Something You Know And… Something You Know

The email said:

To better protect your United MileagePlus® account, later this week, we’ll no longer allow the use of PINs and implement two-factor authentication.

This is united.com’s idea of two-factor authentication:

[Screenshot: united.com asking two security questions because my device is unknown]

It doesn’t count as proper “Something You Have” if you can bootstrap any new device into “Something You Have” with some more “Something You Know”.
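The same argument can be run as a design-review check: follow each authenticator's enrollment path and count how many distinct factor categories a login really depends on. This is an added example, not part of the original post; the authenticator table, the `hardware_token` contrast case and all function names are assumptions made for illustration.

```python
from itertools import product

# Constructed model (not united.com's real configuration): each authenticator
# has a factor category and, optionally, the authenticators that are enough
# to enroll a fresh instance of it.
AUTHENTICATORS = {
    "username": {"category": None, "bootstrap": None},  # identifier, no secret
    "password": {"category": "know", "bootstrap": None},
    "security_questions": {"category": "know", "bootstrap": None},
    "second_password_chars": {"category": "know", "bootstrap": None},
    # A "known device" that any new device can become by answering questions.
    "known_device": {"category": "have", "bootstrap": ["security_questions"]},
    # Hypothetical contrast: a token that can only be enrolled out of band.
    "hardware_token": {"category": "have", "bootstrap": None},
}


def alternatives(name, seen=frozenset()):
    """Every set of factor categories that suffices to present `name`."""
    auth = AUTHENTICATORS[name]
    own = frozenset([auth["category"]]) if auth["category"] else frozenset()
    options = {own}
    if auth["bootstrap"] and name not in seen:  # `seen` guards against cycles
        options |= combine(auth["bootstrap"], seen | {name})
    return options


def combine(names, seen=frozenset()):
    """Category sets that suffice to present all of `names` together."""
    per_name = [alternatives(n, seen) for n in names]
    return {frozenset().union(*choice) for choice in product(*per_name)}


def effective_factors(flow):
    """Smallest set of distinct categories that completes the login flow."""
    best = min(combine(flow), key=lambda s: (len(s), sorted(s)))
    return sorted(best)


if __name__ == "__main__":
    for flow in (["password", "known_device"],
                 ["password", "second_password_chars"],
                 ["username", "password"],
                 ["password", "hardware_token"]):
        print(flow, "->", effective_factors(flow))
```

Only the flow whose second authenticator cannot be enrolled with knowledge alone comes out as two categories.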

2 thoughts on “Something You Know And… Something You Know”

  1. Halifax / Lloyds banking group in the UK still do this. To log in to your e-banking, you need firstly your password, and then secondly … wait for it … 3 characters from your second password.

  2. Sigh… by that logic, having both a username and a password would count as two-factor. What’s the point in even trying?