Amazon

amazon.com

Last update: May 2024

Grade

67/100

D+

Grade Breakdown

Username and Password Limitations

Amazon users log in with their email address or phone number, and password. Amazon has the following password requirements:

  • 6 or more characters

-1 point for no custom username. -1 point for the 6-character password minimum, which is extremely weak and shouldn't be allowed. Brownie points for providing tips for creating a strong password.

3/5

Multi-factor Authentication

Amazon's MFA centers around SMS and can be enhanced with an authenticator app. However, there's no option to disable the SMS factor (-2 points), and no concept of one-time recovery codes (-0.5 points).

2.5/5

"Forgot Login" Flows

Amazon has one flow for forgotten logins. It asks for the email or phone number associated with the account, and gives a different message if that piece of contact info is not associated with an account, which reveals whether an account exists (-1 point). If the info is correct, it sends an MFA code to the account's email address (regardless of how the user has MFA configured) before taking the user directly to a password reset page.

4/5
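The point deducted above is for account enumeration: a "forgot login" endpoint that answers differently for known and unknown contacts lets anyone confirm which addresses have accounts. The following is an added illustration, not Amazon's code, showing the leaky pattern beside a uniform-response version. The account store, the `send_code` helper and the message text are constructed for the example.

```python
import secrets

# Constructed in-memory data for the example (not a real account store).
ACCOUNTS = {"alice@example.com": "alice@example.com"}  # contact -> address that receives the code
SENT_CODES = []  # server-side log of (address, code); never part of the HTTP response

GENERIC_MESSAGE = ("If an account matches that email or phone number, "
                   "we've sent a verification code to it.")


def normalize(contact):
    """Canonicalize user input so lookups are consistent."""
    return contact.strip().lower()


def send_code(address):
    """Generate a 6-digit code and record it as sent (stand-in for email/SMS delivery)."""
    code = f"{secrets.randbelow(10**6):06d}"
    SENT_CODES.append((address, code))


def dummy_work():
    """Spend roughly the same effort as send_code so timing does not reveal account existence."""
    secrets.randbelow(10**6)


def forgot_login_leaky(contact):
    """The pattern penalized in the scorecard: the reply itself says whether an account exists."""
    key = normalize(contact)
    if key not in ACCOUNTS:
        return {"status": 404, "message": "No account found for that email or phone number."}
    send_code(ACCOUNTS[key])
    return {"status": 200, "message": "We've sent a verification code to your email."}


def forgot_login_uniform(contact):
    """Hardened pattern: identical status and message whether or not an account exists."""
    key = normalize(contact)
    address = ACCOUNTS.get(key)
    if address is not None:
        send_code(address)       # real delivery happens only for existing accounts
    else:
        dummy_work()             # unknown contact: same response, comparable work
    return {"status": 200, "message": GENERIC_MESSAGE}


def responses_differ(handler, known, unknown):
    """Return True when the client-visible response distinguishes a known contact from an unknown one."""
    return handler(known) != handler(unknown)


if __name__ == "__main__":
    print("leaky handler distinguishes accounts:",
          responses_differ(forgot_login_leaky, "alice@example.com", "nobody@example.com"))
    print("uniform handler distinguishes accounts:",
          responses_differ(forgot_login_uniform, "alice@example.com", "nobody@example.com"))
```

The uniform handler still only delivers a code where an account exists; the difference is that the existence check moves out of the HTTP response and into the out-of-band message, which is where the legitimate owner sees it. Rate limiting per contact and per source address belongs in front of either handler, since a uniform response alone does not stop bulk probing.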

Account Change Notification

Amazon sends an email notification when the password or email is changed. It includes what the old and new email addresses are.

5/5

View Login History and Remote Logout

Amazon only has "panic mode" remote logout: the user can sign out of every active session if they think their account has been compromised (-2 points).

3/5

Passkeys (Extra Credit)

+5