Delta Air Lines
delta.com
Last update: March 2025
Grade
72/100
C-
Grade Breakdown
Password Requirements and Limitations
Delta users log in with their custom username or SkyMiles number, and password. Delta has the following password requirements:
- Between 8 and 20 characters
- 1 upper-case letter
- 1 lower-case letter
- 1 number
5/5
Multi-factor Authentication
Delta supports login MFA via email, with SMS and app notifications as additional options. The SMS option can be disabled, which is good because that is a weak form of authentication. However, it appears that email is always available as a fallback option, and there is no concept of one-time recovery codes.

4/5
"Forgot Login" Flows
Delta has different flows for forgotten username and forgotten password.
To recover the username, Delta asks for the user's full name and email address, and then sends it via email. A different message appears if an account isn't found with that information, meaning anyone who knows a user's full name can figure out which email address they are using for their account (minus 1 point).



The forgot password flow asks for the user's full name and either SkyMiles number, email address, or username. It then allows the user to receive a password reset link via email or answer their 2 security questions. Doing the latter leads directly to a password reset page.



In short: the minimum amount of information needed to break into a user's Delta account is their full name, email address, and 2 security question answers.
4/5
Account Change Notification
Any account change triggers the same vague email notification. Additionally, if the account's email address is changed (which doesn't require any verification), the notification only goes to the new address. This means that an attacker who is able to log in can take over the account without the user knowing at all.

The email above only went to my new address, meaning that I wouldn't know if someone maliciously changed it.
1/5
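A sketch of the control this section finds missing, added here as an illustration and not Delta's code: the new address must confirm before the login email is switched, and a specific notice goes to the current address as soon as the change is requested. Every name in it (`request_email_change`, `confirm_email_change`, `outbox`, the token format, the one-hour lifetime) is an assumption made for the example.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)   # assumption: per-deployment signing secret
TOKEN_TTL = 3600                       # assumption: confirmation valid for 1 hour
outbox = []                            # stands in for a mail service: (recipient, body)


def _sign(user_id, new_email, expires):
    msg = f"{user_id}|{new_email}|{expires}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def request_email_change(account, new_email, now=None):
    """Start a change; nothing is switched until the new address confirms."""
    now = int(time.time() if now is None else now)
    expires = now + TOKEN_TTL
    token = f"{expires}.{_sign(account['id'], new_email, expires)}"
    account["pending_email"] = new_email
    # Specific notice to the CURRENT address, so the owner sees the attempt.
    outbox.append((account["email"],
                   f"A request was made to change your login email to {new_email}. "
                   "If this was not you, reset your password now."))
    outbox.append((new_email, f"Confirm this address with token {token}"))
    return token


def confirm_email_change(account, token, now=None):
    """Apply the pending change only for a valid, unexpired token."""
    now = int(time.time() if now is None else now)
    pending = account.get("pending_email")
    expires_s, _, sig = token.partition(".")
    if not pending or not expires_s.isdecimal() or int(expires_s) < now:
        return False
    expected = _sign(account["id"], pending, int(expires_s))
    # Constant-time comparison on bytes, so odd input cannot raise or leak timing.
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return False
    old, account["email"] = account["email"], pending
    account["pending_email"] = None
    # Final notice goes to BOTH addresses and names what changed.
    for rcpt in (old, pending):
        outbox.append((rcpt, f"Login email changed from {old} to {pending}."))
    return True
```

With this shape, someone who logs in with stolen credentials cannot silently redirect the account: the owner's existing inbox receives the request notice before anything changes.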
View Login History and Remote Logout
Delta does not have a login history or remote logout feature.
0/5