss of token rate is ??? Again is the cost of the problem worth the cost of the solution
Oh, agree 100%. It's completely infeasible. I was trying to make the same point.

Originally Posted by WineCountryUA
For a worldwide solution???
UA is all-in on the smartphone app, and these soft token apps run on the same phones that the UA app does. I have Google Authenticator on my iPhone, and I can promise you it also works on Android.

Originally Posted by WineCountryUA
We are talking consumers, not high professionals
Eh, hundreds of thousands, if not millions, of UA customers log into similar systems. It'd be opt-in anyway. If UA really wants 2FA, this is the way to do it. It's a lot better than the SMS codes, which dmurphynj rightly points out are a joke.

Last edited by jsloan; Jan 26, 23 at 11:14 am
jsloan is offline  
Old Jan 26, 23, 11:24 am
  #604  
Moderator: United Airlines; FlyerTalk Evangelist
 
Join Date: Jun 2007
Location: SFO
Programs: UA Plat 1.9MM, Hyatt Discoverist, Marriott Plat/LT Gold, Hilton Silver, IHG Plat
Posts: 63,138
Originally Posted by jsloan
...
UA is all-in on the smartphone app, and these soft token apps run on the same phones that the UA app does. I have Google Authenticator on my iPhone, and I can promise you it also works on Android. ...
Works in China? And all countries in the world? And do you risk using your normal work / personal phone in all countries in the world? Believe some corporations do not allow their phones to be used in all countries.

And again, no one has addressed that the challenge questions are an insufficient solution for UA.

I understand why government / corporate organizations have a higher threshold as the user has access to more sensitive, more valuable information. But hacking a UA MP account, the risk is far, far lower and UA restores losses at a relatively low cost to UA.

Proportionate measures
WineCountryUA is offline  
Old Jan 26, 23, 11:30 am
  #605  
FlyerTalk Evangelist
 
Join Date: Sep 2002
Location: Between AUS, EWR, and YTO In a little twisty maze of airline seats, all alike...
Programs: CO, NW, & UA forum moderator emeritus
Posts: 33,805
Originally Posted by WineCountryUA
Works in China? And all countries in the world? And do you risk using your normal work / personal phone in all countries in the world? Believe some corporations do not allow their phones to be used in all countries.

And again, no one has addressed that the challenge questions are an insufficient solution for UA.

I understand why government / corporate organizations have a higher threshold as the user has access to more sensitive, more valuable information. But hacking a UA MP account, the risk is far, far lower and UA restores losses at a relatively low cost to UA.

Proportionate measures
The authenticator apps (like Google Authenticator) do not require data access or a data connection. They generate ID tokens (the codes that they display) on a timed basis. Once set up they just work with nothing to do other than grabbing a code when asked for one. I wish UA had that as an optional way to secure my account instead of the dumb questions about sports, movies, and pizza toppings. That I may have no opinion on but am forced to answer.
jsloan, SPN Lifer, wpcoe and 1 others like this.
Xyzzy is offline  
Old Jan 26, 23, 11:37 am
  #606  
Moderator: United Airlines; FlyerTalk Evangelist
 
Join Date: Jun 2007
Location: SFO
Programs: UA Plat 1.9MM, Hyatt Discoverist, Marriott Plat/LT Gold, Hilton Silver, IHG Plat
Posts: 63,138
Originally Posted by Xyzzy
... I wish UA had that as an optional way to secure my account instead of the dumb questions about sports, movies, and pizza toppings. That I may have no opinion on but am forced to answer.
Other than not being a sophisticated solution but one that seems to work. Why not? It certainly is an easier solution for most.

KISS is the best answer when dealing with a large consumer base.
LAXOGG and Dublin_rfk like this.
WineCountryUA is offline  
Old Jan 26, 23, 11:49 am
  #607  
 
Join Date: Sep 2006
Location: HNL
Programs: UA GS4MM, MR LT Plat, Hilton Gold
Posts: 6,212
Originally Posted by Xyzzy
I wish UA had that as an optional way to secure my account instead of the dumb questions about sports, movies, and pizza toppings. That I may have no opinion on but am forced to answer.
Secure your account from what?

If a UA database gets hacked and somehow bad actors got credit card numbers/account numbers/etc (which I'm confident UA has great security) 2FA won't help you.

If you misplaced your phone and somehow left it unlocked - a bad actor still needs to log into your account to get information.

I mean this seriously, what are people worried about? I do assume UA systems are secure - and I take personal responsibility that my Apps/PC is also secure.
HNLbasedFlyer is offline  
Old Jan 26, 23, 12:10 pm
  #608  
 
Join Date: Dec 2002
Location: Central New Jersey
Posts: 1,117
Yeah, 2FA protects you from brute-force attacks and from yourself if you use the same password everywhere. The silly questions actually provide some protection from these two risks as well. And you can also protect yourself from one of these by not reusing the same password for multiple entities.
jonu is offline  
Old Jan 26, 23, 1:40 pm
  #609  
FlyerTalk Evangelist
 
Join Date: Oct 2001
Location: Austin, TX
Posts: 18,803
Originally Posted by Xyzzy
The authenticator apps (like Google Authenticator) do not require data access or a data connection.
Thank you; I thought that was well-known but it obviously was not. Sorry.
jsloan is offline  
Old Jan 26, 23, 8:29 pm
  #610  
FlyerTalk Evangelist
 
Join Date: May 2000
Location: أمريكا
Posts: 26,569
Originally Posted by Xyzzy
The authenticator apps (like Google Authenticator) do not require data access or a data connection.
I was under the impression that the Google Play Store was blocked in China, so wouldn't that make it impossible to get Authenticator in the first place? (And by impossible I mean directly using legal means.)
Doppy is offline  
Old Jan 26, 23, 9:30 pm
  #611  
 
Join Date: Aug 2010
Location: Morris County, NJ
Programs: UA 1K/*G, Avis Pres, Marriott Plat
Posts: 2,161
Originally Posted by Doppy
I was under the impression that the Google Play Store was blocked in China, so wouldn't that make it impossible to get Authenticator in the first place? (And by impossible I mean directly using legal means.)
It would be trivial for United to build a TOTP generator into the United app itself, eliminating the need for a separate app. But, clearly, they don't want to (and why would they?) restrict access to just app users or smartphone holders.

Optional? Sure, I could see that. But frankly, the security question bit probably solves for about 90-95% of the concerns. Real authentication would involve something you know + something you have (or something you are) - but that's a lot more complex to develop.
dmurphynj is offline  
Old Jan 26, 23, 9:35 pm
  #612  
FlyerTalk Evangelist
 
Join Date: Oct 2001
Location: Austin, TX
Posts: 18,803
Originally Posted by Doppy
I was under the impression that the Google Play Store was blocked in China, so wouldn't that make it impossible to get Authenticator in the first place? (And by impossible I mean directly using legal means.)
There are other competitors; that was just one option.

Originally Posted by dmurphynj
It would be trivial for United to build a TOTP generator into the United app itself, eliminating the need for a separate app. But, clearly, they don't want to (and why would they?) restrict access to just app users or smartphone holders.
An OTP built into the app you're currently using is… kind of pointless.
jsloan is offline  
Old Jan 26, 23, 10:13 pm
  #613  
 
Join Date: Aug 2010
Location: Morris County, NJ
Programs: UA 1K/*G, Avis Pres, Marriott Plat
Posts: 2,161
Originally Posted by jsloan
An OTP built into the app you're currently using is… kind of pointless.
Is it, though?

What's the difference, realistically, from having an OTP token in, say, Google's authenticator app, and the generator built into the United app? It'd still do the over-the-wire authentication, which is the important part.

What's the security advantage of flipping back and forth between the authenticator app and the United app at login?

Now --- in theory, SHOULD you be using an OTP token on the same physical device you're authenticating? Not really, no. But that's - in practicality - what happens.

So what's the advantage?
dmurphynj is offline  
Old Jan 27, 23, 12:32 am
  #614  
FlyerTalk Evangelist
 
Join Date: Oct 2001
Location: Austin, TX
Posts: 18,803
Originally Posted by dmurphynj
Is it, though?

What's the difference, realistically, from having an OTP token in, say, Google's authenticator app, and the generator built into the United app? It'd still do the over-the-wire authentication, which is the important part.

What's the security advantage of flipping back and forth between the authenticator app and the United app at login?

Now --- in theory, SHOULD you be using an OTP token on the same physical device you're authenticating? Not really, no. But that's - in practicality - what happens.

So what's the advantage?
At least with the separate app, you could, in theory, be logging into the website on a different device than you're using for communication. When it's part of the same app, there's no chance of it at all, and then it's completely pointless. Anyone who can access the app can also access the OTP.
jsloan is offline  
Old Jan 27, 23, 2:49 am
  #615  
FlyerTalk Evangelist
 
Join Date: Mar 2002
Location: Saipan, MP 96950 USA (Commonwealth of the Northern Mariana Islands = the CNMI)
Programs: UA Silver, Hilton Silver. Life: UA .56 MM, United & Admirals Clubs, Marriott Platinum
Posts: 13,278
OTP = one-time password
SPN Lifer is online now  