UA initiates Account Security Update (Security Q&A authentication added 2016)
#662
FlyerTalk Evangelist
Join Date: Dec 2006
Location: Pacific Northwest
Programs: UA Gold 1MM, AS 75k, AA Plat, Bonvoyed Gold, Honors Dia, Hyatt Explorer, IHG Plat, ...
Posts: 16,857
I have hundreds of accounts, and know not a single password for any site anymore.
#663
FlyerTalk Evangelist
Join Date: Oct 2001
Location: Austin, TX
Posts: 21,417
They have what is laughingly called "2FA," yes. It's frustrating for regular users and will do nothing to dissuade an actual hacker.
As soon as you allow access via email, you've lost the battle.
Actual 2FA would require a token -- hard token or soft token -- that you received during a physical interaction with a United security specialist wherein you showed ID. And if you lose your token / get a new phone / etc., you can't use your account until you trek back to the airport and repeat the process. The vast majority of 2FA online is security theatre: if you can reset your "2FA" online, it's not 2FA.
Somebody's United account is, for the most part, a low-value target. Even people who keep millions of frequent flyer miles in your account -- Don't! Use them! -- don't really have much at risk. As the OP showed, if there's a breach, the impact is... you fly without status for a day.
#664
So you used the password on multiple sites? Never a good idea. I am not saying that 2FA isn’t a good thing to have for many sites, but the most basic measure of protection that you yourself can implement is to use a random (generated!) and unique complex password for every site you care about. Have your password manager generate and store the password.
I have hundreds of accounts, and know not a single password for any site anymore.
They have what is laughingly called "2FA," yes. It's frustrating for regular users and will do nothing to dissuade an actual hacker.
As soon as you allow access via email, you've lost the battle.
Actual 2FA would require a token -- hard token or soft token -- that you received during a physical interaction with a United security specialist wherein you showed ID. And if you lose your token / get a new phone / etc., you can't use your account until you trek back to the airport and repeat the process. The vast majority of 2FA online is security theatre: if you can reset your "2FA" online, it's not 2FA.
Somebody's United account is, for the most part, a low-value target. Even people who keep millions of frequent flyer miles in your account -- Don't! Use them! -- don't really have much at risk. As the OP showed, if there's a breach, the impact is... you fly without status for a day.
We get a laugh at work that Concur now requires authentication (we only use expense); that’s a place where someone can gladly break in to submit my expense report for me.
#665
FlyerTalk Evangelist
Join Date: Mar 2002
Location: Saipan, MP 96950 USA (Commonwealth of the Northern Mariana Islands = the CNMI)
Programs: UA Silver, Hilton Silver. Life: UA .57 MM, United & Admirals Clubs (spousal), Marriott Platinum
Posts: 15,058
For example, "Every Good Boy Does Fine!" (Egbdf!). Then add the year you changed the password. (Egbdf24!). Then add the first and last letters of the relevant business or website. E.g., United Airlines (us) or United (ud) (Egbdf24us!). Or you can advance the initial letter by one in the alphabet. E.g., United Airlines (vs) (Egbdf24vs!).
Since there are 26 letters in the alphabet, 26 x 26 = 676 potential passwords. Not all "unique" of course, but better than reusing a handful. For high risk transactions, one can also add special characters, and remind oneself in your bookmarks: (A) = (Alg.) = (Algorithm) Putting (A#) at the end of your United Airlines would mean the password was Egbdf24vs!# .
If you have a good system (algorithm), it can be easy to remember.
Last edited by SPN Lifer; Mar 6, 2024 at 11:29 pm
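An added example, not part of the post above: the scheme it describes written out in Python, to show how little changes between sites (the post's own 676 figure is about 9.4 bits) compared with a randomly generated password of the kind recommended earlier in the thread. The site name "Uber Eats" is constructed here to show a collision; the 20-character length for the generated password is an assumption.

```python
import math
import secrets
import string

BASE = "Egbdf"  # mnemonic from the post: "Every Good Boy Does Fine"
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def site_tag(site: str, shift_first: bool = False) -> str:
    """First and last letters of the site name, lower-cased, as in the post."""
    letters = [c for c in site.lower() if c.isalpha()]
    first, last = letters[0], letters[-1]
    if shift_first:  # the post's variant: advance the initial letter by one
        first = chr((ord(first) - ord("a") + 1) % 26 + ord("a"))
    return first + last


def scheme_password(site: str, year: int, shift_first: bool = False) -> str:
    """Base mnemonic + two-digit year + site tag + '!'."""
    return f"{BASE}{year % 100:02d}{site_tag(site, shift_first)}!"


def per_site_bits() -> float:
    """Bits contributed by the only part that differs between sites (26 x 26)."""
    return math.log2(26 * 26)


def random_password(length: int = 20) -> str:
    """Generated password drawn from a CSPRNG, as a password manager would."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def random_bits(length: int = 20) -> float:
    """Entropy of a uniformly random password of the given length."""
    return length * math.log2(len(ALPHABET))


if __name__ == "__main__":
    for site in ("United Airlines", "United", "Uber Eats"):  # last one constructed
        print(f"{site:16} -> {scheme_password(site, 2024)}")
    print("shifted variant  ->", scheme_password("United Airlines", 2024, True))
    print(f"per-site variation: {per_site_bits():.1f} bits")
    print(f"20-char generated:  {random_bits():.1f} bits")
```

Two different sites whose names share first and last letters get the same password under the scheme, and every password shares the base and year, which is the reuse problem the generated-password advice avoids.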
#666
Join Date: Jul 2003
Location: SFO
Programs: COdbaUA Platinum 2MM
Posts: 5,532
Every time I log out of my own account and log into my spouse's UA account, it prompts me to answer two stored questions. After logging out of my spouse's account and logging into my own account, again, it prompts me to answer two stored questions.
#667
FlyerTalk Evangelist
Join Date: Dec 2006
Location: Pacific Northwest
Programs: UA Gold 1MM, AS 75k, AA Plat, Bonvoyed Gold, Honors Dia, Hyatt Explorer, IHG Plat, ...
Posts: 16,857
You are asking UA to do more to protect your account when you yourself haven’t followed the most basic password hygiene standards. That makes no sense to me and looks like you are shifting the blame for your inconvenience.
Yeah, that is not really 2FA. It’s effectively two additional passwords that you can’t freely choose. A second factor (in addition to a password you know) is something that you have, not more things you know.
#668
Join Date: Jan 2024
Posts: 76
I’m assuming it’s only a matter of time before they add passkey support as most major websites are headed in that direction if not already implemented. The problem with anything login-related is that you have to get people to adopt the new method. I don’t see companies *forcing* passkeys and getting rid of username/password logins anytime in the near future. If someone insists on still using their same username/password across all of their accounts, having the most secure login option in the world won’t make an ounce of difference.
#669
But why not for your UA account?
You are asking UA to do more to protect your account when you yourself haven’t followed the most basic password hygiene standards. That makes no sense to me and looks like you are shifting the blame for your inconvenience.
Yeah, that is not really 2FA. It’s effectively two additional passwords that you can’t freely choose. A second factor (in addition to a password you know) is something that you have, not more things you know.
Call it what you want, but things like this are similar to me as people stealing my credit card number. Just things that happen in this day and age. It’s a nuisance, but everything is now back to normal with my account.
And nowhere am I demanding that United install 2fa. Merely a suggestion based off what I see in my day-to-day life. I will keep flying United even without it.
#670
Join Date: Aug 2008
Location: PHL
Programs: UA 1K 1MM, Marriott Gold, IHG Platinum, Raddison Platinum, Avis Presidents Club
Posts: 5,271
Also, be very careful about where one discards used baggage tags. I often bring mine home to shred.
It is easy to remember hundreds of unique passwords through a personal algorithm.
For example, "Every Good Boy Does Fine!" (Egbdf!). Then add the year you changed the password. (Egbdf24!). Then add the first and last letters of the relevant business or website. E.g., United Airlines (us) or United (ud) (Egbdf24us!). Or you can advance the initial letter by one in the alphabet. E.g., United Airlines (vs) (Egbdf24vs!).
Since there are 26 letters in the alphabet, 26 x 26 = 676 potential passwords. Not all "unique" of course, but better than reusing a handful. For high risk transactions, one can also add special characters, and remind oneself in your bookmarks: (A) = (Alg.) = (Algorithm) Putting (A#) at the end of your United Airlines would mean the password was Egbdf24vs!# .
If you have a good system (algorithm), it can be easy to remember.
And what is the danger of someone getting your baggage tag?
I’m assuming it’s only a matter of time before they add passkey support as most major websites are headed in that direction if not already implemented. The problem with anything login-related is that you have to get people to adopt the new method. I don’t see companies *forcing* passkeys and getting rid of username/password logins anytime in the near future. If someone insists on still using their same username/password across all of their accounts, having the most secure login option in the world won’t make an ounce of difference.
Bottom line, your accounts are only as safe as the weakest access method. For most, it's the "forgot password" feature which no company will remove.
#671
Join Date: Oct 2015
Location: SAN
Programs: 1K (since 2008), *G (since 1990), 1MM
Posts: 3,219
I haven’t blamed anyone for what happened. If you notice in my OP, I was strictly outlining my experience with what happened.
Call it what you want, but things like this are similar to me as people stealing my credit card number. Just things that happen in this day and age. It’s a nuisance, but everything is now back to normal with my account.
And nowhere am I demanding that United install 2fa. Merely a suggestion based off what I see in my day-to-day life. I will keep flying United even without it.
As you say you can live without the "benefits" of the status for a trip, United can refund fees used to obtain the status items, refund miles fraudulently taken from your account.
My concern is the amount of personal data stored in my personal profile and someone could easily access the information using the standard questions that United has - it is not even personalized, it is one of a stock answer. The lack of security is astounding and 2FA would make it a little stronger.
I agree you were not requesting 2FA but I piggybacked off your post, as did others, as seeing this as an improvement over the current system United uses.
My 86 year old father does not like 2FA as he does not have a cellphone but he is a unicorn. [He actively manages his online accounts with voice recognition/personal calls to a landline.]
#672
A FlyerTalk Posting Legend
Join Date: Apr 2004
Location: GVA (Greater Vancouver Area)
Programs: DREAD Gold; UA 1.035MM; Bonvoy Au-197; PCC Elite+; CCC Elite+; MSC C-12; CWC Au-197; WoH Dis
Posts: 52,140
#674
A FlyerTalk Posting Legend
Join Date: Apr 2004
Location: GVA (Greater Vancouver Area)
Programs: DREAD Gold; UA 1.035MM; Bonvoy Au-197; PCC Elite+; CCC Elite+; MSC C-12; CWC Au-197; WoH Dis
Posts: 52,140
#675
Moderator: United Airlines
Join Date: Jun 2007
Location: SFO
Programs: UA Plat 1.997MM, Hyatt Discoverist, Marriott Plat/LT Gold, Hilton Silver, IHG Plat
Posts: 66,859
Just looked at BA forum and it appears to be new and not very popular
SMS in flight is a problem and requires local phone service which many prefer not to purchase even if available.
2FA via the app is hilarious, I am using the app and the app is going to give me the code -- that is not 2FA. Not a second method. That's like calling UA to do and the agent tells you the need answers to the security code.
While UA does provide some messaging service for free in flight, they are few select proprietary providers and many don't use them. But UA does provide united.com access for free.
These are typical issues for 2FA for the international traveler.