TransUnion

service.transunion.com

Last update: May 2024

 

Grade

65/100

D

 

Grade Breakdown

Username and Password Limitations

TransUnion users log in with a custom username and password. TransUnion has the following password requirements:

  • Between 12 and 64 characters

Brownie points for a 12-character minimum length, which is better than most.

5/5

 

Multi-factor Authentication

TransUnion performs login MFA via email at its own discretion (it seems to be triggered when logging in from a new device or network). However, users cannot configure anything about it, e.g. save a trusted browser or force it to happen on every login (minus 0.5 points).

3.5/5

 

"Forgot Login" Flows

TransUnion has one forgotten login flow, which is pretty much as insecure as you can get. The "Login Help" page first asks for the user's SSN and last name.

The next page asks for the user's birthday and their answer to their security question (1 question, which is configured when creating the account).

...and that's it. If those are entered correctly, the username is displayed and the password can be reset, which then logs in to the account.

Therefore, the entire security of the account hinges on the answer to 1 security question.

2/5

 

Account Change Notification

An email notification is sent when the password is changed, but not when the username or email address is changed. If the email address is changed, no notification goes to the old email address.

3/5

 

View Login History and Remote Logout

TransUnion does not have a login history or remote logout feature.

0/5