American Airlines

aa.com

Last update: February 2024

 

Grade

62/100

D-

 

Grade Breakdown

Username and Password Limitations

American Airlines users log in with their custom username or AAdvantage number, last name, and password. American Airlines has the following password requirements:

  • Between 6 and 16 characters

Minus 1 point for the 6-character password minimum, which is extremely weak and shouldn't be allowed: six characters is a small enough keyspace that offline guessing becomes practical if the password hashes ever leak. Minus 2 points for the 16-character maximum, which blocks long passphrases and caps how strong a password a careful user is even allowed to choose.

2/5
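The reasoning behind those deductions, as an added example that is not part of the original page and not American Airlines' code: the 6-to-16 rule reported above is modelled beside a policy following the NIST SP 800-63B recommendations (at least 8 characters, at least 64 permitted, screening against known-compromised values). The policy names, the sample passwords, the small blocklist and the guess rate are constructed for illustration.

```python
"""Password-policy comparison: the 6-16 character rule above beside a
NIST SP 800-63B style policy. Constructed example, not aa.com's code."""
import math
from dataclasses import dataclass, field


@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    min_len: int
    max_len: int
    # Known-compromised passwords to reject. A real deployment would query a
    # breached-password corpus; this inline set is a constructed stand-in.
    blocklist: frozenset = field(default_factory=frozenset)


# The rule the page reports for aa.com.
AA_POLICY = PasswordPolicy("aa.com (reported)", min_len=6, max_len=16)

# NIST 800-63B style: min 8, permit at least 64, screen compromised values.
# Blocklist contents are constructed sample data.
NIST_POLICY = PasswordPolicy(
    "NIST 800-63B style",
    min_len=8,
    max_len=64,
    blocklist=frozenset({"password", "123456", "qwerty", "abc123", "aa1234"}),
)


def check(password: str, policy: PasswordPolicy) -> list:
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(password) < policy.min_len:
        problems.append(f"shorter than {policy.min_len}")
    if len(password) > policy.max_len:
        problems.append(f"longer than {policy.max_len}")
    if password.lower() in policy.blocklist:
        problems.append("on the blocklist")
    return problems


def guess_space_bits(length: int, alphabet_size: int = 95) -> float:
    """Size of the full keyspace for `length` characters drawn from an
    alphabet of `alphabet_size` symbols (95 = printable ASCII), in bits.
    Applied to a policy's minimum it bounds the weakest password allowed;
    applied to the maximum it caps the strongest one a user may choose."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(length: int, guesses_per_second: float,
                       alphabet_size: int = 95) -> float:
    """Wall-clock time to try every password of `length` characters at a
    given guess rate. The rate is an assumption; it depends entirely on the
    hash algorithm and the attacker's hardware."""
    return alphabet_size ** length / guesses_per_second


if __name__ == "__main__":
    for pw in ("abc123", "correct horse battery staple"):
        for pol in (AA_POLICY, NIST_POLICY):
            verdict = check(pw, pol) or ["accepted"]
            print(f"{pol.name:20} {pw!r}: {', '.join(verdict)}")
    print(f"6 chars  = {guess_space_bits(6):.1f} bits, "
          f"{seconds_to_exhaust(6, 1e10):.0f} s at 1e10 guesses/s (assumed rate)")
    print(f"16 chars = {guess_space_bits(16):.1f} bits (the ceiling aa.com imposes)")
```

The two sample passwords show the asymmetry: the trivial 6-character value passes the reported policy and fails the NIST-style one, while the 28-character passphrase is rejected by the reported policy only because of its maximum.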

 

Multi-factor Authentication

American Airlines requires email-based MFA on every login. Email is a weaker second factor than an authenticator app or security key, because whoever controls the mailbox also controls the recovery flows described below.

4/5

 

"Forgot Login" Flows

American Airlines has different flows for recovering the AAdvantage number and resetting the password.

The "Forgot my AAdvantage number" flow asks for the user's full name and email address, then emails the AAdvantage number to that address if it belongs to an account. The confirmation message shown afterwards is the same whether or not the email address matched, so this flow cannot be used to enumerate which email addresses have accounts.

The "Forgot my password" flow asks for the user's full name and either username or AAdvantage number. It then offers a choice between answering 3 security questions or having a new temporary password sent by email. The former option leads directly to a password reset screen. The latter option sends the email immediately, without asking for an address, and shows a message that reveals only the last character of the local-part and the domain (e.g. "******n@gmail.com"). Because the temporary password replaces the current one, the old password stops working as soon as the email is sent. An attacker who knows a user's full name and username or AAdvantage number can therefore lock the user out repeatedly even without being able to read the email.

In short: to take over an account through these flows, an attacker needs access to the user's mailbox or the answers to their three security questions. The forgotten-password flow, however, can be used to disrupt the user with nothing more than their name and username or AAdvantage number.

4/5
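A runnable model of the two recovery behaviours discussed above, as an added example that is not part of the original page and not American Airlines' code: `reset_temporary_password` reproduces the disruptive design (the current password is replaced the moment the request is made), while `request_reset`/`complete_reset` show the usual hardened alternative, a short-lived single-use token that leaves the existing password untouched until the mailbox holder completes the reset. Both return the same generic reply for known and unknown identifiers, the enumeration-safe behaviour the page notes for the AAdvantage-number lookup. The user record, the outbox, the token lifetime and the plaintext password storage are constructed assumptions for illustration.

```python
"""Two password-recovery designs side by side. Constructed example, not
American Airlines' code; store, outbox and token TTL are assumptions."""
import hashlib
import hmac
import secrets
import time

# Constructed in-memory user store (plaintext passwords for brevity only;
# a real store holds salted password hashes).
USERS = {
    "jsmith": {"email": "john@example.com", "password": "OldSecret1"},
}
# Constructed outbox: list of (recipient, body), standing in for an SMTP relay.
OUTBOX = []

# Identical response for known and unknown identifiers: no account enumeration.
GENERIC_REPLY = "If the details match an account, an email has been sent."


def mask_email(addr: str) -> str:
    """Show only the last character of the local-part plus the domain,
    matching the ******n@gmail.com shape described above."""
    local, domain = addr.rsplit("@", 1)
    return "*" * (len(local) - 1) + local[-1] + "@" + domain


def reset_temporary_password(username: str) -> str:
    """The design the page describes: a temporary password replaces the
    current one immediately, so anyone who can submit the form can lock the
    legitimate user out without ever reading the email."""
    user = USERS.get(username)
    if user:
        temp = secrets.token_urlsafe(9)
        user["password"] = temp  # old password is invalid from this point
        OUTBOX.append((user["email"], f"Your temporary password: {temp}"))
    return GENERIC_REPLY


# Hardened design: short-lived, single-use reset token; the existing password
# keeps working until the holder of the mailbox completes the reset.
TOKEN_TTL_S = 15 * 60            # assumed lifetime
_pending = {}                    # sha256(token) -> (username, expiry)


def request_reset(username: str, now: float = None) -> str:
    now = time.time() if now is None else now
    user = USERS.get(username)
    if user:
        token = secrets.token_urlsafe(32)
        # Store only a hash so a leaked copy of this table yields no usable tokens.
        digest = hashlib.sha256(token.encode()).hexdigest()
        _pending[digest] = (username, now + TOKEN_TTL_S)
        OUTBOX.append((user["email"], f"Reset link token: {token}"))
    return GENERIC_REPLY


def complete_reset(token: str, new_password: str, now: float = None) -> bool:
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = _pending.pop(digest, None)   # pop: a token is usable exactly once
    if entry is None or entry[1] < now:  # unknown, already used, or expired
        return False
    username, _expiry = entry
    USERS[username]["password"] = new_password
    return True


def login(username: str, password: str) -> bool:
    user = USERS.get(username)
    return bool(user) and hmac.compare_digest(user["password"], password)


if __name__ == "__main__":
    print(request_reset("jsmith"))
    print("old password still valid while token pending:", login("jsmith", "OldSecret1"))
    print("sent to", mask_email(OUTBOX[-1][0]))
    print(reset_temporary_password("jsmith"))
    print("old password after temporary-password reset:", login("jsmith", "OldSecret1"))
```

The usage at the bottom shows the difference in one run: after `request_reset` the original password still works, whereas `reset_temporary_password` invalidates it immediately, which is exactly the lockout the page warns about.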

 

Account Change Notification

American Airlines sends a notification of what changed via email, and notifies the old email address if that is what changed.

5/5

 

View Login History and Remote Logout

American Airlines does not have a login history or remote logout feature.

0/5