Wealthfront

wealthfront.com

Last update: July 2024

 

Grade

89/100

B+

 

Grade Breakdown

Username and Password Limitations

Wealthfront users log in with their email address and password. Wealthfront has the following minimum password requirements:

  • 8 or more characters (can be all lower-case letters)

Brownie points for showing a password strength rating while the password is being set up.

4/5

 

Multi-factor Authentication

Wealthfront's MFA supports an authenticator app, and SMS can optionally be added as a backup. However, there is no concept of one-time recovery codes. This means that a user who relies only on the authenticator app for MFA, which is the more secure setup, has to contact customer support to log in if they lose their MFA device.

Minus half a point for not being able to generate one-time recovery codes.

4.5/5

 

"Forgot Login" Flows

Wealthfront only has a "forgot password" flow; there is nothing for the username or other login info. It asks for an email address and sends a password reset link there if the address is associated with a Wealthfront account. The on-screen message is the same whether or not the email address is associated with a Wealthfront account, so the flow does not reveal which addresses have accounts.

In short: an attacker would have to have already compromised a user's email in order to use this flow to break into their account.

5/5
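The properties graded above (one reply for every address, a link that only reaches the registered mailbox) can be sketched as follows. This is an added example, not Wealthfront's code; `ResetService`, `GENERIC_REPLY`, the 15-minute lifetime and the `send_mail` callback are all assumptions made for illustration.

```python
import hashlib
import secrets
import time

# Assumed wording and lifetime; the page does not state Wealthfront's values.
GENERIC_REPLY = "If that address has an account, a reset link has been sent."
TOKEN_TTL = 15 * 60  # seconds


def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()


class ResetService:
    """Hypothetical forgot-password backend with an enumeration-safe reply."""

    def __init__(self, accounts, send_mail, now=time.time):
        self.accounts = {a.strip().lower() for a in accounts}
        self.send_mail = send_mail  # callback(to_address, token)
        self.now = now              # injectable clock for testing
        self.pending = {}           # sha256(token) -> (email, expiry)

    def request_reset(self, email):
        email = email.strip().lower()
        if email in self.accounts:
            token = secrets.token_urlsafe(32)  # 256 bits from the CSPRNG
            # Store only a hash, so a leaked table yields no usable links.
            self.pending[_digest(token)] = (email, self.now() + TOKEN_TTL)
            # In production, queue the mail asynchronously so response time
            # does not differ between known and unknown addresses.
            self.send_mail(email, token)
        # Same reply either way: the caller learns nothing about the account.
        return GENERIC_REPLY

    def redeem(self, token):
        """Return the account email for a valid token, else None."""
        entry = self.pending.pop(_digest(token), None)  # single use
        if entry is None:
            return None
        email, expiry = entry
        return email if self.now() <= expiry else None


if __name__ == "__main__":
    outbox = []  # constructed stand-in for a mail queue
    svc = ResetService({"user@example.com"}, lambda to, tok: outbox.append((to, tok)))
    print(svc.request_reset("user@example.com"))
    print(svc.request_reset("nobody@example.com"))
    print("mails sent:", len(outbox))
```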

 

Account Change Notification

Wealthfront sends an email notification if the password is reset or the email address is changed. When it is the email address that changed, the notification is sent to the old address.

5/5

 

View Login History and Remote Logout

Wealthfront shows the active login sessions, but only allows logging out of all of them at once, not individually.

4/5