Bank of America
bankofamerica.com
Last update: February 2024
Grade: 83/100 (B)
Grade Breakdown
Username and Password Limitations
Bank of America users log in with a custom username and password. Bank of America has the following password requirements:
- 8 to 20 characters
- 1 upper-case letter
- 1 lower-case letter
- 1 number
- Must not repeat the same number or letter more than 3 times in a row
- Only certain special characters are allowed: @ # * ( ) + = { } / ? ~ ; , . -
Minus 0.5 points for minor password limitations (max length 20, special character requirements).
4.5/5
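The requirements above encoded as a policy checker, added here as an illustration (not code from the page or from Bank of America). It assumes "more than 3 times in a row" means a run of 4 or more identical letters or digits, and that any character outside letters, digits and the listed specials is rejected; the sample passwords are constructed.

```python
import re

# Special characters listed on the page; anything else that is not an ASCII
# letter or digit is treated as rejected (assumption about the policy).
ALLOWED_SPECIALS = set("@#*()+={}/?~;,.-")
MIN_LEN, MAX_LEN = 8, 20
MAX_RUN = 3  # same letter or digit at most 3 times consecutively (assumed reading)


def check_password(pw: str) -> list[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN}-{MAX_LEN} characters (got {len(pw)})")
    if not any(c.isupper() for c in pw):
        problems.append("needs at least one upper-case letter")
    if not any(c.islower() for c in pw):
        problems.append("needs at least one lower-case letter")
    if not any(c.isdigit() for c in pw):
        problems.append("needs at least one number")
    bad = sorted({c for c in pw
                  if not (c.isascii() and c.isalnum()) and c not in ALLOWED_SPECIALS})
    if bad:
        problems.append("disallowed characters: " + " ".join(repr(c) for c in bad))
    # ([A-Za-z0-9])\1{3,} matches a letter or digit followed by itself 3+ more
    # times, i.e. a run of 4 or more identical characters.
    run = re.search(r"([A-Za-z0-9])\1{%d,}" % MAX_RUN, pw)
    if run:
        problems.append(f"'{run.group(1)}' repeated {len(run.group(0))} times in a row")
    return problems


if __name__ == "__main__":
    # Constructed samples: a long passphrase and a password using '&' both fail,
    # which is the limitation the score deduction above refers to.
    for sample in ("Ab3@#*()+=", "correct horse battery staple 2024",
                   "Tr0ub4dor&3", "Paaaa1234", "Paaa12345"):
        print(repr(sample), "->", check_password(sample) or "OK")
```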
Multi-factor Authentication
For logging in, Bank of America only supports SMS and email for MFA. However, buried in the settings is the option to use a USB security key "to increase limits for certain transfer types". It is unclear without further testing how much this feature could be used in "normal" account usage (i.e. beyond high-volume transfers and payments).

4/5
"Forgot Login" Flows
Bank of America has one flow for forgotten login info. The first step asks for the user's SSN and the last 6 digits of any Bank of America account they have (checking, debit card, credit card, etc.).

Going as deep into the "forgotten" chain as possible: if "Don't have an SSN or TIN?" is selected, the system will try to send an MFA code via SMS. If the "trouble receiving your code by phone" option is selected, it will fall back on email.

If the user says they also don't have access to their email, the system shows the last 4 digits of their debit card and asks for its PIN.

If the PIN is entered correctly, the user arrives at a screen that shows their username and allows them to reset their password. An email is sent at this stage notifying that the account was looked up.

In short: the minimum information needed to break into someone's Bank of America account (at least one with a checking account/debit card) is their SSN, the last 6 digits of one of their account numbers, and their debit card PIN. The user will be notified via email that this happened.
Minus 1 point for being able to access the account with relatively easy-to-obtain/guess information.
4/5
Account Change Notification
Bank of America sends an email to the primary email address when the password is changed. No notification is sent when an email address is added to the account. However, there doesn't seem to be an easy way to change or remove the primary email address, and the email address is not used for logging in.

5/5
View Login History and Remote Logout
Bank of America shows the 20 most recent login sessions, but doesn't have a remote logout feature.

3/5