Amazon
amazon.com
Last update: May 2024
Grade
73/100
C
Grade Breakdown
Username and Password Limitations
Amazon users log in with their email address or phone number plus a password. Amazon has the following password requirements:
- 6 or more characters
Minus 1 point for no custom username. Minus 1 point for the 6-character password minimum, which is extremely weak and shouldn't be allowed.
Brownie points for providing tips for creating a strong password.
3/5
Multi-factor Authentication
Amazon's MFA centers on SMS and can be enhanced with an authenticator app. However, there appears to be no way to remove SMS as a backup method (so SMS remains the weakest link), and there are no one-time recovery codes.
3/5
"Forgot Login" Flows
Amazon has a single flow for forgotten logins. It asks for the email address or phone number associated with the account and shows a different message when that contact info is not associated with any account. If the info is correct, it sends an MFA code to the account's email address (regardless of how the user has MFA configured) and then takes the user directly to a password reset page.
4/5
Account Change Notification
Amazon sends an email notification when the password or email address is changed. The email-change notification includes both the old and the new email address.
5/5
View Login History and Remote Logout
Amazon offers only a "panic mode" remote logout: the user can sign out of every active session if they believe their account has been compromised. There is no view of login history or of individual sessions.
3/5
Passkeys (Extra Credit)
+5