Methodology
(Version 1.3, February 2024)
The grading scale is based on the scenario of a determined person targeting a specific user and trying to break into one of their online accounts. They know at least some of the user's personal information (e.g. social security number, email address, phone number), either firsthand or by theft. They are not an expert hacker, but have some knowledge of common tools like a password cracker.
Username and Password Limitations: 30%
Can the user create a custom username (harder to learn about/guess), or does it have to be their email address or phone number? Are there arbitrary requirements that force the password to be weaker or make it difficult to generate?
Multi-factor Authentication (MFA): 30%
Is additional verification needed to log in besides a password? Does the service support strong or weak second factors? Rule of thumb: authenticator app > email > SMS > security questions (hardware keys are even better, but probably overkill for most applications). Is it possible to generate one-time recovery codes in case the user loses the device they use for MFA?
"Forgot Login" Flows: 20%
How easy is it for an attacker to learn information about a user's account, or gain access to it, by following the "forgot username/password" flows? Do the same messages appear whether or not the contact information entered is correct? If so, the flow can't be used to "look up" whether a certain piece of contact information is associated with an account.
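To show what the "same messages" check in this criterion looks like in practice, here is an added example (hypothetical code, not from any service graded with this scale) of a "forgot password" handler in a leaky form beside the enumeration-safe form, with the comparison a grader would apply. The account store and function names are constructed for the example.

```python
# Added example: the "forgot password" flow graded under the Forgot Login
# criterion. Hypothetical code; the account store below is constructed.
import hashlib
import secrets

# Constructed sample account store keyed by email (no real users).
ACCOUNTS = {"alice@example.com": {"reset_token_hashes": []}}


def _issue_reset_token(email: str) -> None:
    # Store only a hash of the token; the raw token goes out by email.
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    ACCOUNTS[email]["reset_token_hashes"].append(digest)
    # send_reset_email(email, token)  # hypothetical mailer, omitted to run offline


def leaky_forgot_password(email: str) -> dict:
    """Form that scores poorly: the response reveals whether the address is registered."""
    if email in ACCOUNTS:
        _issue_reset_token(email)
        return {"status": 200, "message": "Reset link sent to your inbox."}
    return {"status": 404, "message": "No account found for that email."}


def safe_forgot_password(email: str) -> dict:
    """Form the rubric rewards: identical status and message for known and
    unknown addresses. A token is still only issued when the account exists,
    so the mail should be sent asynchronously so response timing does not
    differ between the two cases either."""
    if email in ACCOUNTS:
        _issue_reset_token(email)
    return {
        "status": 200,
        "message": "If an account exists for that address, a reset link has been sent.",
    }


def reveals_account_existence(handler, known: str, unknown: str) -> bool:
    """The grader's check: submit one registered and one unregistered address
    and compare the visible responses. True means the flow works as a lookup."""
    return handler(known) != handler(unknown)
```

The same comparison applies to the "forgot username" flow and to any error shown at the login form itself.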
Account Change Notification: 10%
Is the user notified when their password or another piece of login information is changed? Does the notification go to their old/original contact information, or only to the new contact information? Is it immediate, or is there a delay?
View Login History and Remote Logout: 10%
Is the user able to see a list of current and past login sessions? Are they able to remotely log out of a session?
Passkeys (Extra Credit): +5 points
The passkey is a promising new authentication method that aims to replace the password. Passkeys are both more secure and more convenient than passwords for a number of reasons, and it is exciting to see popular services adopting and promoting them. However, as of the time of writing (May 2024), overall passkey adoption has been rocky. The main issue is that the different "big players" who make most of our devices and cloud storage have implemented passkeys in different ways, making it inconvenient for users to use them across different services and brands of devices. In addition, virtually every service that provides passkeys still requires the "old-fashioned" password method, and will probably continue to do so for the foreseeable future.
For Login Score grading, passkeys are seen as a bonus feature that companies should be commended for adding. However, since they are not in the mainstream yet and passwords are not going away any time soon, companies should not be criticized for not having them yet. Therefore, until further notice, passkeys will not be part of the base grading system, but services that have implemented them get 5 points of extra credit.