
UA initiates Account Security Update (Security Q&A authentication added 2016)

Old Mar 5, 2024, 9:30 pm
  #661  
 
Join Date: May 2010
Location: AVP & PEK
Programs: UA 1K 1.9MM
Posts: 6,360
Originally Posted by escapefromphl
... with any IP address change prompting a challenge....
PLEASE no!
Xyzzy likes this.
narvik is offline  
Old Mar 5, 2024, 10:41 pm
  #662  
FlyerTalk Evangelist
 
Join Date: Dec 2006
Location: Pacific Northwest
Programs: UA Gold 1MM, AS 75k, AA Plat, Bonvoyed Gold, Honors Dia, Hyatt Explorer, IHG Plat, ...
Posts: 16,857
Originally Posted by United747

All I know is that the password was found in several leaks, whether they were United-related, I don’t know.
So you used the password on multiple sites? Never a good idea. I am not saying that 2FA isn’t a good thing to have for many sites, but the most basic measure of protection that you yourself can implement is to use a random (generated!) and unique complex password for every site you care about. Have your password manager generate and store the password.

I have hundreds of accounts, and know not a single password for any site anymore.
notquiteaff is online now  
Old Mar 5, 2024, 10:43 pm
  #663  
FlyerTalk Evangelist
 
Join Date: Oct 2001
Location: Austin, TX
Posts: 21,417
Originally Posted by United747
I agree with many of these points, but I think SIA has 2fa?
They have what is laughingly called "2FA," yes. It's frustrating for regular users and will do nothing to dissuade an actual hacker.

Originally Posted by United747
Can also be done by email, WhatsApp, Google Authenticator, etc.
As soon as you allow access via email, you've lost the battle.

Actual 2FA would require a token -- hard token or soft token -- that you received during a physical interaction with a United security specialist wherein you showed ID. And if you lose your token / get a new phone / etc., you can't use your account until you trek back to the airport and repeat the process. The vast majority of 2FA online is security theatre: if you can reset your "2FA" online, it's not 2FA.

Somebody's United account is, for the most part, a low-value target. Even people who keep millions of frequent flyer miles in their account -- Don't! Use them! -- don't really have much at risk. As the OP showed, if there's a breach, the impact is... you fly without status for a day.
jsloan is online now  
Old Mar 5, 2024, 10:57 pm
  #664  
 
Join Date: Feb 2010
Location: ORD
Programs: UA 1K
Posts: 4,220
Originally Posted by notquiteaff
So you used the password on multiple sites? Never a good idea. I am not saying that 2FA isn’t a good thing to have for many sites, but the most basic measure of protection that you yourself can implement is to use a random (generated!) and unique complex password for every site you care about. Have your password manager generate and store the password.

I have hundreds of accounts, and know not a single password for any site anymore.
Of course I did. I understand the benefit of a password manager (and use one for some things).

Originally Posted by jsloan
They have what is laughingly called "2FA," yes. It's frustrating for regular users and will do nothing to dissuade an actual hacker.


As soon as you allow access via email, you've lost the battle.

Actual 2FA would require a token -- hard token or soft token -- that you received during a physical interaction with a United security specialist wherein you showed ID. And if you lose your token / get a new phone / etc., you can't use your account until you trek back to the airport and repeat the process. The vast majority of 2FA online is security theatre: if you can reset your "2FA" online, it's not 2FA.

Somebody's United account is, for the most part, a low-value target. Even people who keep millions of frequent flyer miles in their account -- Don't! Use them! -- don't really have much at risk. As the OP showed, if there's a breach, the impact is... you fly without status for a day.
Agree that it’s a low value target, more so just a nuisance to get it back to functioning. But even if it’s not “real” 2fa, this would have been stopped.

We get a laugh at work that Concur now requires authentication (we only use expense), that’s a place where someone can gladly break in to submit my expense report for me.
United747 is online now  
Old Mar 5, 2024, 11:00 pm
  #665  
FlyerTalk Evangelist
 
Join Date: Mar 2002
Location: Saipan, MP 96950 USA (Commonwealth of the Northern Mariana Islands = the CNMI)
Programs: UA Silver, Hilton Silver. Life: UA .57 MM, United & Admirals Clubs (spousal), Marriott Platinum
Posts: 15,058
Originally Posted by 1KChinito (Post # 277)
One thing you can do easily is guard your record locator. If you have a paper boarding pass, never leave it unattended.
Also, be very careful about where one discards used baggage tags. I often bring mine home to shred.

Originally Posted by WineCountryUA (Post # 280)
Reused passwords is the most common hack. Another website is compromised and passwords leaked.
Strong unique passwords are the antidote.
Originally Posted by escapefromphl (Post # 281/658)
The issue is you can never remember them then.
Originally Posted by WineCountryUA (Post # 282/659)
Easily addressed with password managers
It is easy to remember hundreds of unique passwords through a personal algorithm.

For example, "Every Good Boy Does Fine!" (Egbdf!). Then add the year you changed the password. (Egbdf24!). Then add the first and last letters of the relevant business or website. E.g., United Airlines (us) or United (ud) (Egbdf24us!). Or you can advance the initial letter by one in the alphabet. E.g., United Airlines (vs) (Egbdf24vs!).

Since there are 26 letters in the alphabet, 26 x 26 = 676 potential passwords. Not all "unique" of course, but better than reusing a handful. For high risk transactions, one can also add special characters, and remind oneself in your bookmarks: (A) = (Alg.) = (Algorithm) Putting (A#) at the end of your United Airlines would mean the password was Egbdf24vs!# .

If you have a good system (algorithm), it can be easy to remember.

Last edited by SPN Lifer; Mar 6, 2024 at 11:29 pm
SPN Lifer is offline  
Old Mar 6, 2024, 7:49 am
  #666  
 
Join Date: Jul 2003
Location: SFO
Programs: COdbaUA Platinum 2MM
Posts: 5,532
Originally Posted by escapefromphl
The issue is you can never remember them then. UA needs to implement 2FA, with any IP address change prompting a challenge, it’s behind the curve and UA accounts are being targeted because of this.
Every time I log out of my own account and log into my spouse's UA account, it prompts me to answer two stored questions. After logging out of my spouse's account and logging into my own account, again, it prompts me to answer two stored questions.
1KChinito is offline  
Old Mar 6, 2024, 8:10 am
  #667  
FlyerTalk Evangelist
 
Join Date: Dec 2006
Location: Pacific Northwest
Programs: UA Gold 1MM, AS 75k, AA Plat, Bonvoyed Gold, Honors Dia, Hyatt Explorer, IHG Plat, ...
Posts: 16,857
Originally Posted by United747
Of course I did. I understand the benefit of a password manager (and use one for some things).
But why not for your UA account?

You are asking UA to do more to protect your account when you yourself haven’t followed the most basic password hygiene standards. That makes no sense to me and looks like you are shifting the blame for your inconvenience.

Originally Posted by 1KChinito
Every time I log out of my own account and log into my spouse's UA account, it prompts me to answer two stored questions. After logging out of my spouse's account and logging into my own account, again, it prompts me to answer two stored questions.
Yeah, that is not really 2FA. It’s effectively two additional passwords that you can’t freely choose. A second factor (in addition to a password you know) is something that you have, not more things you know.
notquiteaff is online now  
Old Mar 6, 2024, 8:12 am
  #668  
 
Join Date: Jan 2024
Posts: 76
I’m assuming it’s only a matter of time before they add passkey support as most major websites are headed in that direction if not already implemented. The problem with anything login-related is that you have to get people to adopt the new method. I don’t see companies *forcing* passkeys and getting rid of username/password logins anytime in the near future. If someone insists on still using their same username/password across all of their accounts, having the most secure login option in the world won’t make an ounce of difference.
DiminishedSeventh is online now  
Old Mar 6, 2024, 8:48 am
  #669  
 
Join Date: Feb 2010
Location: ORD
Programs: UA 1K
Posts: 4,220
Originally Posted by notquiteaff
But why not for your UA account?

You are asking UA to do more to protect your account when you yourself haven’t followed the most basic password hygiene standards. That makes no sense to me and looks like you are shifting the blame for your inconvenience.



Yeah, that is not really 2FA. It’s effectively two additional passwords that you can’t freely choose. A second factor (in addition to a password you know) is something that you have, not more things you know.
I haven’t blamed anyone for what happened. If you notice in my OP, I was strictly outlining my experience with what happened.

Call it what you want, but things like this are similar to me as people stealing my credit card number. Just things that happen in this day and age. It’s a nuisance, but everything is now back to normal with my account.

And nowhere am I demanding that United install 2fa. Merely a suggestion based off what I see in my day-to-day life. I will keep flying United even without it.
United747 is online now  
Old Mar 6, 2024, 10:52 am
  #670  
 
Join Date: Aug 2008
Location: PHL
Programs: UA 1K 1MM, Marriott Gold, IHG Platinum, Raddison Platinum, Avis Presidents Club
Posts: 5,271
Originally Posted by SPN Lifer
Also, be very careful about where one discards used baggage tags. I often bring mine home to shred.

It is easy to remember hundreds of unique passwords through a personal algorithm.

For example, "Every Good Boy Does Fine!" (Egbdf!). Then add the year you changed the password. (Egbdf24!). Then add the first and last letters of the relevant business or website. E.g., United Airlines (us) or United (ud) (Egbdf24us!). Or you can advance the initial letter by one in the alphabet. E.g., United Airlines (vs) (Egbdf24vs!).

Since there are 26 letters in the alphabet, 26 x 26 = 676 potential passwords. Not all "unique" of course, but better than reusing a handful. For high risk transactions, one can also add special characters, and remind oneself in your bookmarks: (A) = (Alg.) = (Algorithm) Putting (A#) at the end of your United Airlines would mean the password was Egbdf24vs!# .

If you have a good system (algorithm), it can be easy to remember.
Although this is better than reusing passwords, it still inherently has lower entropy than a randomly generated one.

And what is the danger of someone getting your baggage tag?

Originally Posted by DiminishedSeventh
I’m assuming it’s only a matter of time before they add passkey support as most major websites are headed in that direction if not already implemented. The problem with anything login-related is that you have to get people to adopt the new method. I don’t see companies *forcing* passkeys and getting rid of username/password logins anytime in the near future. If someone insists on still using their same username/password across all of their accounts, having the most secure login option in the world won’t make an ounce of difference.
Most companies aren't actually implementing passkeys and rather are outsourcing it. In that case, use of passkeys is often not actually any safer.
Bottom line, your accounts are only as safe as the weakest access method. For most, it's the "forgot password" feature which no company will remove.
SPN Lifer likes this.
eng3 is offline  
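
An added illustration of the entropy point in the post above (not part of any post in this thread): it implements the mnemonic-plus-site-letters scheme quoted there and compares it with a randomly generated password. It assumes that anyone who has seen one password from the scheme knows the fixed parts, so only the two site letters vary; the site list is constructed sample data.

```python
import math
import secrets
import string

BASE, YEAR = "Egbdf", "24"   # mnemonic and year used in the post's example
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
SAMPLE_SITES = ["United Airlines", "United", "Alaska Airlines",
                "American Airlines", "British Airways"]  # constructed sample list


def site_tag(site, shift_first=False):
    """First and last letter of the site name; optionally advance the first by one."""
    letters = [c for c in site.lower() if c.isalpha()]
    first, last = letters[0], letters[-1]
    if shift_first:
        first = chr((ord(first) - ord("a") + 1) % 26 + ord("a"))
    return first + last


def scheme_password(site, shift_first=False):
    """Password the post's personal algorithm produces for a site."""
    return f"{BASE}{YEAR}{site_tag(site, shift_first)}!"


def colliding_sites(sites):
    """Sites that end up sharing one password under the scheme."""
    groups = {}
    for site in sites:
        groups.setdefault(scheme_password(site), []).append(site)
    return {pw: names for pw, names in groups.items() if len(names) > 1}


def per_site_bits():
    """Assumption: the fixed parts are known, so only the two letters vary."""
    return math.log2(26 * 26)


def random_bits(length=16):
    """Entropy of a uniformly random password over ALPHABET."""
    return length * math.log2(len(ALPHABET))


def random_password(length=16):
    """Password-manager style generation using the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    print(scheme_password("United Airlines"), colliding_sites(SAMPLE_SITES))
    print(f"{per_site_bits():.1f} bits per site vs {random_bits():.1f} bits random")
    print(random_password())
```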
Old Mar 6, 2024, 11:12 am
  #671  
 
Join Date: Oct 2015
Location: SAN
Programs: 1K (since 2008), *G (since 1990), 1MM
Posts: 3,219
Originally Posted by United747
I haven’t blamed anyone for what happened. If you notice in my OP, I was strictly outlining my experience with what happened.

Call it what you want, but things like this are similar to me as people stealing my credit card number. Just things that happen in this day and age. It’s a nuisance, but everything is now back to normal with my account.

And nowhere am I demanding that United install 2fa. Merely a suggestion based off what I see in my day-to-day life. I will keep flying United even without it.
If United did not store my card details, passport details, and other personal information related to my identity I would not be concerned, but even my electricity supplier requires 2FA to access my account and the account is used to pay bills - I would love someone to hack into that account and pay my bill. Similar to the internet provider.

As you say you can live without the "benefits" of the status for a trip, United can refund fees used to obtain the status items, refund miles fraudulently taken from your account.

My concern is the amount of personal data stored in my personal profile and someone could easily access the information using the standard questions that United has - it is not even personalized it is one of a stock answer. The lack of security is astounding and 2FA would make it a little stronger.

I agree you were not requesting 2FA but I piggybacked off your post, as did others, as seeing this as an improvement over the current system United uses.

My 86 year old father does not like 2FA as he does not have a cellphone but he is a unicorn. [He actively manages his online accounts with voice recognition/personal calls to a landline.]
Aussienarelle is offline  
Old Mar 6, 2024, 12:08 pm
  #672  
A FlyerTalk Posting Legend
 
Join Date: Apr 2004
Location: GVA (Greater Vancouver Area)
Programs: DREAD Gold; UA 1.035MM; Bonvoy Au-197; PCC Elite+; CCC Elite+; MSC C-12; CWC Au-197; WoH Dis
Posts: 52,140
Originally Posted by Aussienarelle
My 86 year old father does not like 2FA as he does not have a cellphone but he is a unicorn.
I don't like 2FA using a cell phone simply because my phone is not glued to my hip like many people. I often have to go hunting for it when I need it.
SPN Lifer likes this.
mahasamatman is offline  
Old Mar 6, 2024, 12:08 pm
  #673  
FlyerTalk Evangelist
 
Join Date: Mar 2014
Location: 4éme
Posts: 12,044
Originally Posted by WineCountryUA
There are major issues with common 2FA for the international / air traveler. What other air carrier has what you want?
LH(Miles&More), AF, BA
TomMM is online now  
Old Mar 6, 2024, 12:28 pm
  #674  
A FlyerTalk Posting Legend
 
Join Date: Apr 2004
Location: GVA (Greater Vancouver Area)
Programs: DREAD Gold; UA 1.035MM; Bonvoy Au-197; PCC Elite+; CCC Elite+; MSC C-12; CWC Au-197; WoH Dis
Posts: 52,140
Originally Posted by TomMM
LH(Miles&More), AF, BA
I don't know about the others, but BA is the least secure of all. They have simple passwords with no additional requirements. They don't even require capital letters, numbers, or special characters.
mahasamatman is offline  
Old Mar 6, 2024, 12:29 pm
  #675  
Moderator: United Airlines
 
Join Date: Jun 2007
Location: SFO
Programs: UA Plat 1.997MM, Hyatt Discoverist, Marriott Plat/LT Gold, Hilton Silver, IHG Plat
Posts: 66,859
Originally Posted by TomMM
LH(Miles&More), AF, BA
Just looked at BA forum and it appears to be new and not very popular
Originally Posted by linz36
....The options are SMS or One-Time-Password (OTP) via an app. ....
SMS in flight is a problem and requires local phone service which many prefer not to purchase even if available.
2FA via the app is hilarious, I am using the app and the app is going to give me the code -- that is not 2FA. Not a second method. That's like calling UA to do and the agent tells you the need answers to the security code.

While UA does provide some messaging service for free in flight, they are few select proprietary providers and many don't use them. But UA does provide united.com access for free.

These are typical issues for 2FA for the international traveler.
WineCountryUA is offline  

