Past Methodology Versions


Version 1.2 (February 2024)

Password Requirements and Limitations: 30%

Is a strong password required (minimum of 8 characters, and a mix of upper/lower-case letters and numbers)? Is there a length limit that forces the password to be weaker? Are there arbitrary requirements that make generating a password difficult (e.g. requires a special character, but only certain ones are allowed)?

Multi-factor Authentication (MFA): 30%

Is additional verification needed to log in besides a password? Does this support strong or weak standards? Rule of thumb: authenticator app > email > SMS > security questions (hardware keys are even better, but probably overkill for most applications). Is the user able to generate emergency one-time backup codes?

"Forgot Login" Flows: 20%

How easy is it for an attacker to learn information about or gain access to a user's account by following the "forgot username/password" flows? Do the same messages appear whether or not an account exists, meaning this flow can't be used to "look up" if a user has an account with a certain piece of contact information?
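As an added illustration of the "same messages whether or not an account exists" check above (example code written for this page, not part of the methodology or of any rated service; the account store, the in-memory outbox and the handler names are constructed), here is a leaky "forgot password" handler beside a uniform one, plus the comparison an assessor would run:

```python
import secrets

# Constructed sample account store and an in-memory "outbox" standing in for
# the email delivery channel (hypothetical; a real service would send mail).
USERS = {"alice@example.com"}
OUTBOX = []


def _issue_reset(email):
    # The reset token only ever travels out of band, never in the HTTP response.
    token = secrets.token_urlsafe(32)
    OUTBOX.append((email, token))


def forgot_password_leaky(email):
    """Fails the rubric: the response reveals whether the address is registered."""
    if email not in USERS:
        return (404, "No account found for that address.")
    _issue_reset(email)
    return (200, "A reset link has been sent to your address.")


def forgot_password_uniform(email):
    """Passes the rubric: identical status and message for known and unknown
    addresses; only the side effect (the email) differs, and the caller never
    observes it."""
    if email in USERS:
        _issue_reset(email)
    return (200, "If an account exists for that address, a reset link has been sent.")


def leaks_account_existence(handler, known_email, unknown_email):
    """Assessment check: does the handler's visible response distinguish a
    registered address from an unregistered one?"""
    return handler(known_email) != handler(unknown_email)


if __name__ == "__main__":
    for h in (forgot_password_leaky, forgot_password_uniform):
        result = leaks_account_existence(h, "alice@example.com", "nobody@example.com")
        print(h.__name__, "leaks account existence:", result)
```

The same comparison applies to the "forgot username" flow: whatever the user submits, the visible response should not change with whether a matching account exists.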

Account Change Notification: 10%

Is the user notified when their password or other piece of login information is changed? Does their old/original contact information get notified, or only the new contact information? Is this immediate or is there a delay?

View Login History and Remote Logout: 10%

Is the user able to see a list of current and past login sessions? Are they able to remotely log out of a session?

Version 1.1 (January 2024)

Password Requirements and Limitations: 30%

Is a strong password not only allowed, but required? Are there arbitrary limitations that force the password to be weak?

Multi-factor Authentication (MFA): 30%

Is additional verification needed to log in besides a password? Does this use strong standards (e.g. authenticator app, hardware key) or weak (e.g. security questions)?

"Forgot Login" Flows: 20%

How easy is it for an attacker to gain access to a user's account if they follow the "forgot username"/"forgot password" flows?

Account Change Protection: 10%

The worst happens and the attacker has gained access to a user's account. How easy is it for them to change the login information to something else and lock the original user out of the account?

Account Change Notification: 10%

If one or more pieces of login info for the account are changed, is a notification sent to the user? Does their old/original contact info get notified, or only the new contact info?

Version 1.0 (January 2024)

Password Requirements and Limitations: 35%

Is a strong password not only allowed, but required? Are there arbitrary limitations that force the password to be weak?

Multi-factor Authentication (MFA): 35%

Is additional verification needed to log in besides a password? Does this use strong standards (e.g. authenticator app, hardware key) or weak (e.g. security questions)?

Account Recovery: 15%

The worst happens and the attacker has gained access to a user's account. How easy is it for them to change the login information to something else and lock the original user out of the account?

Account Takeover: 15%

The worst happens and a bad guy has logged into a user's account. How easy is it for them to change the login information to something else and lock the original user out of the account?