jpezaris

We can argue about the first assertion, but the second is most definitely false. I've had my credentials stolen (from another site that had an IT breach) and identity used illegally elsewhere after that. It was not a low-impact event to correct. While the theft of information in that case would not have been prevented by 2FA, the results were the same. The costs were substantial in terms of time and financial consequences.

prestonh

it still needs an authentication of the passkey, so the authentication (password/pin etc) moves from the site level to the device level. really does not change the need for a password/login security just where authentication happens.

exerda

The thing I really dislike about 2FA (and MFA) is that not everyone has a cell phone at their side every moment. When I'm at the office, logging into any MFA site means rushing out to the phone lockers, bringing phone out of airplane mode, grabbing the code, then rushing back and hoping I jotted the code down correctly and that it hasn't been too long. Or if I'm on a plane using wifi and for some reason my web browser decides it needs to re-authenticate and only offers a voice call or text message for 2FA. Then the MFA authenticator apps also have their own issues, as I found when I upgraded my phone and had major issues moving Duo to the new phone for a couple of the sites & apps I use it for--one I essentially had to de-register the authenticator, then go through the rigmarole of adding it anew.

I get that I don't want to have to deal with the issues of someone stealing my miles, my Plus Points, messing with my existing reservations, etc., but the hassle of 2/MFA is too much for me.

kb1992

Totally agreed.

Other than SQ, is any airline using 2FA?

HNLbasedFlyer

An airline site?

WineCountryUA

The amount of amount PI accessible from your UA account of use to identity theft is low, Name, birthday and residence is about the limit and all those are fairly available on the web with a google search (hence should be insufficient to open a damaging account). Credit card data is just last four digits and security code is not retain in your profile, Neither is Social Security id or account password. Identity theft is generally not done by hacking an individual profile but rather hacking the central database that is not properly encrypted.

Identity theft is a major, major pain, I handled my wife's incident, her issue likely came from one of the credit rating agencies breaches). But your UA profile will not be the source of that. I standby the comment of low consequences.

UA implemented the security questions less to protect you and more to protect UA from users' poor password habits -- and UA having to restore hacked miles.

Xyzzy

h - I absolutely agree that it's not perfect. But sometimes I don't have 30min to wait on hold or I'm on an airplane and can't call. The chat feature has been remarkably useful then (though the agents seem incapable of actually reading my requests sometimes, like "Put person X in E+ seat YYn near me but do not move my seat at all.")

HNLbasedFlyer

And that only scratches the surface of what is publicly available on the web - siblings/spouse/past spouses/children, employer information, education, court records, and on and on are easily found on practically everyone unless you've gone deep deep underground - and if you are that deep underground you probably shouldn't be using practically anything on the web or any app.

If you could steal an identity based on United info we'd have all had our identities stolen long ago as the information is so easily found without hacking the United site.

mahasamatman

AC uses a form of 2FA.

cbchicago

When your account is hacked for 6 Home Depot Gift Cards ([email protected],000) you will appreciate any increased security measures. :

HNLbasedFlyer

Details and resolution?