Equifax

my.equifax.com

Last update: February 2024

 

Grade

47/100

F

 

Grade Breakdown

Username and Password Limitations

Equifax users log in with their email address and a password. Equifax has the following password requirements:

  • Between 8 and 20 characters
  • 1 upper-case letter
  • 1 lower-case letter
  • 1 number
  • 1 or more of certain special characters: ! @ $ * + -

Minus 1 point for no custom username. Minus 0.5 points for the specific special character requirements that make generating a password cumbersome.

3.5/5

 

Multi-factor Authentication

Equifax has no way to configure login MFA.

0/5

 

"Forgot Login" Flows

Equifax has one "Account Recovery" flow. This first asks for: SSN, birthday, full name, phone number, and email address.

It then asks for MFA using either the email address or phone number associated with the account.

Upon entering the correct one-time passcode, the username is displayed and the password can be reset.

If an email address or phone number that is not associated with the account is entered, it will not be shown as an MFA option.

The MFA step when a "wrong" email address is entered.

 

The MFA step when a "wrong" phone number is entered.

 

The MFA step when both a "wrong" email address and phone number are entered.

In short: to break into an account with this flow, an attacker would have to intercept a user's email or SMS messages. However, the flow reveals whether a given email address is associated with an account, which is significant because the email address is used for logging in (minus 1 point).

4/5
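The point deducted above comes from the MFA screen changing with the input. The following is an added example, not Equifax's code: a minimal model of the option-selection step as described, next to a variant that shows the same screen for every input and lets only the delivery step depend on a match. The account record, function names and the `outbox` list are assumptions made for illustration.

```python
import hmac

# Constructed sample record; a real service would query its identity store.
ACCOUNTS = {"000-00-0000": {"email": "pat@example.com", "phone": "+15555550100"}}


def _matches(stored, entered):
    # Constant-time comparison so response timing does not become a second oracle.
    return hmac.compare_digest(stored.lower().encode(),
                               entered.strip().lower().encode())


def options_as_described(ssn, email, phone):
    """Flow as the page describes it: only contacts on file are offered."""
    account = ACCOUNTS.get(ssn, {})
    entered = {"email": email, "phone": phone}
    return [ch for ch, value in entered.items()
            if ch in account and _matches(account[ch], value)]


def options_uniform(ssn, email, phone, outbox):
    """Same screen for every input; only passcode delivery depends on a match."""
    account = ACCOUNTS.get(ssn, {})
    entered = {"email": email, "phone": phone}
    for ch, value in entered.items():
        if ch in account and _matches(account[ch], value):
            outbox.append((ch, account[ch]))  # stand-in for sending the passcode
    return list(entered)  # always ["email", "phone"]


if __name__ == "__main__":
    outbox = []
    # Wrong email, right phone: the described flow drops "email" from the screen.
    print(options_as_described("000-00-0000", "other@example.com", "+15555550100"))
    # The uniform flow shows both channels; the outbox shows what was really sent.
    print(options_uniform("000-00-0000", "other@example.com", "+15555550100", outbox))
    print(outbox)
```

The trade-off of the uniform variant is that a user who mistypes a contact is offered a channel that never receives a code.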

 

Account Change Notification

Equifax sends an email notification when the email address, phone number, or password associated with the account is changed. The old email address is notified if that is what changed.

5/5

 

View Login History and Remote Logout

Equifax does not have a login history or remote logout feature.

0/5