google.com
Last update: February 2024
Grade
99/100
A+
Grade Breakdown
Username and Password Limitations
Google users log in with their custom username and password. Google specifies their password requirements here:
Create a strong password & a more secure account - Google Account Help
In short: "any combination of letters, numbers, and symbols (ASCII-standard characters only). Accents and accented characters aren't supported." They will reject a password that is "particularly weak" (in testing, this tended to be something with a lot of the same characters, and/or only letters and no numbers or special characters).
It's unclear what the weakest possible password could be, but Google should be more specific and strict with their requirements (minus 1 point). Brownie points for giving tips for strong passwords in clear language.
4/5
Multi-factor Authentication
Google's MFA supports authenticator apps, physical security keys, and one-time recovery codes.
5/5
"Forgot Login" Flows
Google's account recovery flows are spelled out here:
How to recover your Google Account or Gmail - Google Account Help
In short, they allow for numerous ways to sign in if a user doesn't have their password. This includes sending one-time passcodes via SMS or email, but only if those phone numbers/email addresses are configured as recovery options. A security-savvy user can optimize their recovery options to make it very difficult for an attacker to abuse this flow.

5/5
Account Change Notification
Google will immediately notify all email addresses associated with the account when something in the account has changed. In general, Google is notoriously good at notifying about potentially suspicious activity (to the point where memes have been made about it).


Some of Google's notorious "security alerts".
5/5
View Login History and Remote Logout
Google shows a list of previous logins and supports remotely logging out from each one.


5/5
Passkeys (Extra Credit)
+5