Charles Schwab
client.schwab.com
Last update: February 2024
Grade
93/100
A
Grade Breakdown
Username and Password Limitations
Charles Schwab users log in with a custom username and password. Charles Schwab has the following password requirements:
- 8 or more characters
- 1 letter
- 1 number
Brownie points for the space character being allowed in the password, which is helpful when generating passphrases.
5/5
Multi-factor Authentication
Charles Schwab supports login MFA via SMS, their mobile app, or the Symantec VIP service. There is no concept of one-time recovery codes, and if the user chooses an option other than SMS, there is no option to "fall back" on SMS. This makes the system more secure, but also inconvenient if the user loses access to their MFA device.
Minus 0.5 for no one-time recovery codes.
4.5/5
"Forgot Login" Flows
Charles Schwab has separate but similar flows for forgotten username and password.
The username recovery flow first asks for the user's birthday, SSN, and zip code. It then asks for a phone number to send a recovery code to. It only sends a recovery code if that phone number is associated with the account, and the message displayed is the same whether or not that is the case.
If the security code is entered correctly, the user then needs to answer their security question (one security question is configured during account setup).
It then finally displays the username.
The password flow is the same, except it starts at the enter-phone-number step. A correct security question answer leads to a password reset screen.
In summary: to either get a Charles Schwab user's username or reset their password, an attacker would have to know the phone number associated with the account, intercept that message with a recovery code, and also know the answer to the security question.
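The recovery flow described above, as an added Python example (not Charles Schwab's code) of the property the page highlights: the reply to a recovery request is identical whether or not the phone number is on file, the code is compared in constant time with a limited number of guesses, and the username is only revealed after the security question is answered. The phone number, username and security answer are constructed, and the `outbox` list stands in for an SMS gateway.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# One generic response for every request, so the reply cannot be used to
# discover which phone numbers belong to accounts.
GENERIC_MESSAGE = "If that phone number is on file, a recovery code has been sent."
MAX_CODE_ATTEMPTS = 3  # wrong guesses allowed before the code is discarded


def hash_answer(answer: str, salt: bytes) -> bytes:
    # Security answers are secrets: store them hashed, normalised for case and whitespace.
    return hashlib.pbkdf2_hmac("sha256", answer.strip().lower().encode(), salt, 100_000)


@dataclass
class Account:
    username: str
    phone: str
    answer_salt: bytes
    answer_hash: bytes


@dataclass
class PendingCode:
    code: str
    attempts_left: int = MAX_CODE_ATTEMPTS


class RecoveryService:
    def __init__(self, accounts):
        self._by_phone = {a.phone: a for a in accounts}
        self._pending = {}   # phone -> PendingCode
        self.outbox = []     # constructed stand-in for the SMS gateway: (phone, code)

    def request_code(self, phone: str) -> str:
        """Step 1: caller supplies a phone number; the reply is the same either way."""
        code = f"{secrets.randbelow(10**6):06d}"  # generated even for unknown numbers
        account = self._by_phone.get(phone)
        if account is not None:
            self._pending[phone] = PendingCode(code)
            self.outbox.append((phone, code))
        return GENERIC_MESSAGE

    def verify_code(self, phone: str, code: str) -> bool:
        """Step 2: constant-time comparison of the SMS code with a guess limit."""
        pending = self._pending.get(phone)
        if pending is None:
            return False
        if hmac.compare_digest(pending.code, code):
            return True
        pending.attempts_left -= 1
        if pending.attempts_left <= 0:
            del self._pending[phone]
        return False

    def recover_username(self, phone: str, code: str, answer: str):
        """Steps 2 and 3 together: code, then security question; username or None."""
        if not self.verify_code(phone, code):
            return None
        account = self._by_phone[phone]
        # The code is consumed on a correct entry whether or not the answer is right,
        # so one intercepted message gives exactly one attempt at the security question.
        del self._pending[phone]
        if hmac.compare_digest(account.answer_hash, hash_answer(answer, account.answer_salt)):
            return account.username
        return None


def make_account(username: str, phone: str, answer: str) -> Account:
    salt = secrets.token_bytes(16)
    return Account(username, phone, salt, hash_answer(answer, salt))


# Constructed sample data, not real account information.
SERVICE = RecoveryService([make_account("jdoe", "+15550100", "Maple Street")])
```

Calling `SERVICE.request_code` with a known and an unknown number returns the same string in both cases; only the known number produces an entry in `outbox`. The password-reset variant of the flow would replace the final `return account.username` with issuing a reset token, with the same gating on the code and the security answer.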
5/5
Account Change Notification
Charles Schwab instantly notifies the user of any change made to the account, including sending an email to the old address if that is what changed.
5/5
View Login History and Remote Logout
Charles Schwab shows the current and previous logins to the account, but doesn't have an option to remotely log out.
3/5