Robinhood
robinhood.com
Last update: May 2024
Grade
92/100
A-
Grade Breakdown
Username and Password Limitations
Robinhood users log in with their email address and a password. Robinhood has the following password requirements:
- 10 or more characters
Minus 1 point for no custom username (the email address serves as the username). Brownie points for the 10-character minimum length, which is better than most.
4/5
Multi-factor Authentication
Robinhood supports login MFA via authenticator app, device approval, or SMS. It also supports a one-time recovery code, but it can only be generated while using the browser app, which is odd because most people use Robinhood via the mobile app (minus 0.5 points).

4.5/5
"Forgot Login" Flows
Robinhood has a different flow for forgotten password and forgotten email address.
For forgotten password, the user is prompted for an email address to receive a reset link. The message is the same whether or not the email address is associated with a Robinhood account.

For forgotten email, Robinhood asks for the user's birthday and SSN, and then shows a partial email address (e.g. "du****n@g***l.com"). An MFA code is required to see the full email address or update the email address. Interestingly, the MFA code is always sent via SMS to the phone number associated with the account, even if a more secure form of MFA is set up.

In short: an attacker would have to intercept both a user's email and SMS messages to break into the account via this flow. However, the flow does reveal which email address is associated with an account (minus 1 point).
4/5
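As an added illustration (example code written for this review, not Robinhood's own implementation) of the two behaviours described above: a forgot-password handler that returns one fixed message whether or not the address is registered, plus a token check that is constant-time, single-use and time-limited, and a masking helper that produces the partial-address format shown ("du****n@g***l.com") with fixed-width masks so the asterisk count does not reveal the hidden length. The in-memory account store, the outbox, `send_reset_email` and the 15-minute token lifetime are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed, in-memory account store for the example (hypothetical data,
# not anything from Robinhood). Keys are normalized email addresses.
ACCOUNTS = {
    "dustin@gmail.com": {"phone": "+15550100"},
}

# Constructed outbox standing in for the mail delivery system (hypothetical).
OUTBOX = []

# One message for every request, so the response does not reveal whether
# the address belongs to an account.
GENERIC_RESET_MESSAGE = (
    "If an account exists for that email address, "
    "a password reset link has been sent."
)

RESET_TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime for the example


def normalize_email(addr):
    return addr.strip().lower()


def mask_email(addr):
    """Mask an address in the style the review shows ("du****n@g***l.com").

    Fixed-width masks are used on purpose: the number of asterisks does not
    depend on the length of the hidden part, so the mask reveals nothing
    beyond the first/last characters it intentionally keeps.
    """
    local, _, domain = normalize_email(addr).partition("@")
    if not local or not domain:
        raise ValueError("not an email address")
    # Local part: first two characters, fixed mask, last character.
    if len(local) >= 3:
        masked_local = local[:2] + "****" + local[-1]
    else:
        masked_local = local[0] + "****"
    # Domain: mask the first label, keep the remaining labels (e.g. the TLD).
    label, dot, rest = domain.partition(".")
    if len(label) >= 2:
        masked_label = label[0] + "***" + label[-1]
    else:
        masked_label = label[0] + "***"
    return masked_local + "@" + masked_label + dot + rest


def send_reset_email(email, token):
    """Placeholder delivery hook (hypothetical): records the message instead
    of sending it, so the flow can be exercised offline."""
    OUTBOX.append((email, token))


def request_password_reset(email, store=ACCOUNTS, now=None):
    """Forgot-password flow: same work and same message whether or not the
    address is registered, which is the behaviour the review credits."""
    now = time.time() if now is None else now
    account = store.get(normalize_email(email))
    # Generate and hash a token on every request, not only when the account
    # exists, so both code paths do comparable work.
    token = secrets.token_urlsafe(32)
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    if account is not None:
        # Store only the hash; the raw token travels in the reset link.
        account["reset_token_hash"] = token_hash
        account["reset_expires"] = now + RESET_TOKEN_TTL_SECONDS
        send_reset_email(email, token)
    return GENERIC_RESET_MESSAGE


def consume_reset_token(email, token, store=ACCOUNTS, now=None):
    """Validate a presented token: constant-time hash comparison, expiry
    check, and invalidation on success so the link cannot be reused.
    Returns True only when the token is valid."""
    now = time.time() if now is None else now
    account = store.get(normalize_email(email))
    if account is None or "reset_token_hash" not in account:
        return False
    presented = hashlib.sha256(token.encode()).hexdigest()
    matches = hmac.compare_digest(account["reset_token_hash"], presented)
    unexpired = now < account["reset_expires"]
    if matches and unexpired:
        del account["reset_token_hash"]
        del account["reset_expires"]
        return True
    return False
```

The point of `request_password_reset` is that a caller cannot distinguish a registered address from an unknown one by the message or by the amount of work done; the forgot-email flow described above does not have that property, since producing a masked address at all confirms that an account exists.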
Account Change Notification
Robinhood sends an email notification if the password is reset or the contact information is changed. The notification is sent to the old email address if the email address is changed.

5/5
View Login History and Remote Logout
Robinhood shows the active login sessions and allows logging out from each one.

5/5
Passkeys (Extra Credit)
+5