United Airlines

united.com

Last update: June 2025

Grade

76/100

C

Grade Breakdown

Username and Password Limitations

United users log in with their MileagePlus number and password. United has the following password requirements:

  • 8 to 32 characters
  • 1 letter
  • 1 number

5/5

Multi-factor Authentication

United supports MFA via its app, which shows a verification code that changes every 30 seconds like a traditional authenticator app, as well as via email and SMS. Every option is available; there is no way to disable the less secure SMS option. There is also no concept of one-time recovery codes.

3/5

"Forgot Login" Flows

United has flows for both a forgotten username and a forgotten password.

To recover the username, United asks for the user's birthday and email address, and then sends the username via email. A different message appears if the information is entered incorrectly, meaning that someone who knows a user's birthday can figure out which email address they are using for their account. However, the email address is not used to log in, making this less of a security issue.

A password reset requires the user's MileagePlus number, full name, and answers to the security questions described above. A password reset link is then sent to the account's email address.

In summary: an attacker would have to intercept a user's email messages to break into their account using these flows.

5/5

Account Change Notification

Any account change triggers the same vague email notification:

Minus 1 point for vague messaging.

4/5

View Login History and Remote Logout

United does not have a login history or remote logout feature.

0/5