SoFi

sofi.com

Last update: February 2024

 

Grade

80/100

B-

 

Grade Breakdown

Username and Password Limitations

SoFi users log in with their email address and a password. SoFi has the following password requirements:

  • 8 or more characters
  • A combination of 3 or more of:
    • Upper-case letters
    • Lower-case letters
    • Numbers
    • Special characters

Minus 1 point for no custom username.

4/5

 

Multi-factor Authentication

SoFi supports email or SMS for login MFA.

4/5

 

"Forgot Login" Flows

SoFi has one flow, for a forgotten password. It asks for an email address and sends a password reset link there if the address is associated with a SoFi account. The message is the same whether or not the email address is associated with a SoFi account, so an attacker cannot use this flow to look up whether a given email address is associated with an account.

5/5
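An enumeration-resistant reset flow of the kind described above, as an added example (not SoFi's code and not part of the original scorecard). The in-memory account store, outbox, `app.example` URL, 15-minute token lifetime and function names are all assumptions.

```python
import hashlib
import secrets
import time

# Constructed sample data: one registered address (hypothetical).
ACCOUNTS = {"alice@example.com"}
RESET_TOKENS = {}   # sha256(token) -> (email, expiry timestamp)
OUTBOX = []         # stands in for an asynchronous mail queue
TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime
GENERIC_REPLY = "If that address has an account, a reset link has been sent to it."


def request_password_reset(email, now=None):
    """Return the text shown to the requester; it never depends on the lookup."""
    now = time.time() if now is None else now
    address = email.strip().lower()
    # Generate and hash a token on both paths so the work done is similar.
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    if address in ACCOUNTS:
        # Store only the hash; the raw token exists only in the emailed link.
        RESET_TOKENS[digest] = (address, now + TOKEN_TTL_SECONDS)
        # Queue the mail rather than sending inline, so response time
        # does not reveal whether the address matched.
        OUTBOX.append((address, f"https://app.example/reset?token={token}"))
    return GENERIC_REPLY


def redeem_reset_token(token, now=None):
    """Return the account email for a valid, unexpired token, else None."""
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = RESET_TOKENS.pop(digest, None)  # pop makes the token single-use
    if entry is None or now > entry[1]:
        return None
    return entry[0]


if __name__ == "__main__":
    print(request_password_reset("alice@example.com"))
    print(request_password_reset("nobody@example.com"))
    print(len(OUTBOX), "message(s) queued")
```

The same property has to hold for the HTTP status code and any redirect the form produces, not only the message text.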

 

Account Change Notification

SoFi sends a notification to the account's email address when the password is changed.

If there is a request to change the email address, SoFi will send a notification to the old address even before the new email address is verified.

5/5

 

View Login History and Remote Logout

The only thing SoFi has in this realm is a "Forget Remembered Devices" option for MFA.

1/5