Go Back  FlyerTalk Forums > Miles&Points > Airlines and Mileage Programs > United Airlines | MileagePlus
Reload this Page >

UA initiates Account Security Update (Security Q&A authentication added 2016)

UA initiates Account Security Update (Security Q&A authentication added 2016)

Old Jan 26, 23, 10:25 am
  #601  
RNE
 
Join Date: Sep 2005
Location: JZRO
Posts: 9,111
Originally Posted by Repooc17
Let's say UA had MFA, how would it be enabled while someone is in the air?...
That squabble applies to any 2FA site. How would I access my bank in the air? How would I access my employee benefits? My Google account? My medical records? My investment portfolio? My tax preparer site? My Apple account? My retirement benefits? My Steam account? My insurance account? My treasury account? And on and on.

I guess we should get rid of 2FA on all sites just because it may not work in the air.
RNE is offline  
Old Jan 26, 23, 11:07 am
  #602  
Moderator: United Airlines; FlyerTalk Evangelist
 
Join Date: Jun 2007
Location: SFO
Programs: UA Plat 1.9MM, Hyatt Discoverist, Marriott Plat/LT Gold, Hilton Silver, IHG Plat
Posts: 63,138
To start, I use 2FA when available.

But as a consumer travel provider site, UA (and other consumer travel sites) have some real challenges with 2FA, as has been discussed. And the security measures needs to be proportional to the threat.

Using FT as a proxy, the amount of hacked accounts has drop for UA dramatically with the challenge questions. Only UA has the data, but if FT is a measure, it may not be worth the complexity and travel barriers of more secure systems.

What actual problem is being address that warranty the limitations of other approaches?

Originally Posted by jsloan
Yes. They could do what they'd do if they took it seriously, which is hand out hard tokens to passengers after verifying their ID. ...
?? Millions of tokens just for elites and loss of token rate is ??? Again is the cost of the problem worth the cost of the solution.
Originally Posted by jsloan
More realistically, they could use one of several available token generators, e.g., Google Authenticator. ,,,
For a worldwide solution???

Originally Posted by jsloan
. So, the process is that you set up the soft token ahead of time -- this would generally involve logging in and downloading a payload, probably via a link from the app -- and then accessing it later. ...
We are talking consumers, not high tech professionals

Originally Posted by RNE
That squabble applies to any 2FA site. How would I access my bank in the air? How would I access my employee benefits? My Google account? My medical records? My investment portfolio? My tax preparer site? My Apple account? My retirement benefits? My Steam account? My insurance account? My treasury account? And on and on.

I guess we should get rid of 2FA on all sites just because it may not work in the air.
Which site is a UA traveler most going to need immediate access to in the air? or internationally? Which of those sites could more likely wait until you are in situation of better connectivity?

The user model for UA is very different those other sites

Yes the challenge question is not the most sophisticated solution, but given the challenges of a consumer / international travel provider, what evidence is there that it isn't an effective solution with the fewest problems.

Most may not remember, UA did discuss using SMS 2FA after the a different travel site was hacked for passwords, which were re-used by many on UA. But after investigation dismissed it for some of the problems discussed.

Last edited by WineCountryUA; Jan 26, 23 at 11:15 am Reason: more
WineCountryUA is offline  
Old Jan 26, 23, 11:09 am
  #603  
FlyerTalk Evangelist
 
Join Date: Oct 2001
Location: Austin, TX
Posts: 18,803
Originally Posted by RNE
That squabble applies to any 2FA site. How would I access my bank in the air?
I mean, you're not really being fair. United is an airline. You probably wouldn't use a bank's authentication system that didn't work while you were actually on the bank premises.

Originally Posted by WineCountryUA
?? Millions of tokens just for elites and loss of token rate is ??? Again is the cost of the problem worth the cost of the solution
Oh, agree 100%. It's completely infeasible. I was trying to make the same point.

Originally Posted by WineCountryUA
For a worldwide solution???
UA is all-in on the smartphone app, and these soft token apps run on the same phones that the UA app does. I have Google Authenticator on my iPhone, and I can promise you it also works on Android.

Originally Posted by WineCountryUA
We are talking consumers, not high professionals
Eh, hundreds of thousands, if not millions, of UA customers log into similar systems. It'd be opt-in anyway. If UA really wants 2FA, this is the way to do it. It's a lot better than the SMS codes, which dmurphynj rightly points out are a joke.

Last edited by jsloan; Jan 26, 23 at 11:14 am
jsloan is offline  
Old Jan 26, 23, 11:24 am
  #604  
Moderator: United Airlines; FlyerTalk Evangelist
 
Join Date: Jun 2007
Location: SFO
Programs: UA Plat 1.9MM, Hyatt Discoverist, Marriott Plat/LT Gold, Hilton Silver, IHG Plat
Posts: 63,138
Originally Posted by jsloan
...
UA is all-in on the smartphone app, and these soft token apps run on the same phones that the UA app does. I have Google Authenticator on my iPhone, and I can promise you it also works on Android. ...
works in China? and all countries in the world. And do you risk using your normal work / personal phone in all countries in the world? Believe some corporations do not allow their phones to be used in all countries.

And again, no one has address that the challenge questions is an insufficient solution for UA.

I understand why government / corporate organizations have a higher threshold as the user has access more sensitive, more valuable information. But hacking a UA MP account, the risk is far, far lower and UA restore losses at a relative low cost to UA.

Proportionate measures
WineCountryUA is offline  
Old Jan 26, 23, 11:30 am
  #605  
FlyerTalk Evangelist
 
Join Date: Sep 2002
Location: Between AUS, EWR, and YTO In a little twisty maze of airline seats, all alike...
Programs: CO, NW, & UA forum moderator emeritus
Posts: 33,805
Originally Posted by WineCountryUA
works in China? and all countries in the world. And do you risk using your normal work / personal phone in all countries in the world? Believe some corporations do not allow their phones to be used in all countries.

And again, no one has address that the challenge questions is an insufficient solution for UA.

I understand why government / corporate organizations have a higher threshold as the user has access more sensitive, more valuable information. But hacking a UA MP account, the risk is far, far lower and UA restore losses at a relative low cost to UA.

Proportionate measures
The authenticator apps (like Google Authenticator) do not require data access or a data connection. They generate ID tokens (the codes that they display) on a timed basis. nce set up they just work with nothing to do other than grabbing a code when asked for one. I wish UA had that as an optional way to secure my account instead of the dumb questions about sports, movies, and pizza toppings. That I may have no opinion on but am forced to answer.
jsloan, SPN Lifer, wpcoe and 1 others like this.
Xyzzy is offline  
Old Jan 26, 23, 11:37 am
  #606  
Moderator: United Airlines; FlyerTalk Evangelist
 
Join Date: Jun 2007
Location: SFO
Programs: UA Plat 1.9MM, Hyatt Discoverist, Marriott Plat/LT Gold, Hilton Silver, IHG Plat
Posts: 63,138
Originally Posted by Xyzzy
... I wish UA had that as an optional way to secure my account instead of the dumb questions about sports, movies, and pizza toppings. That I may have no opinion on but am forced to answer.
Other than not being a sophisticate solution but one that seems to work. Why not? It certainty is an easier solution for most.

KISS is the best answer when dealing with a large consumer base.
LAXOGG and Dublin_rfk like this.
WineCountryUA is offline  
Old Jan 26, 23, 11:49 am
  #607  
 
Join Date: Sep 2006
Location: HNL
Programs: UA GS4MM, MR LT Plat, Hilton Gold
Posts: 6,212
Originally Posted by Xyzzy
I wish UA had that as an optional way to secure my account instead of the dumb questions about sports, movies, and pizza toppings. That I may have no opinion on but am forced to answer.
Secure your account from what?

If a UA database gets hacked and somehow bad actors got credit card numbers/account numbers/etc (which I'm confident UA has great security) 2FA won't help you.

If you misplaced your phone and somehow left it unlocked - a bad actor still needs to log into your account to get information.

I mean this seriously, what are people worried about? I do assume UA systems are secure - and I take personal responsibility that my Apps/PC is also secure.
HNLbasedFlyer is offline  
Old Jan 26, 23, 12:10 pm
  #608  
 
Join Date: Dec 2002
Location: Central New Jersey
Posts: 1,117
Yeah, 2FA protects you from brute-force attacks and from yourself if you use the same password everywhere. The silly questions actually provide some protection from these two risks as well. And you can also protect yourself from one of these by not reusing the same password for multiple entities.
jonu is offline  
Old Jan 26, 23, 1:40 pm
  #609  
FlyerTalk Evangelist
 
Join Date: Oct 2001
Location: Austin, TX
Posts: 18,803
Originally Posted by Xyzzy
The authenticator apps (like Google Authenticator) do not require data access or a data connection.
Thank you; I thought that was well-known but it obviously was not. Sorry.
jsloan is offline  
Old Jan 26, 23, 8:29 pm
  #610  
FlyerTalk Evangelist
 
Join Date: May 2000
Location: أمريكا
Posts: 26,569
Originally Posted by Xyzzy
The authenticator apps (like Google Authenticator) do not require data access or a data connection.
I was under the impression that the Google Play Store was blocked in China, so wouldn't that make it impossible to get Authenticator in the first place? (And by impossible I mean directly using legal means.)
Doppy is offline  
Old Jan 26, 23, 9:30 pm
  #611  
 
Join Date: Aug 2010
Location: Morris County, NJ
Programs: UA 1K/*G, Avis Pres, Marriott Plat
Posts: 2,161
Originally Posted by Doppy
I was under the impression that the Google Play Store was blocked in China, so wouldn't that make it impossible to get Authenticator in the first place? (And by impossible I mean directly using legal means.)
It would be trivial for United to build a TOTP generator into the United app itself, eliminating the need for a separate app. But, clearly, they don't want to (and why would they?) restrict access to just app users or smartphone holders.

Optional? Sure, I could see that. But frankly, the security question bit probably solves for about 90-95% of the concerns. Real authentication would involve something you know + something you have (or something you are) - but that's a lot more complex to develop.
dmurphynj is offline  
Old Jan 26, 23, 9:35 pm
  #612  
FlyerTalk Evangelist
 
Join Date: Oct 2001
Location: Austin, TX
Posts: 18,803
Originally Posted by Doppy
I was under the impression that the Google Play Store was blocked in China, so wouldn't that make it impossible to get Authenticator in the first place? (And by impossible I mean directly using legal means.)
There are other competitors; that was just one option.

Originally Posted by dmurphynj
It would be trivial for United to build a TOTP generator into the United app itself, eliminating the need for a separate app. But, clearly, they don't want to (and why would they?) restrict access to just app users or smartphone holders.
A OTP built into the app you're currently using is kind of pointless.
jsloan is offline  
Old Jan 26, 23, 10:13 pm
  #613  
 
Join Date: Aug 2010
Location: Morris County, NJ
Programs: UA 1K/*G, Avis Pres, Marriott Plat
Posts: 2,161
Originally Posted by jsloan
A OTP built into the app you're currently using is kind of pointless.
Is it, though?

What's the difference, realistically, from having an OTP token in, say, Google's authenticator app, and the generator built into the United app? It'd still do the over-the-wire authentication, which is the important part.

What's the security advantage of flipping back and forth between the authenticator app and the United app at login?

Now --- in theory, SHOULD you be using an OTP token on the same physical device you're authenticating? Not really, no. But that's - in practicality - what happens.

So what's the advantage?
dmurphynj is offline  
Old Jan 27, 23, 12:32 am
  #614  
FlyerTalk Evangelist
 
Join Date: Oct 2001
Location: Austin, TX
Posts: 18,803
Originally Posted by dmurphynj
Is it, though?

What's the difference, realistically, from having an OTP token in, say, Google's authenticator app, and the generator built into the United app? It'd still do the over-the-wire authentication, which is the important part.

What's the security advantage of flipping back and forth between the authenticator app and the United app at login?

Now --- in theory, SHOULD you be using an OTP token on the same physical device you're authenticating? Not really, no. But that's - in practicality - what happens.

So what's the advantage?
At least with the separate app, you could, in theory, be logging into the website on a different device than you're using for communication. When it's part of the same app, there's no chance of it at all, and then it's completely pointless. Anyone who can access the app can also access the OTP.
jsloan is offline  
Old Jan 27, 23, 2:49 am
  #615  
FlyerTalk Evangelist
 
Join Date: Mar 2002
Location: Saipan, MP 96950 USA (Commonwealth of the Northern Mariana Islands = the CNMI)
Programs: UA Silver, Hilton Silver. Life: UA .56 MM, United & Admirals Clubs, Marriott Platinum
Posts: 13,278
OTP = one-time password
SPN Lifer is online now  

Thread Tools
Search this Thread