New Log In Security Procedure Now In Place For MileagePlus Accounts — But…

Effective as of today, United Airlines has finally implemented its new log in security procedures for access to the accounts of members of the MileagePlus frequent flier loyalty program — but some members complain that the procedures are too secure.

As part of its section of frequently asked questions pertaining to the aforementioned new security procedures, United Airlines has included the following text:

“In August 2016, we’ll also add two-factor authentication to the sign-in process. You’ll be asked to answer your security questions the first time you sign in on a web browser and device that we don’t recognize. Examples of web browsers include Google Chrome, Internet Explorer, Safari and Mozilla Firefox. If you sign in from a new browser, you’ll be asked your security questions even if you’ve signed in from the same device before.”

Two-factor authentication supposedly ensures that your MileagePlus account is even more secure. When you attempt to sign in to your MileagePlus account, “we’ll check if you’ve signed in from the same browser and device before and if not, you’ll just need to answer your security questions.”

This is to prevent someone else from easily signing into your MileagePlus account — even if he or she was somehow able to obtain your MileagePlus frequent flier loyalty program number and password…

…but might it work too well?

The Challenge of Logging In

You cannot log into your MileagePlus account with your e-mail address; so you must remember your MileagePlus frequent flier loyalty program account number. Fortunately, I have mine memorized from when I was a member of the OnePass frequent flier loyalty program of Continental Airlines; and my OnePass account number has been used for my MileagePlus account since 2012.

I already encountered my first challenge when logging into my MileagePlus account; and even though I have logged in to it in the past with my laptop computer, my device was not recognized. Fortunately, I had no problem or issue answering two of the security questions for which I previously supplied information, as I actually remembered the answers.

The option of remembering a device is available. How well it will work in the future remains to be seen…

…but not everyone experienced accessing their MileagePlus accounts without issues.

“Using my iPad and accessing via United’s app: challenged, answered where I was told that ‘something went wrong’ and to try again”, FlyerTalk member goalie reported. “Tried again with the same result. Tapped the home icon on the app and to my surprise that even after being told that ‘something went wrong’, I was logged in and able to access my account, reservations and etc”

FlyerTalk member Markie — who hails from the United Kingdom and is also known as Mark Beattie of Miles From Blighty — was frustrated. “I got mine this morning — forgot answers — the questions are so US centric — no one in the rest of the world teaches ‘Band’!”

Why You Cannot Customize Security Questions and Answers

Saying that “.bomb is so screwed up that I frequently have to clear cookies to make a booking. You can tell it uses cookies in that it often remembers a previous search you did. Symptom is you are booking a rt and after selecting the outbound flight you get a meaningless error” and anticipating potential problems and issues in the future, FlyerTalk member MojaveFlyer asked, “So I suppose every time I do that I’ll have to pull up my file that lists the answers (because I certainly can’t remember my answers to someone else’s questions) and verify again?”

That question was in reference to the questions not being customized enough for users to be able to input their preferences so that answers would be easier to remember — and yet still secure. I personally do not care for the idea of mashed potatoes as a favorite topping for my pizza, as I would much prefer anchovies — as apparently would FlyerTalk member Syzygies. “Anchovies weren’t even a choice. Huh?”

United Airlines has apparently “conducted a lot of research into the security issues our customers face and found that the majority of issues can be traced to computer viruses that record typing” known as keystroke logging. “We purposely chose to use predefined answers to protect your account against this type of intrusion.”

Additionally, United Airlines used to allow people to write their own questions and answers — and “many users struggled to come up with secure options. For example, their security ‘question’ would just be their password written out. Implementing the new security questions and answers has helped decrease account security issues significantly.”

United Airlines addresses the concern that you do not believe that you will be able to remember the answers to the questions: “We tried to create questions that have memorable, unique answers, but if you really don’t think you can remember your answers, it’s perfectly fine to save them to a password manager. We hope you can find questions that you’ll remember, though – we’re working on adding more of them. You can go back and change your questions and answers to add the new ones, if you want. Please keep in mind that you’ll have to change all of your questions, not just one or two.”

What a great solution. Thanks.

The “Remember this device” option uses cookies, which are small bits of information stored on your computer in your browser. If your browser is set up to remove cookies regularly, the “Remember this device” option will not work — which seems to be the reason for the concern expressed by MojaveFlyer.
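To make the cookie behaviour concrete, here is an added sketch (not United's code, and not from the original article) of how a server can recognise a remembered browser with a signed cookie and fall back to the security questions when the cookie is absent. The cookie name `remembered_device`, the token format, the server key and the account number are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Assumption: a server-side secret; a real service would load it from a key store.
SERVER_KEY = secrets.token_bytes(32)
COOKIE_NAME = "remembered_device"  # hypothetical cookie name


def _tag(account: str, device_id: str) -> str:
    msg = f"{account}|{device_id}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_device_cookie(account: str) -> str:
    """Cookie value set after the member ticks "Remember this device"."""
    device_id = secrets.token_hex(16)  # random identifier for this browser
    return f"{device_id}.{_tag(account, device_id)}"


def is_remembered(account: str, cookie) -> bool:
    """True only if this server issued the cookie for this account."""
    if not cookie or cookie.count(".") != 1:
        return False  # cookies cleared, or a browser that never stored one
    device_id, tag = cookie.split(".")
    return hmac.compare_digest(tag.encode(), _tag(account, device_id).encode())


def sign_in(account: str, password_ok: bool, cookie_jar: dict) -> str:
    if not password_ok:
        return "denied"
    if is_remembered(account, cookie_jar.get(COOKIE_NAME)):
        return "signed in"
    return "security questions"


def demo() -> list:
    account = "XX000000"      # constructed account number
    safari, chrome = {}, {}   # each browser keeps its own cookie jar
    results = [sign_in(account, True, safari)]       # first visit
    safari[COOKIE_NAME] = issue_device_cookie(account)
    results.append(sign_in(account, True, safari))   # remembered browser
    results.append(sign_in(account, True, chrome))   # same device, other browser
    safari.clear()                                   # browser removes cookies
    results.append(sign_in(account, True, safari))
    return results


if __name__ == "__main__":
    print(demo())
```

Because the cookie lives in one browser's storage, a second browser on the same device, or the same browser after its cookies are cleared, is indistinguishable from a new device.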

Calling In Via Telephone: You Will Need Your Password

If you contact United Airlines via telephone, you will be asked for your password when using the automated system or for your security answers when you speak to a representative of United Airlines. “For security purposes, if you’re asked for your password you will only need to share the first five characters.”

I have not tried this as of yet; but I certainly hope that one option of submitting a password will be using the keypad on the telephone and not having to audibly voice the first five characters of a password. I am no security expert and I may likely be incorrect; but that just does not sound very secure to me.

Summary

With the increase of the breaching of the accounts of frequent travel loyalty programs, security does need to be increased — I was not happy whatsoever when my Starwood Preferred Guest account was compromised and wiped out of my points, which I eventually recovered — but not to a point where it significantly inconveniences the members of those accounts.

I advocated why logging into a MileagePlus account should require an actual password and not simply a personal identification number of only four digits; and at least United Airlines listened

…but United Airlines went too far with the two-factor authentication method of accessing an account. Surely there are easier ways for members to access their MileagePlus accounts while still keeping them secure?

Photograph ©2013 by Brian Cohen.

3 thoughts on “New Log In Security Procedure Now In Place For MileagePlus Accounts — But…”

  1. r hirsch says:

    i logged in via safari browser and clicked the “remember this device” option. then, i wondered what would happen if i used chrome. i did. and i had to go through the security questions again. apparently it’s more of a “remember this browser on this device” option.

  2. Mike says:

    I registered so long ago I can’t remember what my MileagePlus security questions were. Just to be contrary, I answered truthfully. It worked.

  3. Annoyed 1K says:

    Wow, united.com has just become the laughing stock of the black hat community.

    Claiming pre-selected questions and answers to be Two-factor is a bit like claiming your obese mother-in-law sleeping in the attic is a home-security system.
