United Airlines’ so-called online security (2016)
(Even if you use SMS, which you probably shouldn’t, because SS7 flaws, etc.) Two-factor authentication is not “enter your password, then answer stupid arbitrarily / externally chosen security questions.”
So, just to summarize, United has:
Compromised its users’ security by adopting a terminally stupid threat model (keystroke loggers), and …
in response to that threat model, implemented infuriatingly counterintuitive, hard-to-use security questions, rather than…
something which actually would address that threat; two-factor authentication! Instead they…
…doubled down on their stupid security questions and called that two-factor authentication.
Source: techcrunch.com