
UA initiates Account Security Update (Security Q&A authentication added 2016)

Old Jan 27, 2023, 12:06 pm
  #616  
RNE
 
Join Date: Sep 2005
Location: JZRO
Posts: 9,169
Originally Posted by jsloan
I mean, you're not really being fair. United is an airline. You probably wouldn't use a bank's authentication system that didn't work while you were actually on the bank premises.
No, you're not being fair; you cherry picked the bank example. Let's look at the others you conveniently overlooked. To wit, I'm never on the premises of Google or Apple, or T. Rowe Price, or TurboTax, or UTC, or Geico, or the U.S. Treasury, etc., yet I might want to access any of their websites while aboard a flight and be unable to -- which I'm fine with. I nevertheless want 2FA all the other time. What's really "unfair," as you put it, is trying to excuse United's lack of 2FA because of some hours spent inflight versus the 8760 hours in every year. But do keep trying.
RNE is offline  
Old Jan 27, 2023, 1:23 pm
  #617  
FlyerTalk Evangelist
 
Join Date: Oct 2001
Location: Austin, TX
Posts: 21,402
Originally Posted by RNE
No, you're not being fair; you cherry picked the bank example. Let's look at the others you conveniently overlooked. To wit, I'm never on the premises of Google or Apple, or T. Rowe Price, or TurboTax, or UTC, or Geico, or the U.S. Treasury, etc., yet I might want to access any of their websites while aboard a flight and be unable to -- which I'm fine with. I nevertheless want 2FA all the other time. What's really "unfair," as you put it, is trying to excuse United's lack of 2FA because of some hours spent inflight versus the 8760 hours in every year. But do keep trying.
You still seem to think that 2FA is useful. In most cases, it's security theatre. That said, if UA wants 2FA, they will need 2FA that works in the air. There's no cherry-picking here; they are an airline. They cannot, with a straight face, launch a security system that would prohibit you from doing business with them while you are actively doing business with them.

And 2FA that works in the air is not difficult; you use an OTP system to generate a soft token, as described.

I'm not "excus[ing] United's lack of 2FA because of some hours spent inflight." I'm excusing it because 2FA is (a) pointless in the travel industry and (b) pointless if not taken seriously. I'm willing to bet that most, if not all, of those other companies don't take 2FA seriously. The closest might be Apple, because at least they do a push notification to your other devices, instead of something that goes to the device you're currently using.

If a company sends you an SMS code, they're not taking 2FA seriously.
If a company lets you call their customer service to change your phone number, they're not taking 2FA seriously.
If a company lets you download your soft token, they're not taking 2FA seriously.

Anyway, I think this topic has been beaten to death. I don't like 2FA; I don't have any need to "secure" my UA account. If other people want to use it, fine; if they require it, it will be slightly irritating but I'll get over it. Feel free to write to UA and complain about how they're not taking security seriously by not having 2FA.
SPN Lifer likes this.
jsloan is online now  
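The offline soft token mentioned in the post above, sketched as an added example that is not part of the original thread and not United's system: a standard TOTP (RFC 6238) code is computed from a shared secret and the device clock only, so the device needs no network connection to produce it. The secret is the RFC's published test key, and the 30-second step and the one-step drift window are assumptions.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per time step (RFC 6238 default; an assumption here)

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """Client side: needs only the secret and the local clock, no network."""
    return hotp(secret, unix_time // STEP, digits)

def verify(secret: bytes, code: str, server_time: int,
           window: int = 1, digits: int = 6) -> bool:
    """Server side: accept codes from +/- `window` steps to absorb clock drift."""
    counter = server_time // STEP
    ok = False
    for c in range(counter - window, counter + window + 1):
        # Constant-time comparison; check every candidate step before returning.
        if c >= 0 and hmac.compare_digest(hotp(secret, c, digits), code):
            ok = True
    return ok

# Constructed sample: the shared test secret published in RFC 6238.
SECRET = b"12345678901234567890"

if __name__ == "__main__":
    code = totp(SECRET, 59)                  # generated on the device, offline
    print("device code:", code)
    print("accepted 30 s later:", verify(SECRET, code, 89))
    print("accepted 90 s later:", verify(SECRET, code, 149))
```

The drift window is the trade-off to tune: a wider window tolerates a device clock that cannot sync in flight, but lengthens the time a captured code stays valid.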
Old Jan 27, 2023, 1:43 pm
  #618  
 
Join Date: Sep 2006
Location: HNL
Programs: UA GS4MM, MR LT Plat, Hilton Gold
Posts: 6,447
Originally Posted by RNE
What's really "unfair," as you put it, is trying to excuse United's lack of 2FA because of some hours spent inflight versus the 8760 hours in every year.
What exactly are you worried about? Hacking the corporate loyalty database is far more lucrative than hacking an individual airline app.

You could always skip the app and website and use the phone.
jsloan and SPN Lifer like this.
HNLbasedFlyer is offline  
Old Jan 27, 2023, 6:49 pm
  #619  
FlyerTalk Evangelist
 
Join Date: May 2000
Location: أمريكا
Posts: 26,763
I have definitely needed to get into my account to make changes or chat with an agent inflight to deal with IRROPS. If you're likely to miss a connection, for example, waiting until you land and hoping for the best is not my strategy.
SPN Lifer and Dublin_rfk like this.
Doppy is offline  
Old Jan 27, 2023, 6:57 pm
  #620  
FlyerTalk Evangelist
 
Join Date: Sep 2002
Location: Between AUS, EWR, and YTO In a little twisty maze of airline seats, all alike.. but I wanna go home with the armadillo
Programs: CO, NW, & UA forum moderator emeritus
Posts: 35,419
Originally Posted by Doppy
I have definitely needed to get into my account to make changes or chat with an agent inflight to deal with IRROPS. If you're likely to miss a connection, for example, waiting until you land and hoping for the best is not my strategy.
The chat feature of the app actually works quite well nowadays. (When UA first initiated such a thing I was told that they couldn't handle me because I needed to talk to a Premier agent -- and at the time I had no other way to communicate)
Doppy likes this.
Xyzzy is online now  
Old Jan 27, 2023, 7:19 pm
  #621  
 
Join Date: Jun 2004
Posts: 690
Originally Posted by jonu
Yeah, 2FA protects you from brute-force attacks and from yourself if you use the same password everywhere. The silly questions actually provide some protection from these two risks as well. And you can also protect yourself from one of these by not reusing the same password for multiple entities.
And it protects you from a generic keylogger on your desktop (or phone) that steals your password, or any of a myriad of other circumstances under which your password is unintentionally leaked.

I don't know about anyone else, but beyond the personal information which is important, there's a fair bit of value held in my MP account. There's enough that were someone to steal it, it would be a problem. For example, my family's summer vacations are predicated on my earning enough miles to pay for airline tickets. I think the questions are silly (we should be able to make up our own), but having them is most definitely better than just passwords for security.
jpezaris is offline  
Old Jan 27, 2023, 7:58 pm
  #622  
Moderator: United Airlines
 
Join Date: Jun 2007
Location: SFO
Programs: UA Plat 1.995MM, Hyatt Discoverist, Marriott Plat/LT Gold, Hilton Silver, IHG Plat
Posts: 66,850
Originally Posted by jpezaris
....
I don't know about anyone else, but beyond the personal information which is important, there's a fair bit of value held in my MP account. There's enough that were someone to steal it, it would be a problem.....
And if that happened UA will replace them. Since this is UA currency, UA has knowledge how used and you just state they were stolen and not used by you. UA knows who flew and given the id requirement, it makes this hard to be anonymous. UA will cancel the tickets if reported quick enough.

The risk is low and the consequences lower.
WineCountryUA is offline  
Old Jan 27, 2023, 8:17 pm
  #623  
 
Join Date: May 2017
Posts: 2,279
Originally Posted by jpezaris
And it protects you from a generic keylogger on your desktop (or phone) that steals your password, or any of a myriad of other circumstances under which your password is unintentionally leaked.

I don't know about anyone else, but beyond the personal information which is important, there's a fair bit of value held in my MP account. There's enough that were someone to steal it, it would be a problem. For example, my family's summer vacations are predicated on my earning enough miles to pay for airline tickets. I think the questions are silly (we should be able to make up our own), but having them is most definitely better than just passwords for security.
Originally Posted by WineCountryUA
And if that happened UA will replace them. Since this is UA currency, UA has knowledge how used and you just state they were stolen and not used by you. UA knows who flew and given the id requirement, it makes this hard to be anonymous. UA will cancel the tickets if reported quick enough.

The risk is low and the consequences lower.
Not to mention the security questions provide another layer and while the answers to those can be social engineered, requiring the account to lock out relatively quickly with incorrect responses, thus voiding the current set of questions/responses, makes the MP accounts a less attractive target relative to the effort required to gain access. The name of the game for UA with this implementation is deterrence to hackers by making MP accounts an unattractive target while making it as minimally inconvenient for the actual traveler as possible given the unique needs facing the airline industry (other people being able to manage reservations on passenger behalf, making changes in flight or in areas with limited/no internet access, etc). Which apparently the security question implementation has done great at: the reports of MP account hacking/mileage pilferage have dropped dramatically.

Ultimately if someone is going to go through the effort of keylogging/determining someone's leaked password and social engineering the response to the person's security questions, hopefully getting the right answers before the account gets locked out, I think there are more bountiful yields to be had from that level of effort by targeting other industries rather than gaining access to an account with airline specific currency that can still be easily traced to the actual traveler.
SPN Lifer likes this.
Lux Flyer is offline  
Old Jan 27, 2023, 10:09 pm
  #624  
A FlyerTalk Posting Legend
 
Join Date: Apr 2004
Location: GVA (Greater Vancouver Area)
Programs: DREAD Gold; UA 1.035MM; Bonvoy Au-197; PCC Elite+; CCC Elite+; MSC C-12; CWC Au-197; WoH Dis
Posts: 52,139
Originally Posted by Lux Flyer
the answers to those can be social engineered,
Only if someone makes the mistake of actually providing correct responses to the questions.
Silver Fox and Dublin_rfk like this.
mahasamatman is offline  
Old Jan 28, 2023, 1:19 am
  #625  
 
Join Date: Jan 2013
Location: Delaware
Programs: UA Mileage Plus, Amtrak Guest Rewards
Posts: 1,393
Just remember, in a few years we won't even be using passwords. We'll be using Passkeys.
phkc070408 is offline  
Old Jan 28, 2023, 5:55 am
  #626  
 
Join Date: Dec 2014
Location: Haze gray and underway
Programs: UA 1K 2MM, HH Diamond, Marriott 'clink clink' Titanium
Posts: 1,784
Originally Posted by Xyzzy
The chat feature of the app actually works quite well nowadays. (When UA first initiated such a thing I was told that they couldn't handle me because I needed to talk to a Premier agent -- and at the time I had no other way to communicate)
As someone who is challenged in the use of opposable digits I find the chat feature frustratingly challenging. Between autocorrection features and having difficulty walking and focusing on a handheld device I’m helpless. When I need to talk with an agent I need to talk.
Xyzzy and jpezaris like this.
Dublin_rfk is offline  
Old Jan 28, 2023, 8:34 am
  #627  
RNE
 
Join Date: Sep 2005
Location: JZRO
Posts: 9,169
Originally Posted by jsloan
I don't like 2FA;
You don't like it. I do. Fair enough. Now, please call off your dogs.
RNE is offline  
Old Jan 28, 2023, 9:09 am
  #628  
FlyerTalk Evangelist
 
Join Date: Jul 2003
Location: BOS, PVG
Programs: United 1K and 1MM, Marriott Ambassador
Posts: 10,000
I hate 2FA.

SQ uses OTP and it makes me crazy.
kb1992 is offline  
Old Jan 28, 2023, 9:13 am
  #629  
 
Join Date: Jan 2007
Location: Bellingham/Gainesville
Programs: UA-G MM, Priority Club Platinum, Avis First, Hertz 5*, Red Lion
Posts: 2,808
Originally Posted by phkc070408
Just remember, in a few years we won't even be using passwords. We'll be using Passkeys.
How will the passkey be authenticated as a valid user?
prestonh is offline  
Old Jan 29, 2023, 12:21 am
  #630  
 
Join Date: Jan 2013
Location: Delaware
Programs: UA Mileage Plus, Amtrak Guest Rewards
Posts: 1,393
Being a layman on the topic, I get the impression that you'll register one device with each service and can then share the passkey among your devices. Again, I'm by far an expert on this.
phkc070408 is offline  

