American Airlines Rolling Out Required Multifactor Authentication To Access AAdvantage Accounts

American Airlines is slowly rolling out multi-factor authentication for AAdvantage account login. This started with a small number of customers on June 13, and more customers are being added to this requirement weekly.

American will not tell you in advance that this change affects you. Instead, you’ll be challenged with multi-factor authentication when you log in to your account. Make sure that the e-mail address AAdvantage has for you is current to save yourself hassle. (If your email address is not up to date in your account and you don’t have access to your account, you’ll need to be connected with the Technical Support desk to update it.)

  • This process will use e-mail, not text messaging
  • Which makes sense, since you can’t receive texts inflight
  • And of course American never made good on its September 2017 announcement that they were offering free inflight messaging either.

The code will expire after 15 minutes or 3 unsuccessful attempts to enter it, but there is no limit to the number of times you can request a code.
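The expiry and attempt-limit policy described above, as an added server-side example (not American's code): the 15-minute lifetime and 3-attempt limit follow the post; the 6-digit format, the HMAC storage and the per-account send cap are assumptions, the last one added because the post says AA sets no limit on code requests.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 15 * 60   # code expires after 15 minutes (policy stated in the post)
MAX_ATTEMPTS = 3             # code is burned after 3 wrong guesses (policy stated in the post)
MAX_SENDS_PER_HOUR = 5       # assumption: a per-account send cap the post says AA does not impose


class EmailOtpService:
    """Server-side state for e-mail one-time codes; only an HMAC of each code is stored."""

    def __init__(self, server_key: bytes, clock=time.time):
        self._key = server_key
        self._clock = clock          # injectable so expiry can be tested without sleeping
        self._pending = {}           # account_id -> {"mac", "expires", "attempts"}
        self._sends = {}             # account_id -> timestamps of recent code requests

    def _mac(self, account_id: str, code: str) -> bytes:
        return hmac.new(self._key, f"{account_id}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, account_id: str) -> str:
        """Mint a fresh 6-digit code for the caller to e-mail; replaces any pending code."""
        now = self._clock()
        recent = [t for t in self._sends.get(account_id, []) if now - t < 3600]
        if len(recent) >= MAX_SENDS_PER_HOUR:
            raise RuntimeError("too many code requests for this account; try again later")
        self._sends[account_id] = recent + [now]
        code = f"{secrets.randbelow(1_000_000):06d}"   # CSPRNG, uniform over 000000..999999
        self._pending[account_id] = {"mac": self._mac(account_id, code),
                                     "expires": now + CODE_TTL_SECONDS, "attempts": 0}
        return code

    def verify(self, account_id: str, submitted: str) -> bool:
        """True only for the current, unexpired code; a success or 3 failures discards it."""
        entry = self._pending.get(account_id)
        if entry is None:
            return False
        if self._clock() > entry["expires"]:
            del self._pending[account_id]            # expired: the user must request a new one
            return False
        entry["attempts"] += 1
        ok = hmac.compare_digest(entry["mac"], self._mac(account_id, submitted))
        if ok or entry["attempts"] >= MAX_ATTEMPTS:
            del self._pending[account_id]            # single use, or burned after 3 misses
        return ok
```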

This is an additional barrier to logging into your AAdvantage account, which was already made more cumbersome when American cut off Award Wallet’s access. That makes American’s marketing and communications with customers more difficult. But it is one measure to help prevent account takeovers, where malicious actors drain miles from your account. Eventually the airline usually makes good to members when their miles are stolen, but it’s a big cost to the airline.

About Gary Leff

Gary Leff is one of the foremost experts in the field of miles, points, and frequent business travel - a topic he has covered since 2002. Co-founder of frequent flyer community InsideFlyer.com, emcee of the Freddie Awards, and named one of the "World's Top Travel Experts" by Condé Nast Traveler (2010-Present), Gary has been a guest on most major news media, profiled in several top print publications, and published broadly on the topic of consumer loyalty.



Comments

  1. I’m surprised this hasn’t happened sooner. Hopefully they will allow device profiles to be saved so the prompt doesn’t happen on each login attempt. It would also be nice to see ‘Authenticator’ options which are much more secure than e-mail/SMS 2FA.

  2. “Which makes sense, since you can’t receive texts inflight”

    You also can’t receive email inflight, not unless you shell out $10+ for a wifi pass or subscription.

  3. AF has rolled this out, but it has been glitchy – the prompts do not always go out immediately. Could be an issue if you are in a hurry.

  4. I’m all for this. Working in IT, people are the biggest threat to their own data and accounts. Though maybe they allow an opt out in exchange for zero liability for dictionary attacks or weak passwords.

  5. This is fine for me (maybe even preferred) but I’m the designated “travel agent” for my wife, kids (in early 20’s, not at home), parents, in-laws, etc. and this will be a royal pain to deal with.

  6. I don’t hate this, I have added MFA to a number of my personal accounts, especially those with credit cards attached. I think this should be done by all companies, as hackers and fraud continues to rise.

  7. Since I lost my AA number earlier this year due to an account takeover, I very much welcome this move. I was up at 5am for a flight and got an email that my account info had changed, so was able to get in and retake my account by using my security questions before it got drained. AA security was helpful to remedy the process, but losing my number of 31 years was an unexpectedly severe blow from a nostalgic point of view.

  8. This is a bummer for in-flight where I often use the app but don’t want to pay for in-flight wifi. It’s too bad they don’t support 2fac apps like Google Auth that don’t require an internet connection.

  9. I’m reasonably convinced there was a data breach that hasn’t been disclosed. Ben obviously wrote about his experience having this Advantage account locked proactively by AA and a new Advantage number assigned. The same thing happened to me. It was clear someone changed my email by one character along with changing the password. Since I use a non-browser password manager (and not lastpass), it’s unlikely it was my side that was compromised.

    Also, far and away better than what UA implemented, since it’s not MFA and they know it.

  10. If American were serious about TFA, they’d implement it using a hardware token such as a Yubikey.

    Hardware tokens work anywhere in the world, require no power source, don’t rely on a cellphone (major theft target in developing countries and common fail point) or easily compromised systems such as e-mail or messaging, are effectively indestructible, and most people don’t even know what they are so not a theft target.

    Of course, American saying it’s implementing TFA looks great to the uninformed and to the unsophisticated, so let’s run with it.

  11. So how are you going to use an iPad to watch their in-flight entertainment? Have to pay for Wi-Fi?

  12. Yeah, another OW airline, QR, does this. I think that it’s too much. Anyway, that’s the trending security measure.

  13. @ Gary — I think that if you access the in-flight wi-fi using T-Mobile complimentary access that you do receive text messages in-flight. Someone please correct me if I am wrong.

  14. @Jeff Winter – You don’t need to have an AA account to watch in flight entertainment.

    @Gene – You get data access, which includes iMessage and WhatsApp, but not pure text messages (SMS).

    IMO this isn’t a big deal if it actually remembers your browser. However, if you have to do this every . . . single . . . time . . . it could get annoying.

  15. 2FA is great, but as others have mentioned, they need to support authenticator apps and/or security keys like Yubikey, both of which work offline.

    I recently upgraded to 2FA on all my “Tier 1” accounts (all financial accounts and Gmail/Google Voice, which I use as my 2FA SMS phone number for the lame companies that consider SMS a “secure” second factor).

  16. This seems like it will be an issue when trying to log in while on a flight but I’m sure it will work out. Unfortunately, MFA is a minimum requirement with cybercrime these days. I’m a little worried that AA’s IT can handle it when they can’t seem to handle simple online tasks.

  17. I am able to send/receive SMS inflight when all I’ve done is connect to the WiFi because I use Google Voice. It doesn’t push notifications but I can get simple texts to go through and be received without paying for WiFi or logging in via T-Mobile.

  18. Does that mean you can now have an AA.com login without a AA FF#? That was sadly not the case last time I tried.

  19. The major advantage of MFA is another method of making your customers do your work instead of investing in secure systems.

  20. @Young Jack – “The major advantage of MFA is another method of making your customers do your work instead of investing in secure systems.”

    What is a better alternative than MFA/2FA when users want to use and reuse the shortest, most easy to remember password…and then increment by N if forced to change it? 20 character passphrases? Specific IP address access?

    Skeptical…but curious.

  21. @Jack the Lad:

    No, that’s not correct. It’s possible to build an ultra secure system without relying on TFA, but most end-users won’t put up with the discipline of using it because they’re lazy and really don’t care about their computing security.

    When using technology, it’s foolish to rely solely on a service provider for the security of one’s valuable digital assets, whether it be one’s AA account or, for example, one’s cryptocurrency holdings. Very few crypto holders bother with an off-line wallet, such as a Trezor, to hold their crypto and instead rely solely on an on-line exchange to secure them, with predictable results.

    Implementing TFA using a hardware token makes an online account pretty much beyond being compromised because access to the account requires something one knows (login credentials) with something one has, in this case, an OTP (One-Time PIN) generated by a hardware token physically under the control of the user.

    If most users gave a damn about their computing security and gave hardware tokens a try, they’d find out that it’s very easy and requires no more than a couple of seconds each time they logged into a service or a device.

    Companies like AA really aren’t doing anyone a favor by doing it the lazy way by implementing TFA using non-secure methods like e-mail or SMS (text messaging) and, inevitably, compromised accounts will still follow.

  22. @mdtravel:

    Specific IP address is an excellent way to build a very secure system but it’s very cumbersome for the service provider because they must associate a specific IP address with each user account, which is problematic for most users because their IP address is constantly changing (most users have a dynamic IP address for home service and would never spring for a static address), especially when travelling.

    Longer passwords or passphrases, no matter how long or complex, won’t solve the problem because it’s something one knows and most end-users inevitably re-use them even though most probably know that they shouldn’t and it’s next to impossible to get most end-users to use a good password manager (I know because I’ve spent a lot of time explaining them to end-users for their personal use).

    As long as logins rely solely on something one knows (password or passphrase), which essentially puts one’s computer security solely in the hands of the service provider, there’s always a good chance of compromise because anything a user knows can be known by someone else each time a user is forced to disclose it (such as a login).

    Using a security method that also requires something one has, such as an OTP (One-Time PIN) generated by a hardware token in a user’s physical possession, pretty much eliminates a compromise due to login credentials because only one person can possess the token at a time.

  23. This will be a PITA for me since my spouse does not make the reservations, check on them, check in, pick seats, nothing. I had to force him to install the app on his cell. I have to sign him up for TSA, and make the renewal.

    This will only work if there is an administrator who gets all the codes also. Like the super parent who also gets notices for all the Brady Family kids etc.

    THIS HAS TO WORK WHEN IN THE AIR ALSO.

  24. Ridiculous! This is not top secret FBI information. They do the same thing to their employees. Make you have about 10 different passwords and make the password requirements burdensome and force you to change them often.

  25. Well….. this is brilliant. I stopped using AA years ago due to a series of unfortunate and unresolved screw-ups. Anyway, AA moved from top of the list, to the very bottom. They are now an airline of last resort.

    Well, they have one of the few direct flights that I want and so I tried to log on today. The 2FA code was sent to an email account for a domain I retired long ago, and so have no access because it no longer exists…. Of course, there is not another way to contact me with 2FA (text or voice), so I suppose I will just add this to the list of unfortunate and unresolved screw-ups and use another airline.

  26. @Mick,

    It sounds as if you’re blaming AA for your screw-up.

    You could always contact AA technical support for help in resolving the problem OR if the domain name is still available, buy the domain name for a couple of bucks and set up the e-mail address; not a lot of work and won’t take long.

    A few pro tips:

    ALWAYS use an e-mail address at a top-shelf free e-mail provider like GMail for e-mail OTPs; one way to do it so you have redundancy is to set up an e-mail account only for TFA codes and create a rule to forward any e-mail received from AA to your main e-mail address – then your TFAs will exist in two places and it’s very unlikely you’d lose access to both e-mail accounts, especially if they’re GMail accounts. GMail isn’t going anywhere and nobody does basic e-mail better than Google.

    Of course, don’t be stingy with your time or lazy and spend a few minutes to take advantage of the very sophisticated and very robust account recovery options that GMail provides.

    For SMS TFA, use a tool like Tasker to create a task to forward the OTPs to your TFA GMail account and create a rule so that those OTPs are forwarded to your main e-mail address; then you’ll have the more problematic SMS OTPs existing in three places.

  27. No, this is complete garbage, since it’s mandatory on every login, even from the same device.

    At least they could have provided a clickable link in the e-mail so I wouldn’t need to manually type the code.

  28. I am eating crow: I hadn’t checked the “Remember me” box to avoid the repeated passcode entries from the same device. Sorry AA.com.
