Venmo

venmo.com

Last update: January 2025

 

Grade

68/100

D+

 

Grade Breakdown

Username and Password Limitations

Venmo users log in with either their custom username (which can be changed), email address, or phone number, and password. Venmo has the following password requirements:

  • Minimum 8 characters, maximum 20
  • Upper-case and lower-case letters
  • At least one number, OR one of these special characters: "!", "@", "#", "$", "%"

Minus one point for using email address and phone number for login, which are easily discoverable. Minus half a point for mildly arbitrary password requirements, which make generating a password more difficult.
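To show what these rules mean for a password manager or generator, here is an added example (not Venmo's code and not part of the original review) that checks a candidate against the requirements listed above and generates a compliant random password. The function names are hypothetical, and restricting the generator to letters, digits and the five listed special characters is an assumption, since the review does not say whether other characters are accepted.

```python
import secrets
import string

# Policy as stated in this review (Venmo, January 2025).
MIN_LEN, MAX_LEN = 8, 20
SPECIALS = "!@#$%"
# Assumption: characters outside this set may be rejected, so the generator avoids them.
ALPHABET = string.ascii_letters + string.digits + SPECIALS


def policy_violations(password: str) -> list[str]:
    """Return the rules the password breaks (an empty list means compliant)."""
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN}-{MAX_LEN}")
    if not any(c in string.ascii_uppercase for c in password):
        problems.append("needs an upper-case letter")
    if not any(c in string.ascii_lowercase for c in password):
        problems.append("needs a lower-case letter")
    if not any(c in string.digits or c in SPECIALS for c in password):
        problems.append("needs a number or one of " + SPECIALS)
    return problems


def generate(length: int = MAX_LEN) -> str:
    """Draw uniformly random candidates and return the first compliant one.

    Rejection sampling keeps the result uniform over all compliant passwords,
    unlike forcing one character of each class into fixed positions.
    """
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError(f"length must be {MIN_LEN}-{MAX_LEN}")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not policy_violations(candidate):
            return candidate


if __name__ == "__main__":
    print(generate())
    # Constructed sample: a 25-character passphrase exceeds the 20-character cap
    # and also lacks an upper-case letter and a number or listed special character.
    print(policy_violations("correct-horse-battery-xyz"))
```
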

3.5/5

 

Multi-factor Authentication

Venmo has email/SMS MFA when logging in from an unrecognized device (it seems to randomly pick between email and SMS in testing), with financial account numbers as backup options. In my case, I have a checking account and debit card linked to my Venmo, so I could enter either the checking account number or debit card information to verify.

[Screenshot: Main MFA option, which is sometimes SMS instead of email]

[Screenshot: Checking account number option]

[Screenshot: Debit card information option]

Minus one point for no strong options like an authenticator app. Minus half a point for no one-time recovery codes.

3.5/5

 

"Forgot Login" Flows

Venmo only has a "forgot password" flow; nothing for username or other login info. It asks for a phone number or email address and sends a password reset link there if the info is associated with a Venmo account. The message is the same whether or not the information is associated with a Venmo account, meaning that an attacker can't use a phone number or email address to "look up" if a user has an account.

Minus one point for forcing the user to rely on SMS, which is easily compromised.

4/5

 

Account Change Notification

Venmo sends an email notification if the login information or password is changed. The notification is sent to the old email address if that is what changed.

5/5

 

View Login History and Remote Logout

Venmo does not have a login history or remote logout feature.

0/5