For the past 9 years, logging into an American AAdvantage account has required entering an account number, password, and last name. In the past few days, American dropped the requirement to type your last name in order to access your AAdvantage account.
American Airlines tells me,
We recently updated our backend login security platform. Our enhanced security platform no longer requires a customer’s last name to be entered during authentication, which was previously used to distinguish between loyalty members of American Airlines and US Airways. This change has been reflected when customers log in on aa.com, and will soon be reflected in our mobile app.
When the US Airways Dividend Miles program was folded into American AAdvantage, about 10 million people were members of both programs, and 1 million account numbers were identical between the two programs. Two different members could therefore have the same account number (one in Dividend Miles, one in AAdvantage) and the same password, and a US Airways member logging in with their old US Airways account number could wind up in someone else's account.
To make sure nobody logged into the wrong account in error with just an account number and password, American added a last-name check.
- Before US Airways was taken over by America West, it used Sabre, and its Dividend Miles frequent flyer account numbers were 7 alphanumeric characters, just like American's.
- After the takeover, America West's SHARES system put zeros in front of those old account numbers.
- So legacy US Airways accounts, which were over a decade old when they were merged into AAdvantage, in some cases conflicted with American accounts. Anyone who signed up for Dividend Miles after Team Tempe took over and converted to SHARES wouldn't have had an issue.
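To make the collision concrete, here is an added illustration of the login logic the last-name check was solving (it is not American's or US Airways' code). It assumes a merged loyalty directory where each record carries its program of origin, that legacy Dividend Miles numbers are stored with the zero padding SHARES added, and the member records, numbers and passwords are constructed for the example. The point it shows: once two records resolve to the same number and the same password, the last name is the only field that tells them apart, so a login without it has to be refused rather than guessed.

```python
"""Login resolver for the account-number collision described above.

Added illustration, not American's or US Airways' code. Assumes a merged
loyalty directory in which each record carries its program of origin, and
that legacy Dividend Miles numbers are stored with the zero padding SHARES
added; the member records and passwords below are constructed for the example.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import List, Optional, Tuple

PBKDF2_ITERATIONS = 100_000


@dataclass(frozen=True)
class Member:
    program: str        # "AAdvantage" or "DividendMiles" (assumed tag)
    number: str         # stored form; legacy numbers carry SHARES zero padding
    last_name: str
    salt: bytes
    pw_hash: bytes


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def make_member(program: str, number: str, last_name: str, password: str) -> Member:
    salt, digest = hash_password(password)
    return Member(program, number, last_name, salt, digest)


def canonical(number: str) -> str:
    """Strip the zero padding SHARES prepended, so a legacy 7-character
    Dividend Miles number compares equal to its AAdvantage look-alike."""
    return number.strip().upper().lstrip("0")


def resolve_login(directory: List[Member], number: str, password: str,
                  last_name: Optional[str] = None) -> Tuple[str, Optional[Member]]:
    """Return ("ok", member), ("ambiguous", None) or ("no_match", None).

    Two records can share a canonical number (one per legacy program). When
    the passwords also match, the last name is the only field that separates
    them, so without it the login is refused rather than guessed.
    """
    candidates = [m for m in directory if canonical(m.number) == canonical(number)]
    if last_name is not None:
        wanted = last_name.strip().casefold()
        candidates = [m for m in candidates if m.last_name.casefold() == wanted]
    matches = []
    for m in candidates:
        _, digest = hash_password(password, m.salt)
        if hmac.compare_digest(digest, m.pw_hash):
            matches.append(m)
    if len(matches) == 1:
        return "ok", matches[0]
    if len(matches) > 1:
        return "ambiguous", None
    return "no_match", None


# Constructed directory: a legacy Dividend Miles number that SHARES padded to
# "000AB12345" collides with AAdvantage number "AB12345", and (the worst case
# the post describes) both members happen to use the same password.
DIRECTORY = [
    make_member("DividendMiles", "000AB12345", "Smith", "hunter2"),
    make_member("AAdvantage", "AB12345", "Jones", "hunter2"),
    make_member("AAdvantage", "CD67890", "Lee", "correct horse"),
]

if __name__ == "__main__":
    print(resolve_login(DIRECTORY, "AB12345", "hunter2"))           # ('ambiguous', None)
    print(resolve_login(DIRECTORY, "AB12345", "hunter2", "Smith"))  # the legacy member
```

Dropping the last-name field is only safe once the `ambiguous` branch can no longer be reached, which is the question the rest of this post and its comments circle around.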
I covered this when the last name requirement was implemented nine years ago! Everything goes full circle.
Another interesting tidbit about AAdvantage account security: last summer the airline began gradually rolling out a two-factor authentication requirement at login. The second factor is delivered by e-mail rather than text message (you can't receive a true SMS inflight). The code expires after 15 minutes or 3 unsuccessful attempts to enter it, but there is no limit to the number of times you can request a new code, so the attempt cap only bounds guessing against a single code, and nothing bounds how many codes an account can be made to send.
I understand that this did not become a universal requirement (I've only been asked to use it once), but it's still something they use in some cases.
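Here is an added example (not American's code) of an e-mail one-time-code flow with the behaviour described above: a 15-minute lifetime and a 3-wrong-entry limit, both figures from the post. The cap on code requests per hour is an assumption, included to show the control the post says aa.com lacks, and the clock is injected so expiry and the request window can be exercised deterministically. The `wrong_entries_allowed` helper shows why the request cap matters: the per-code attempt limit resets with every fresh code, so with unlimited requests the number of wrong entries an attacker can make is unbounded.

```python
"""E-mail one-time-code flow modelled on the behaviour described above.

Added example, not American's code. The 15-minute lifetime and 3-wrong-entry
limit are the figures the post gives; the cap on code requests per hour is an
assumption, included to show the control the post says aa.com lacks. The clock
is injected so expiry and the request window can be exercised deterministically.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

CODE_TTL_SECONDS = 15 * 60
MAX_ATTEMPTS = 3                  # wrong entries before the code is retired
MAX_REQUESTS_PER_WINDOW = 5       # assumed value, not a published aa.com setting
REQUEST_WINDOW_SECONDS = 60 * 60


@dataclass
class PendingCode:
    code: str
    issued_at: float
    failed_attempts: int = 0


@dataclass
class AccountState:
    pending: Optional[PendingCode] = None
    request_times: List[float] = field(default_factory=list)


class EmailOtp:
    def __init__(self, now: Callable[[], float], enforce_request_limit: bool = True):
        self.now = now
        self.enforce_request_limit = enforce_request_limit
        self.state: Dict[str, AccountState] = {}

    def request_code(self, account: str) -> Optional[str]:
        """Issue a fresh code (replacing any pending one), or None when the
        account has exhausted its request budget for the window."""
        st = self.state.setdefault(account, AccountState())
        t = self.now()
        st.request_times = [r for r in st.request_times if t - r < REQUEST_WINDOW_SECONDS]
        if self.enforce_request_limit and len(st.request_times) >= MAX_REQUESTS_PER_WINDOW:
            return None
        st.request_times.append(t)
        code = f"{secrets.randbelow(10 ** 6):06d}"
        st.pending = PendingCode(code=code, issued_at=t)
        return code   # in production this value goes only to the mail sender

    def verify(self, account: str, submitted: str) -> str:
        """Return "ok", "wrong", "locked", "expired" or "no_code"."""
        st = self.state.get(account)
        if st is None or st.pending is None:
            return "no_code"
        p = st.pending
        if self.now() - p.issued_at > CODE_TTL_SECONDS:
            st.pending = None
            return "expired"
        if hmac.compare_digest(p.code, submitted):
            st.pending = None          # single use
            return "ok"
        p.failed_attempts += 1
        if p.failed_attempts >= MAX_ATTEMPTS:
            st.pending = None          # three misses retire the code
            return "locked"
        return "wrong"


def wrong_entries_allowed(otp: EmailOtp, account: str, code_requests: int) -> int:
    """Count how many wrong entries an attacker who keeps requesting new codes
    gets to make. The per-code attempt cap resets with every fresh code, so
    only the request cap bounds this number."""
    total = 0
    for _ in range(code_requests):
        if otp.request_code(account) is None:
            break                       # request budget exhausted
        while True:
            total += 1
            # a 10-character string can never equal a 6-digit code
            if otp.verify(account, "not-a-code") != "wrong":
                break
    return total


if __name__ == "__main__":
    clock = [0.0]
    unlimited = EmailOtp(now=lambda: clock[0], enforce_request_limit=False)
    limited = EmailOtp(now=lambda: clock[0])
    print(wrong_entries_allowed(unlimited, "member", 20))   # 60
    print(wrong_entries_allowed(limited, "member", 20))     # 15
```

A six-digit code still has enough entropy that three guesses per code is a poor bet, but a request cap is what turns the attempt limit into a real bound and also stops an account holder's inbox from being flooded on demand.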
I do have one ask for the AA.com UI team, though: would it be too much to ask to put the ability to log in onto the home page, instead of having to click to another page to enter account number and password? They used to do it that way and it was so much easier.
So, what changed to allow them to implement this change? Presumably the worry about identical AA and USAir numbers hasn’t gone away…
If AA IT stumbles on this comment, can you please add arrows to switch origin and destination when searching for flights on the website? The AA app and pretty much every other travel app in the world has it, however, the AA website does not. Thank you.
This was not the reason they implemented it, but it did make security marginally better. Everything else in the world has generally required only a username/password combo. Recently, many companies have been layering on MFA (whether email, SMS, one-time tokens, etc.).
Just having that slightly different login page (username/password/last name) + extra bit of knowledge (which last name is associated with which username) has probably stopped a large number of attacks on AA accounts. Without that protection, I now expect a large number of *successful* attacks on AA accounts, and for AA to blame customers for having a unique, 30-character password that was randomly generated and used only on AA.com.
We’ll see how well this works out, but AA IT does not strike me as generally getting the implementation 100% on the first try in past projects (though they actually are notably better than many of their competitors!). Would love to be wrong on this one and have their new MFA program be much safer than single-factor auth!
So the explanation of the two mileage programs and that as the rationale for last name entry makes sense, and I know airline mergers take forever, but NINE years later??!!
Also, why don’t they get with the times (like decades) of using a username instead of a mileage plan number? Especially for AA (who everyone knows is the worst legacy carrier), whose plan “numbers” include random letters in the middle, making recall challenging.
How about doing Face ID? Would make it much easier to log in.
Full circle, eh? Now do IFE!
Could Hyatt get with the program too
All great comments so far! I didn’t quite understand Gary’s explanation, but I had noticed the lack of the name box. I second the log in on home screen request.
Also, compliment AA for slow removal of Flagship First, as I fly next month DCA-JFK-LAX-SYD with meals in Chelsea and the Qantas First lounge, with a transcontinental nap in between. Swivel seat to Down Under, all for 75,000 AA miles. Sweet, AA.
“So, what changed to allow them to implement this change?”
My guess: more complex password requirements and forced password changes over time have made it pretty much impossible at this point that two accounts share the same password.
Thank you, Gary, for clarifying this. I also appreciate all your updates on FA strike negotiations. I have randomly spoken to FAs about it, and they are serious. I pray that something can be worked out with management. I am not making AA reservations for late July to mid-August, just in case.
USAirways/America West combination was a merger not a takeover.
Now, if Delta would do the same. (the initial login doesn’t ask for last name until you enter your userid, and then it expands to show the “last name” field that’s required).
@Steve Letwin – they do not have more complex password requirements and they have not forced password changes either. It does seem exceedingly unlikely that 9 years on someone is going to use their own US Airways frequent flyer number that hasn’t worked in so long?
I agree 100% with what @jamesb2147 said here. The addition of a third piece of PII in the login actually made it less likely to be compromised, and it was something I appreciated with the AA login (apart from it not being readily available from the homepage). It would seem to me that 2FA or MFA options must be implemented now as a matter of BMPs rather than not.
@Gary Leff – you’re right, those are not their current IT security practices, and I hate forced password changes, so that’s why I say 2FA/MFA and biometric logins across the board – app, website, etc. Email is notoriously unreliable in terms of timing of delivery because of the infinite variation of the different providers and server configurations. An authenticator/token and biometrics in a Secure Enclave setting would be nice to have.