UA initiates Account Security Update (Security Q&A authentication added 2016)
#631
Join Date: Jun 2004
Posts: 684
We can argue about the first assertion, but the second is most definitely false. I've had my credentials stolen (from another site that had an IT breach) and identity used illegally elsewhere after that. It was not a low-impact event to correct. While the theft of information in that case would not have been prevented by 2FA, the results were the same. The costs were substantial in terms of time and financial consequences.
#632
Join Date: Jan 2007
Location: Bellingham/Gainesville
Programs: UA-G MM, Priority Club Platinum, Avis First, Hertz 5*, Red Lion
Posts: 2,808
it still needs an authentication of the passkey, so the authentication (password/pin etc) moves from the site level to the device level. really does not change the need for a password/login security just where authentication happens.
#633
Moderator, Omni, Omni/PR, Omni/Games, FlyerTalk Posting Legend
Join Date: Oct 2004
Location: Between DCA and IAD
Programs: UA 1K MM; Hilton Diamond
Posts: 67,011
The thing I really dislike about 2FA (and MFA) is that not everyone has a cell phone at their side every moment. When I'm at the office, logging into any MFA site means rushing out to the phone lockers, bringing phone out of airplane mode, grabbing the code, then rushing back and hoping I jotted the code down correctly and that it hasn't been too long. Or if I'm on a plane using wifi and for some reason my web browser decides it needs to re-authenticate and only offers a voice call or text message for 2FA. Then the MFA authenticator apps also have their own issues, as I found when I upgraded my phone and had major issues moving Duo to the new phone for a couple of the sites & apps I use it for--one I essentially had to de-register the authenticator, then go through the rigmarole of adding it anew.
I get that I don't want to have to deal with the issues of someone stealing my miles, my Plus Points, messing with my existing reservations, etc., but the hassle of 2/MFA is too much for me.
I get that I don't want to have to deal with the issues of someone stealing my miles, my Plus Points, messing with my existing reservations, etc., but the hassle of 2/MFA is too much for me.
#634
FlyerTalk Evangelist
Join Date: Jul 2003
Location: BOS, PVG
Programs: United 1K and 1MM, Marriott Ambassador
Posts: 10,000
The thing I really dislike about 2FA (and MFA) is that not everyone has a cell phone at their side every moment. When I'm at the office, logging into any MFA site means rushing out to the phone lockers, bringing phone out of airplane mode, grabbing the code, then rushing back and hoping I jotted the code down correctly and that it hasn't been too long. Or if I'm on a plane using wifi and for some reason my web browser decides it needs to re-authenticate and only offers a voice call or text message for 2FA. Then the MFA authenticator apps also have their own issues, as I found when I upgraded my phone and had major issues moving Duo to the new phone for a couple of the sites & apps I use it for--one I essentially had to de-register the authenticator, then go through the rigmarole of adding it anew.
I get that I don't want to have to deal with the issues of someone stealing my miles, my Plus Points, messing with my existing reservations, etc., but the hassle of 2/MFA is too much for me.
I get that I don't want to have to deal with the issues of someone stealing my miles, my Plus Points, messing with my existing reservations, etc., but the hassle of 2/MFA is too much for me.
Other than SQ, is any airline using 2FA?
#635
Join Date: Sep 2006
Location: HNL
Programs: UA GS4MM, MR LT Plat, Hilton Gold
Posts: 6,447
We can argue about the first assertion, but the second is most definitely false. I've had my credentials stolen (from another site that had an IT breach) and identity used illegally elsewhere after that. It was not a low-impact event to correct. While the theft of information in that case would not have been prevented by 2FA, the results were the same. The costs were substantial in terms of time and financial consequences.
#636
Moderator: United Airlines
Join Date: Jun 2007
Location: SFO
Programs: UA Plat 1.99MM, Hyatt Discoverist, Marriott Plat/LT Gold, Hilton Silver, IHG Plat
Posts: 66,577
We can argue about the first assertion, but the second is most definitely false. I've had my credentials stolen (from another site that had an IT breach) and identity used illegally elsewhere after that. It was not a low-impact event to correct. While the theft of information in that case would not have been prevented by 2FA, the results were the same. The costs were substantial in terms of time and financial consequences.
Identity theft is a major, major pain, I handled my wife's incident, her issue likely came from one of the credit rating agencies breaches). But your UA profile will not be the source of that. I standby the comment of low consequences.
UA implemented the security questions less to protect you and more to protect UA from users' poor password habits -- and UA having to restore hacked miles.
#637
FlyerTalk Evangelist
Join Date: Sep 2002
Location: Between AUS, EWR, and YTO In a little twisty maze of airline seats, all alike...
Programs: CO, NW, & UA forum moderator emeritus
Posts: 35,339
As someone who is challenged in the use of opposable digits I find the chat feature frustratingly challenging. Between autocorrection features and having difficulty walking and focusing on a handheld device Im helpless. When I need to talk with an agent I need to talk.
#638
Join Date: Sep 2006
Location: HNL
Programs: UA GS4MM, MR LT Plat, Hilton Gold
Posts: 6,447
The amount of amount PI accessible from your UA account of use to identity theft is low, Name, birthday and residence is about the limit and all those are fairly available on the web with a google search (hence should be insufficient to open a damaging account).
I standby the comment of low consequences.
I standby the comment of low consequences.
If you could steal an identity based on United info we'd have all had our identities stolen long ago as the information is so easily found without hacking the United site.
#639
A FlyerTalk Posting Legend
Join Date: Apr 2004
Location: GVA (Greater Vancouver Area)
Programs: DREAD Gold; UA 1.035MM; Bonvoy Au-197; PCC Elite+; CCC Elite+; MSC C-12; CWC Au-197; WoH Dis
Posts: 52,110
#641
Join Date: Sep 2006
Location: HNL
Programs: UA GS4MM, MR LT Plat, Hilton Gold
Posts: 6,447
#642
Join Date: Nov 2007
Location: Washington DC
Programs: Former 1k, Lifetime UA Gold, Starwood Gold; Avis Preferred; Hertz Gold
Posts: 1,728
UA Account Hacked - Two Factor Authentication Question
I just wrestled control of my United account from some hackers in China. Pretty scary actually.
Got an email from United that my account had been updated. I couldn't log in on my laptop b/c the security questions had been changed. Managed to log into my mobile app and change the password. Saw they had changed my address to China. Fortunately reset the secuirty questions and nothing had been taken out of my account yet.
There is some mention in the site that you can enable 2 factor authentication - but I can't seem to locate how to turn this on.
I was so annoyed by Marriot's default 2 factor authentication - now I can't imagine not having 2 factor enabled. Time to update all of my passwords. Gosh.
Got an email from United that my account had been updated. I couldn't log in on my laptop b/c the security questions had been changed. Managed to log into my mobile app and change the password. Saw they had changed my address to China. Fortunately reset the secuirty questions and nothing had been taken out of my account yet.
There is some mention in the site that you can enable 2 factor authentication - but I can't seem to locate how to turn this on.
I was so annoyed by Marriot's default 2 factor authentication - now I can't imagine not having 2 factor enabled. Time to update all of my passwords. Gosh.
#643
A FlyerTalk Posting Legend
Join Date: Apr 2013
Location: PHX
Programs: AS 75K; UA 1MM; Hyatt Globalist; Marriott LTP; Hilton Diamond (Aspire)
Posts: 56,299
Glad to hear they weren't able to steal your miles!
#644
Join Date: Aug 2010
Location: Morris County, NJ
Programs: UA 1K/*G, Avis Pres, Marriott Plat
Posts: 2,296
I just wrestled control of my United account from some hackers in China. Pretty scary actually.
Got an email from United that my account had been updated. I couldn't log in on my laptop b/c the security questions had been changed. Managed to log into my mobile app and change the password. Saw they had changed my address to China. Fortunately reset the secuirty questions and nothing had been taken out of my account yet.
There is some mention in the site that you can enable 2 factor authentication - but I can't seem to locate how to turn this on.
I was so annoyed by Marriot's default 2 factor authentication - now I can't imagine not having 2 factor enabled. Time to update all of my passwords. Gosh.
Got an email from United that my account had been updated. I couldn't log in on my laptop b/c the security questions had been changed. Managed to log into my mobile app and change the password. Saw they had changed my address to China. Fortunately reset the secuirty questions and nothing had been taken out of my account yet.
There is some mention in the site that you can enable 2 factor authentication - but I can't seem to locate how to turn this on.
I was so annoyed by Marriot's default 2 factor authentication - now I can't imagine not having 2 factor enabled. Time to update all of my passwords. Gosh.
A true password manager (ala 1Password or whatever your preferred tool is) + completely randomized passwords + two-factor authentication is key. So glad you were able to wrestle control back from the bad guys - sadly that stuff happens WAY too often.
I do prefer non-SMS based TFA which is what irks me about Marriott, but otherwise agree - it's a good idea.
#645
Join Date: Mar 2014
Location: PWM
Programs: AA Plat
Posts: 1,332
How on earth were they able to get in without knowing your favorite car? I'm genuinely curious.
My AA acct was hacked this year and they have 2FA. Huge pain to fix. Of course, they only ask about 2% of the time so the odds of catching criminals is slim. I changed ALL my crummy passwords (yes I reuse them) but didn't bother with UA due to the security questions.
My AA acct was hacked this year and they have 2FA. Huge pain to fix. Of course, they only ask about 2% of the time so the odds of catching criminals is slim. I changed ALL my crummy passwords (yes I reuse them) but didn't bother with UA due to the security questions.