United’s New “Two-Factor Authentication” is Not

In a recent post at TechCrunch, columnist and engineer Jon Evans lays into United Airlines’ oddly antiquated concept of “two-factor authentication” on their MileagePlus® web and mobile properties. Hilarity ensues.

In the piece, Evans eviscerates the enormous carrier’s security strategy, noting the inherently inane decision to replace user-generated password security questions with drop-down selections such as “favorite pizza topping”. For their part, United cites the threat of keylogging malware as the justification for this security practice, which it terms “two-factor authentication”. Of course, it is nothing of the sort.

 


Evans makes the point that “…you don’t make your systems more secure by making them hard to use.” The issue is that consumers react to difficult authentication processes with “workarounds” that undermine the basic principles of the solution. In the case of predefined drop-down questions, users may simply pick the first selection for each instance. Likewise, frequent requests to change passwords, besides contributing to a lousy customer experience, can result in weaker passwords over time that may then end up being written down in multiple places for convenience’s sake.

Ultimately, the story highlights the disjointed state of digital strategy for many large enterprises. United Airlines — a Fortune 100 company — is a perfect example of a customer service-focused enterprise that is, ironically, lagging badly in the area of digital customer experience. With newer airlines such as Southwest, Virgin and other digitally savvy players gaining traction in the crowded market, this is not something United can afford to get wrong for much longer.

Being in the business of Customer Identity Management, we at Gigya have been proudly voicing our opinion that traditional password processes will soon go the way of the dodo. In the meantime, however, security chiefs and their teams have an obligation to keep their eye on the ball when devising password-driven authentication flows. Friction does not equal security. In fact the opposite is true, and worse, it hurts the customer experience. For United, as with many other big players across every industry, this kind of bad decision-making in the back office is costing them customers and, more importantly, reputation.


By David Kerin