X
x.com
Last update: May 2024
Grade
101/100
A+
Grade Breakdown
Username and Password Limitations
X users log in with their custom username, email address, or phone number, and password. X has the following password requirements:
- 8 or more characters
5/5
Multi-factor Authentication
X supports login MFA via SMS, authenticator app, and/or hardware key. It also supports a one-time recovery code.

5/5
"Forgot Login" Flows
X has one email-based flow for a forgotten password. The user needs to confirm their username and email address (the latter is an optional extra step enabled by the "Additional password protection" setting, shown later). They then request a verification code by selecting an obscured version of their email address. Upon entering the correct code, they can reset the password.




When trying to log in, X shows a different message if no account exists for the entered email or phone number, which reveals whether that identifier is registered (minus 1 point).

4/5
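
One way to close the gap noted above, as an added example that is not X's code or part of the original review: a login check that returns the same message and does the same password-hash work whether or not the identifier belongs to an account. The account store, messages, and function names are hypothetical.

```python
import hashlib
import hmac
import os

GENERIC_FAILURE = "Incorrect login details."  # one message for every failure
PBKDF2_ROUNDS = 100_000  # constructed value for this example


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_record(password):
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


# Constructed sample account store, keyed by normalized identifier.
ACCOUNTS = {"alice@example.com": make_record("correct horse battery")}

# Decoy record: checked when the identifier is unknown, so the unknown-account
# path costs the same hash computation as the known-account path.
_DECOY = make_record(os.urandom(16).hex())


def normalize(identifier):
    return identifier.strip().lower()


def login(identifier, password):
    """Return (success, message); every failure yields the same message."""
    record = ACCOUNTS.get(normalize(identifier))
    known = record is not None
    target = record if known else _DECOY
    candidate = hash_password(password, target["salt"])
    matches = hmac.compare_digest(candidate, target["hash"])
    if known and matches:
        return True, "Welcome back."
    # Unknown identifier and wrong password are indistinguishable to the caller.
    return False, GENERIC_FAILURE
```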
Account Change Notification
X sends an email notification when the password is changed. It also restricts activity for 48 hours after a change, making a malicious account takeover difficult.

5/5
View Login History and Remote Logout
X shows the current active sessions and allows remotely logging out. A different page also shows a detailed account access history that includes IP addresses.

5/5
Passkeys (Extra Credit)
+5