PayPal
paypal.com
Last update: June 2025
Grade
92/100
A-
Grade Breakdown
Username and Password Limitations
PayPal users log in with their email address or phone number plus a password. PayPal does not publish clear password requirements; from testing, it appears to reject passwords shorter than 8 characters or without enough diversity of character types.
Minus 1 point for no custom username.
4/5
Multi-factor Authentication
PayPal's MFA supports hardware keys and authenticator apps. However, there are no one-time recovery codes (-1 point).

4.5/5
"Forgot Login" Flows
PayPal has flows for a forgotten email and a forgotten password. The forgotten email flow lets a user enter up to three email addresses that might be associated with their account and reports whether one of them matches. This means an attacker can determine whether a particular email address has a PayPal account (-1 point).
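To make the enumeration problem concrete, here is an added example (not PayPal's code, and not from the author of this review) contrasting a forgot-email handler that reveals which address matched with one that answers identically for every input and delivers the real result only to the matched mailbox. The account store, the outbox and the response wording are all constructed for the example.

```python
"""Added example (hypothetical code, not PayPal's): enumeration-resistant
'forgot email' lookup versus the leaky pattern described in the review."""
from dataclasses import dataclass, field

# Constructed sample account store for the example (not real data).
ACCOUNTS = {"alice@example.com", "bob@example.com"}

# The review describes a flow that accepts up to three candidate addresses.
MAX_CANDIDATES = 3


def leaky_lookup(candidates):
    """Leaky pattern: the response itself tells the caller which of the
    submitted addresses belongs to an existing account."""
    for addr in candidates[:MAX_CANDIDATES]:
        if addr.strip().lower() in ACCOUNTS:
            return {"status": "match", "email": addr}
    return {"status": "no_match"}


@dataclass
class Outbox:
    """Stand-in for an email sender; records what would have been sent."""
    sent: list = field(default_factory=list)

    def send(self, to, subject):
        self.sent.append((to, subject))


def safe_lookup(candidates, outbox):
    """Hardened pattern: the HTTP-facing response is the same whether zero,
    one or several candidates matched, so it leaks nothing. The actual
    answer ("this address is your login") goes only to the matched mailbox,
    which only its legitimate owner can read."""
    for addr in candidates[:MAX_CANDIDATES]:
        normalized = addr.strip().lower()
        if normalized in ACCOUNTS:
            outbox.send(normalized, "Your account login email")
    # Constant response, independent of the lookup result.
    return {
        "status": "submitted",
        "message": "If any of these addresses belongs to an account, "
                   "we have sent instructions to it.",
    }


if __name__ == "__main__":
    ob = Outbox()
    print(leaky_lookup(["nobody@example.com", "alice@example.com"]))
    print(safe_lookup(["nobody@example.com"], ob))
    print(safe_lookup(["alice@example.com"], ob))
    print(ob.sent)
```

In a real deployment the hardened endpoint would also be rate limited per source and per target address, since a uniform response removes the oracle but not the cost of sending email on demand.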
PayPal's forgotten password flow is quite intensive. When I tested it, it asked for my Social Security Number, answers to two security questions, and to verify with a code via SMS. It should be noted that this was after I had recently changed the email address and phone number on the account, so this might have triggered heightened security measures.
4/5
Account Change Notification
PayPal sends an email notification if the account email address, phone number, or password is changed. The notification is sent to the old email address if that is what changed.

It should be noted that after changing the email address and phone number on my account, the account became locked until I talked to customer service. This could be frustrating for a user updating their info, but it also shows that PayPal takes the threat of account takeovers seriously.
5/5
View Login History and Remote Logout
PayPal shows the active login sessions and allows logging out from them individually.

5/5
Passkeys (Extra Credit)
+5