Alaska Airlines

alaskaair.com

Last update: May 2024

 

Grade

50/100

F

 

Grade Breakdown

Username and Password Limitations

Alaska Airlines users log in with their custom user ID (which may or may not be their email address) or Mileage Plan number, plus a password. Alaska Airlines has the following password requirements:

  • 8 or more characters
  • 1 upper-case letter
  • 1 lower-case letter
  • 1 number

5/5

 

Multi-factor Authentication

Alaska Airlines offers no way to configure MFA for login.

0/5

 

"Forgot Login" Flows

Alaska Airlines has separate but similar flows for forgotten user ID and forgotten password.

The forgotten user ID flow asks for the user's full name, birthday, and email address. If everything is entered correctly, the user requests a verification code either via email or SMS (obscured versions of the email address and phone number are shown: e.g. "d*****n@gmail.com", "******5555"). After the correct code is entered, the user ID is displayed and the user can try logging in again.

A lookup error occurs if any of the personal information is incorrectly entered, including the email address.

The forgotten password flow is almost the same, except that the email address, user ID, or Mileage Plan number can be used in the first step.

In short: an attacker would have to intercept a user's email or SMS messages in order to break into their account using these flows. They could glean a little bit of information about which email address and phone number are associated with the account, but these are not used for logging in.

5/5

 

Account Change Notification

Alaska Airlines does not send any external notification if the account's email address or password is changed, meaning that if an attacker managed to log in, they could take over the account without the user knowing at all.

Changing the email address seemed too easy.

0/5
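
A sketch of the control this section finds missing, added here as an example (it is not Alaska Airlines' code and not from the original assessment): on an email or password change, the alert goes to the contact details on file before the change. `Account`, `Outbox` and the function names are hypothetical, and the addresses in any test data are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

@dataclass
class Account:
    user_id: str
    email: str
    password_hash: str
    phone: str = ""          # empty when no phone number is on file

@dataclass
class Outbox:
    """Stand-in for a mail/SMS gateway: records messages instead of sending."""
    messages: list = field(default_factory=list)

    def send(self, channel, to, body):
        self.messages.append((channel, to, body))

def mask_email(addr):
    # Same obscured style the page quotes, e.g. "d*****n@gmail.com"
    local, _, domain = addr.rpartition("@")
    tail = local[-1:] if len(local) > 1 else ""
    return f"{local[:1]}*****{tail}@{domain}"

def notify_owner(outbox, email, phone, what):
    when = datetime.now(timezone.utc).strftime("%Y-%m-%d %H:%M UTC")
    body = f"Your {what} on {when}. If this was not you, contact support."
    outbox.send("email", email, body)
    if phone:
        outbox.send("sms", phone, body)

def change_email(account, new_email, outbox):
    old_email = account.email
    if new_email.lower() == old_email.lower():
        return False
    account.email = new_email
    # Alert the address on file BEFORE the change: it is the only mailbox the
    # legitimate owner is sure to control if an intruder made the change.
    notify_owner(outbox, old_email, account.phone,
                 f"account email was changed to {mask_email(new_email)}")
    outbox.send("email", new_email, "This address was added to an account.")
    return True

def change_password(account, new_password_hash, outbox):
    account.password_hash = new_password_hash   # hashing happens upstream
    notify_owner(outbox, account.email, account.phone, "password was changed")
```
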

 

View Login History and Remote Logout

Alaska Airlines does not have a login history or remote logout feature.

0/5