It's entirely their prerogative as to whether or not they provide a decent level of security, and it's entirely up to consumers to choose whether or not to work with them.<p>The vast majority of people do not know what 2fa is, and sure as hell don't care to know, so the only people irked by their misleading messaging are IT professionals, who, again, can fly with someone else.<p>Essentially, there is clearly no incentive for them to improve their security unless it hurts their bottom line - and there's no point from their perspective in investing in something which makes no money.<p>Of course, if they have a major hack there will be some brief PR damage (none of the high profile hacks of major companies seem to have inflicted <i>any</i> reputational damage - instead the public blame the "terrorist hackers" the media parade), and their insurers will cover any direct losses, including those as a result of a class action, which they're probably indemnified against anyway.<p>In short, they have no reason to change, so probably won't. If anything, they'll be upheld as the golden standard, because legislators will buy into their PR, not being in any way technical themselves. Perception is reality.
In all fairness to United, it's probably pretty difficult to implement real 2FA in COBOL.<p>(In passing jest to: <a href="https://news.ycombinator.com/item?id=12246490" rel="nofollow">https://news.ycombinator.com/item?id=12246490</a> )
To be fair, all UA say is:<p>> Your security questions will also be used as part of upcoming two-factor authentication to further protect your account<p>The stupid nature of the 'enum answers' aside, this doesn't necessarily mean they're not implementing 2FA properly. They <i>might</i> have 2F set up as securely as the very best practitioners, then have this security question crap layered on top. We need to know for sure that they think the security question is one of the two factors before tearing them a new one.
The dropdowns are hilarious for non-security reasons, you have to choose your favorite artist... from a list of about 12 artists. I suppose it could be an improvement on the misogynist, homophobic, and Facebook-able "mother's maiden name".<p>I'm almost disappointed that they're not having their phone staff ask for your actual password - I'd love to have the experience of reading my 1Password-generated password to them.
The author seems to use authorization and authentication interchangeably multiple times in the text. They may be right about the point they are making, but it leaves a bad taste.
Security questions as a recovery mechanism are fucking terrible.<p>Most people are going to fill in the same response for their security Q/A over multiple sites, so pretty much any bad actor in any organization could possibly look at the security Q/A, guess that their question/answers are the same on other sites, and exploit that avenue.<p>Also, fuck remembering all of that.<p>But I think HSBC was even worse than what United is asking for. For their online banking you had to enter in your password, then enter in another password using a browser-based keyboard (AVOIDS KEYLOGGING!), and then answer a security question or something like that. I must have asked for a new passcode to reset everything every couple of months (they mail these to you via snail mail).<p>Of course, the problem with the system was (and I forgot exactly how) there was a way sometimes to reset all these systems so you didn't have to remember your answer for each security measure. I was pretty sure it was a bug with the system, but fuck if I want to endure the hell of trying to explain to a website with terrible security that you've found a bug in their terrible system and please don't put me in jail and what do you mean, 'what is a hash function?'
Providing account authentication as a service seems like a no-brainer.<p>Does no company in this space know how to sell to conservative IT organizations like airlines?
Apple also uses security questions like this for Apple ID accounts. I don't like it, but where's the outrage? Is there a way to do this correctly, other than the user asking their own question?
Can we start by shaming Techcrunch.com's mobile layout?<p><a href="https://s4.postimg.org/5er0ol93h/Screenshot_2016_08_14_17_59_56.png" rel="nofollow">https://s4.postimg.org/5er0ol93h/Screenshot_2016_08_14_17_59...</a>