Facebook, Instagram

facebook.com, instagram.com

Last update: February 2024

Note: This review uses screenshots of Facebook, but everything here also applies to Instagram because both use Meta's Accounts Center.

 

Grade

84/100

B

 

Grade Breakdown

Username and Password Limitations

Facebook users log in with their email address or phone number, plus a password. Facebook has the following password requirements:

  • 6 or more characters

Minus 1 point for no custom username. Minus 1 point for the 6-character password minimum, which is extremely weak and shouldn't be allowed.

3/5

 

Multi-factor Authentication

Facebook's MFA supports physical security keys, authenticator apps, and one-time recovery codes.

5/5

 

"Forgot Login" Flows

Facebook has one flow for forgotten login information. The first step is to look up the account using a piece of contact information.

A warning is displayed if the information entered is not associated with an account, while the user's account appears if it is.

If an account is found, the password can be reset by getting a verification code via email or by logging into Google. It is unclear how the Google option works, or whether it is only offered when the email is a Google email. It also appears that more information is shown when the account has previously been accessed from the same network.

It is also possible to get "temporarily blocked" from using the account lookup feature for "going too fast", although it is unclear exactly what this means.

4/5

 

Account Change Notification

A notification is sent to the old email address when contact info is added, changed, or deleted.

5/5

 

View Login History and Remote Logout

Facebook shows active login sessions and allows logging out from each one. Brownie points for being able to log out from multiple devices at once.

5/5