SMS 2FA on United.com -- experiences / issues
 

I couldn't find any mention of this before, but I just logged into my MP account and instead of the usual "2FA" security questions I go a SMS 2FA code. I don't remember opting into this but this is a big improvement IMO (unless I'm in the air and for some reason wifi works but the sms doesn't go through, however rare that might be). Anyone else getting this?

https://cimg9.ibsrv.net/gimg/www.fly...ef2b9db75b.png

Must be selective testing, as I get (on a desktop)https://cimg6.ibsrv.net/gimg/www.fly...41d8d56556.png

Yep, definitely selective. Doesn't show up for any family members accounts either. A positive step though!

The "try a different way" lets me pick SMS, phone call, or email for code.

I don't get the old security question on my smart phone using the app

With access inflight free (when it is working) for united.com, UA gets around the inflight issue. But down internet will be an issue.

Depends on how sticky a trusted device is.

I got it online (Mac, Safari) yesterday. However, the situation was odd. I signed on as usual with 2FA, did a search, then hit Back to modify the search. Hitting Back apparently buggered something since all further search attempts failed, showing a "UA can't do this, please call" message. I quit the app, cleared cache, and attempted to sign onto the website again. When logging on again, I got the SMS code form. After entering the code, login was successful.

One additional detail. I had the same problem (failed searches following a Back) a few days ago. In that case - signing out, quitting, clearing cache - resulted in my not being able to log back in at all; the log-on page would merely blink on hitting Submit. Half-an-hour later, I was able to sign on. I repeated the Search, Back, Failure sequence and, again, after quitting I was not able to sign back on. I sent a note to CC noting a "bug" requesting that it be forwarded to the Web Desk. Maybe they were working on the SMS installation and things weren't quite in place?

Give us TOTP 2FA (Google Authenticator, Authy, etc.) and we'll be in business!

And by "positive step," you mean "complete waste of time that provides security theater but no actual security."

The biggest effect of so-called internet 2FA is that it's harder for you to regain control of your account after it's been hacked, as the hackers are better at breaching "2FA" systems than you are.

Your point is well taken that much of 2FA has holes in it. For me the primary point of 2FA is that I don't need to outrun the tiger, just the other runners. As long as my account is more difficult to hack, it is less interesting.

Yes, I know that my information has been, can be, and will be stolen time and time again without any involvement with me or any of my authentication factors, but I still turn on 2/MFA every chance I get and I vastly prefer authenticator apps and physical tokens to sms codes or challenge questions.

An authenticator app is an improvement over SMS, and a physical token better still. However, keep in mind that the airline industry is intentionally insecure, because there people whose job responsibility consists. almost solely, of managing others' travel plans. And any process that starts online, without an offline interaction of some kind, is never secure -- the "2FA" depends upon their single-factor identification of you the first time.

Just tried. I got the security questions, but I have noticed lately I have had UA ask me more often. I recently had to reconfirm my account, for example. I am mostly an AA flyer, so I don't use my UA account a lot, but have an active credit card and miles, and have been asked in some way to verify I am me more in the past month than any time in the past few years. Also, that is fine. Miles are worth a lot of money (sometimes ;)).

When I first read the thread title, I thought you could now send SMS messages to Flight Attendants.

So did I! I thought this was part of the "push button for champagne" idea bantered about for Polaris Plus!

I don't disagree there are better options than SMS. I'd love a world where we can use passkeys and hardware tokens, but how many of us have family members that would never do that and use the same password for everything across the internet?

And how many of us have family members who have been hacked and had money or identity stolen from them? :(

Annual subscriber signin asked for SMS code while inflight???
 

Just flew DSM-DEN and couldn't get onto internet with my annual subscription, on my laptop. Subscriber sign-in took me to united.com, I put in my credentials, and then it asked me for the 6-digit code it just sent as text to my phone ... which of course I couldn't access at 30,000 feet. Onboard wifi entertainment worked fine. Flight attendant suggested chat (had no idea that was option inflight) and chat guy had no idea what the problem could be but did send me an access code for "free" session for that flight - which did work.

Now at Club in DEN, called Mileage Plus Web support and the nice guy and everyone he asked had not heard of this problem. He had me sign into my UA.com and I got the same SMS code request (yesterday I still had the questions). He said "that is something IT is working on but I didn't think it was live yet." He suggested I stay logged into my UA account on my laptop and see if I can get on on my next flight here shortly.