The email said:
To better protect your United MileagePlus® account, later this week, we’ll no longer allow the use of PINs and implement two-factor authentication.
This is united.com’s idea of two-factor authentication:
It doesn’t count as proper “Something You Have”, if you can bootstrap any new device into “Something You Have” with some more “Something You Know”.
Halifax / Lloyds banking group in the UK still do this. To log in to your e-banking, you need firstly your password, and then secondly ….. wait for it … 3 characters from your second password.
Sigh… by that logic, having both a username and a password would count as two-factor. What’s the point in even trying?