United Airlines
united.com
Last update: February 2024
Grade
62/100
D-
Grade Breakdown
Username and Password Limitations
United users log in with their MileagePlus number and password. United has the following password requirements:
- 8 to 32 characters
- 1 letter
- 1 number
5/5
Multi-factor Authentication
United's MFA system, which is activated when logging in from an unrecognized device, is infamously silly. Instead of one-time passcodes, they use security questions that have multiple-choice answers. This is a double whammy: not only are security questions substandard practice anyway, but the prefilled options reduce security even more by not allowing the user to set something non-guessable as the answer.

"Forgot Login" Flows
United has flows for both a forgotten username and a forgotten password.
To recover the username, United asks for the user's birthday and email address, and then sends the username to that email address. A different message appears if the information is entered incorrectly, meaning that someone who knows a user's birthday can figure out which email address they are using for their account. However, the email address is not used to log in, making this less of a security issue.

A password reset requires the user's MileagePlus number, full name, and answers to the security questions described above. A password reset link will then be sent to the account's email address.
In summary: an attacker would have to intercept a user's email messages to break into their account using these flows.
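The differing "incorrect information" message described above is an account-enumeration oracle: it confirms or denies a birthday/email pairing without sending anything. The following is an added example (not code from this review and not United's implementation) showing the leaky pattern beside the uniform-response form that removes the oracle. The accounts, mail queue, and function names are constructed for the example.

```python
"""
Added example: a minimal "forgot username" handler in two forms.
leaky_forgot_username returns different messages depending on whether
the birthday/email pair matched; uniform_forgot_username returns one
generic message either way, so the visible response reveals nothing.
All accounts and the mail queue below are constructed sample data.
"""
import hmac
from dataclasses import dataclass


@dataclass
class Account:
    username: str
    email: str
    birthday: str  # ISO date string; constructed sample values


# Constructed sample accounts (not real data).
ACCOUNTS = [
    Account("MP12345678", "alice@example.com", "1985-04-12"),
    Account("MP87654321", "bob@example.com", "1990-11-03"),
]

# Constructed stand-in for an outbound mail queue: (recipient, body).
SENT_MAIL: list[tuple[str, str]] = []

GENERIC_RESPONSE = (
    "If the details you entered match an account, "
    "we have emailed the username to that address."
)


def _find_account(email: str, birthday: str):
    """Scan every record with constant-time comparisons so the work done
    does not depend on whether (or where) a match exists."""
    match = None
    for acct in ACCOUNTS:
        email_ok = hmac.compare_digest(acct.email.lower(), email.lower())
        bday_ok = hmac.compare_digest(acct.birthday, birthday)
        if email_ok and bday_ok:
            match = acct
    return match


def leaky_forgot_username(email: str, birthday: str) -> str:
    """The pattern the review describes: distinct messages reveal whether
    the submitted birthday/email pair belongs to an account."""
    acct = _find_account(email, birthday)
    if acct is None:
        return "We could not find an account with that birthday and email address."
    SENT_MAIL.append((acct.email, f"Your username is {acct.username}"))
    return "Your username has been sent to your email address."


def uniform_forgot_username(email: str, birthday: str) -> str:
    """Hardened form: the same response in both cases. Only the email,
    delivered out of band to the address on file, differs."""
    acct = _find_account(email, birthday)
    if acct is not None:
        SENT_MAIL.append((acct.email, f"Your username is {acct.username}"))
    return GENERIC_RESPONSE


def responses_differ(handler, email: str, birthday_right: str, birthday_wrong: str) -> bool:
    """True if the handler's visible response reveals which birthday is correct,
    i.e. if the handler acts as an enumeration oracle."""
    return handler(email, birthday_right) != handler(email, birthday_wrong)


if __name__ == "__main__":
    print("leaky handler is an oracle:",
          responses_differ(leaky_forgot_username, "alice@example.com", "1985-04-12", "1990-01-01"))
    print("uniform handler is an oracle:",
          responses_differ(uniform_forgot_username, "alice@example.com", "1985-04-12", "1990-01-01"))
```

The uniform handler still needs per-account and per-IP rate limiting on the recovery endpoint, since an attacker who controls the email address could otherwise still distinguish cases by whether a message arrives; the response body itself, however, no longer confirms anything.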
5/5
Account Change Notification
Any account change triggers the same vague email notification:

This notification can also take some time to arrive (up to an hour in testing), which somewhat defeats the purpose if it is actually a security incident.
Minus 1 point for vague messaging. Minus 1 point for delay.
3/5
View Login History and Remote Logout
United does not have a login history or remote logout feature.
0/5