Apple ID
appleid.apple.com
Last update: February 2024
Grade
95/100
A
Grade Breakdown
Username and Password Limitations
The Apple ID username must be an email address or phone number the user controls; there is no separate custom username. Apple enforces the following password requirements:
- 8 or more characters
- 1 upper-case letter
- 1 lower-case letter
- 1 number
Minus 1 point for no custom username.
4/5
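The four composition rules above are easy to encode, and encoding them makes the weakness of composition-only policies visible: a password such as "Password1" satisfies every rule. The checker below is an added example written for this page, not Apple's own validation code; the sample passwords and the small deny-list are constructed here, and the deny-list is a hypothetical addition that the rules listed above do not include.

```python
import re

# Apple's stated minimum password rules, as listed on this page.
MIN_LENGTH = 8
RULES = [
    # (description, predicate that returns True when the rule is satisfied)
    ("at least 8 characters", lambda p: len(p) >= MIN_LENGTH),
    ("1 upper-case letter", lambda p: re.search(r"[A-Z]", p) is not None),
    ("1 lower-case letter", lambda p: re.search(r"[a-z]", p) is not None),
    ("1 number", lambda p: re.search(r"[0-9]", p) is not None),
]

# Constructed deny-list (assumption for this example; not part of the
# rules on the page). Real deployments use a breach corpus instead.
COMMON_PASSWORDS = {"password1", "welcome1", "qwerty123"}


def check_apple_id_password(password: str) -> list[str]:
    """Return the descriptions of the rules the password fails (empty == accepted)."""
    return [desc for desc, ok in RULES if not ok(password)]


def check_with_denylist(password: str) -> list[str]:
    """Same composition check, plus a case-insensitive deny-list lookup.

    Demonstrates why composition rules alone are weak: a predictable
    password can pass all four rules and still be rejected here.
    """
    failures = check_apple_id_password(password)
    if password.lower() in COMMON_PASSWORDS:
        failures.append("commonly used password")
    return failures


# Constructed sample inputs for illustration.
SAMPLES = [
    "Password1",                       # passes all four rules, yet trivially guessable
    "correct horse battery staple",    # long, but fails the composition rules
    "Ab1",                             # too short
    "7Kx#q!Lm2vR9",                    # strong and compliant
]


def accepted(samples: list[str]) -> list[str]:
    """Return the samples that pass the composition rules only."""
    return [p for p in samples if not check_apple_id_password(p)]


if __name__ == "__main__":
    for p in SAMPLES:
        print(f"{p!r:35} composition={check_apple_id_password(p)} "
              f"with_denylist={check_with_denylist(p)}")
```

Run it and note that the long passphrase is rejected while "Password1" is accepted by the composition rules; only the deny-list lookup catches the latter.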
Multi-factor Authentication
Apple builds its own two-factor authentication into its devices. When someone signs in from a new device or browser, a prompt showing the approximate sign-in location is pushed to all of the account's "trusted" devices; the user must tap "Allow" and then enter the six-digit verification code displayed on that trusted device. Apple also supports FIDO2 hardware security keys as a second factor, and passkeys synced through iCloud Keychain.

5/5
"Forgot Login" Flows
Apple offers only one "forgot login" flow, a password reset, which it documents here:
If you forgot your Apple ID password - Apple Support
If the user selects "Don't have access to any of your Apple devices?", the flow falls back to options that are hard for anyone other than the account owner to complete: verification via a trusted phone number, a recovery contact or recovery key, and otherwise an account-recovery waiting period during which the trusted contact points are notified.

In short, abusing this flow is very difficult without physical access to one of the user's trusted devices; the main residual risk is an attacker who has taken over the trusted phone number (for example through a SIM swap) and is willing to wait out the recovery period.
5/5
Account Change Notification
Apple sends an email to the account's address when the password is changed or when a new email address is added to the account.

5/5
View Login History and Remote Logout
Apple does not expose a per-session login history or per-session remote sign-out, but it does list the devices signed in to the account, lets the user remove any of them (which signs that device out of the account), and sends an email notification when a new device signs in.
3/5
Passkeys (Extra Credit)
+5