Grade

68/100

D+

Grade Breakdown

Username and Password Limitations

Equifax users log in with their email address and a password. Equifax has the following password requirements:

• 8 or more characters
• 1 upper-case letter
• 1 lower-case letter
• 1 number
• 1 or more of special characters

Minus 1 point for no custom username.

4/5

Multi-factor Authentication

Equifax supports MFA via email and SMS.

3/5

"Forgot Login" Flows

Equifax has one "Account Recovery" flow. This first asks for: SSN, birthday, full name, phone number, and email address.

It then asks for MFA using either the email address or phone number associated with the account.

Upon entering the correct one-time passcode, the username is displayed and the password can be reset.

If an email address or phone number that is not associated with the account is entered, those will not be shown as MFA options.

The MFA step when a "wrong" email address is entered.

The MFA step when a "wrong" phone number is entered.

The MFA step when both a "wrong" email address and phone number are entered.

In short: in order to break into an account with this flow, an attacker would have to intercept a user's email or SMS messages. However, it is possible to glean if a certain email address is associated with an account, which is significant because that is used for logging in (minus 1 point).

4/5

Account Change Notification

Equifax sends an email notification when the email address, phone number, or password associated with the account is changed. The old email address is notified if that is what changed.

5/5