Bluesky

bsky.app

Last update: December 2024


Grade

74/100

C


Grade Breakdown

Username and Password Limitations

Bluesky users log in with their email address or a custom username, plus a password. The username can be changed. There are no minimum password requirements: in testing, the system accepted a string of any length consisting only of lower-case letters, so an extremely weak password is possible (minus 1 point).

4/5


Multi-factor Authentication

Bluesky supports login MFA only via a code sent by email. Authenticator apps, hardware keys, and one-time recovery codes are not supported (minus 1 point).

One quirk: when entering the code, the "-" separator must be typed as well.

4/5


"Forgot Login" Flows

Bluesky has a single flow for a forgotten password. It asks for an email address and sends a code to it if the address is associated with a Bluesky account.

The message shown is the same whether or not the email address is associated with a Bluesky account, so an attacker cannot use this flow to "look up" whether a given email address belongs to an account.
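The enumeration-safe behaviour described above, as an added illustration (example code written for this review, not Bluesky's implementation): the hardened handler returns one generic message on both paths and does the same work either way, while the contrasting leaky handler differs by message. The account store, outbox and code format are constructed for the example; code verification also accepts the code with or without the "-" separator.

```python
import hmac
import secrets

# Constructed in-memory store for the example; not real account data.
ACCOUNTS = {"alice@example.com": {"handle": "alice.example"}}
RESET_CODES = {}   # email -> pending reset code (stands in for server-side state)
OUTBOX = []        # captured "emails", so delivery is observable offline

GENERIC_RESPONSE = ("If that email address is associated with an account, "
                    "a reset code has been sent.")


def _generate_code() -> str:
    """Random 10-hex-digit code in the dash-separated form the review mentions."""
    raw = secrets.token_hex(5).upper()
    return f"{raw[:5]}-{raw[5:]}"


def _normalize(code: str) -> str:
    # Accept the code with or without the "-" so a user is not tripped up by it.
    return code.replace("-", "").strip().upper()


def request_password_reset(email: str) -> str:
    """Hardened flow: identical response whether or not the address is registered."""
    key = email.strip().lower()
    code = _generate_code()            # same work on both paths, not just same text
    if key in ACCOUNTS:
        RESET_CODES[key] = code
        OUTBOX.append((key, code))     # the only observable difference is off-channel
    return GENERIC_RESPONSE


def leaky_password_reset(email: str) -> str:
    """Contrast: differing messages reveal whether an address has an account."""
    key = email.strip().lower()
    if key in ACCOUNTS:
        RESET_CODES[key] = _generate_code()
        return "Reset code sent."
    return "No account with that email address."


def verify_reset_code(email: str, submitted: str) -> bool:
    """Constant-time comparison; a code is single-use and removed once accepted."""
    key = email.strip().lower()
    expected = RESET_CODES.get(key)
    if expected is None:
        return False
    if hmac.compare_digest(_normalize(expected), _normalize(submitted)):
        RESET_CODES.pop(key, None)
        return True
    return False
```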

5/5


Account Change Notification

Bluesky does not send any notification after the account email or password is changed. However, it does require verification via the old email address before changing to a new one, which significantly disrupts an account takeover attempt and earns this section a passing score.

3/5


View Login History and Remote Logout

Bluesky has neither a login history nor a remote logout feature, which leaves the user no way to monitor their account for suspicious activity or to end sessions they did not start.

0/5