Target

target.com

Last update: March 2024

Grade

86/100

B

Grade Breakdown

Username and Password Limitations

Target users log in with their email address and password. If there is a phone number associated with the account, which is optional, it can be used to log in too. Target has the following password requirements:

  • Between 8 and 20 characters

and a combination of 2 or more of the following:

  • 1 upper-case letter
  • 1 lower-case letter
  • 1 number
  • 1 special character, excluding "<" and ">"

Minus 1 point for no custom username. Minus 0.5 points for minor password limitations (max length 20, special character requirements).

3.5/5

Multi-factor Authentication

Target supports either email or SMS for login MFA.

4/5

"Forgot Login" Flows

Target has one flow for forgotten password. It first asks for either the email address or phone number associated with the account, and then allows the user to reset their password or log in with a temporary code. It then sends an MFA code to that piece of contact information to confirm the action.

Target gives an error message if an email address or phone number is not associated with any account, meaning an attacker can use this flow to "look up" whether a given piece of contact information belongs to an account (minus 1 point).
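As an added illustration (not Target's code), the kind of existence oracle the paragraph describes, beside a reset handler that answers identically whether or not the contact is registered; the user store, messages and contact values are constructed.

```python
# Added example, not Target's code: a "forgot login" lookup that reveals whether a
# contact point is registered, beside a version that responds the same either way.
import secrets

# Constructed sample store of registered contact points (assumption: dict lookup).
REGISTERED = {"alice@example.com": "user-1", "+15555550100": "user-2"}


def _normalize(contact: str) -> str:
    """Trim and lower-case so 'Alice@Example.com ' matches the stored key."""
    return contact.strip().lower()


def _issue_code(contact: str) -> str:
    """Generate a one-time code; the real delivery (email/SMS) is out of scope here."""
    return f"{secrets.randbelow(1_000_000):06d}"


def reset_leaky(contact: str) -> dict:
    """Behaviour the scorecard penalises: the response differs for unknown contacts."""
    contact = _normalize(contact)
    if contact not in REGISTERED:
        return {"status": 404, "message": "No account found for that email or phone number."}
    _issue_code(contact)
    return {"status": 200, "message": "We sent a code to your contact information."}


def reset_uniform(contact: str) -> dict:
    """Hardened variant: identical status and message regardless of registration.

    The code is still only issued (and would only be sent) for a real account, so
    unknown contacts are never messaged; delivery should run off the request path
    so response timing does not become a second oracle.
    """
    contact = _normalize(contact)
    if contact in REGISTERED:
        _issue_code(contact)
    return {"status": 200,
            "message": "If an account exists for that contact, we sent a code."}


def leaks_existence(handler) -> bool:
    """Oracle check: does the response distinguish a registered contact from an unknown one?"""
    known = handler("alice@example.com")
    unknown = handler("nobody@example.com")
    return known != unknown
```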

4/5

Account Change Notification

Target sends email notifications when the password is changed and when a phone number is added or removed. If a user tries to change their email address, they first need to confirm from their old email address.

5/5

View Login History and Remote Logout

Target shows the current login sessions and allows any one of them, or all of them, to be remotely logged out.

5/5

Passkeys (Extra Credit)

+5