Delta Air Lines operates their main website at https://www.delta.com. To the best of my recollection, for a long time the only way to login to delta.com (and before that, delta-air.com) was using a SkyMiles number and its corresponding 4-digit PIN (so you used SkyMiles number + 4-digit PIN). At a certain point, this changed such that the corresponding last name was also required (so you used SkyMiles number + 4-digit PIN + last name); presumably the reason for the change is that it was determined SkyMiles number + 4-digit PIN is too easy to crack using brute force methods and so it made sense in that situation to require providing also another piece of identification information. So that's all good.
But now using a 4-digit PIN to login has been eliminated completely; a password now must always be used when logging in. In addition, email address and user name have been added as alternatives to SkyMiles number for use when logging in. But what's strange is that while last name is not required when logging in with SkyMiles, last name is required when logging in using the 2 alternatives to SkyMiles number (so you can use SkyMiles number + password or you can use user name + password + last name or you can use email address + password + last name). I don't understand this: this implies that there is less security when using a user name or email address than there is when using a SkyMiles number and I feel that if anything, the opposite is true since a valid SkyMiles number is by definition easier to guess given that there are only 10,000,000,000 possible valid SkyMiles numbers whereas there are an infinite number of possible valid user names and email addresses. Of course, a legitimate concern is that an attacker wouldn't be guessing but rather would be using information he/she knew: an attacker may acquire information from another source (website, database, etc.) and that information may work as credential information on delta.com (users commonly reuse passwords on multiple websites). It seems that Delta can envision a situation where an attacker could gain access to user name/email address + password and not gain access to last name yet Delta cannot envision a situation where an attacker could gain access to SkyMiles number + password and not gain access to last name (if they could envision this latter scenario, they would surely require last name as a means of thwarting attackers, just as they do as a means of thwarting attackers in the former scenario). I suspect they are correct that the former scenario is more likely but the latter scenario is at least possible and since they're already asking for last name with a user name/email address and since SkyMiles number is by definition easier to guess than user name/email address, I just don't understand why, if they're ever going to ask for last name, they don't consistently ask for it. I'm loathe to call it arbitrary but it's certainly at the very least difficult logic to follow.