Scoring System

Username and Password Limitations: 30%

Can the user create a custom username (harder to learn about or guess), or does it have to be their email address or phone number? Are there arbitrary requirements that force the password to be weaker or make it difficult to generate?

Multi-factor Authentication (MFA): 30%

Is any additional verification needed to log in besides a password? Does this use strong or weak standards? Rule of thumb: authenticator app > email > SMS > security questions (hardware keys are even better, but probably overkill for most applications). Is it possible to generate one-time recovery codes in case the user loses the device they use for MFA?

"Forgot Login" Flows: 20%

How easy is it for an attacker to learn information about, or gain access to, a user's account by following the "forgot username/password" flows? Do the same messages appear whether or not the contact information is entered correctly, meaning the flow can't be used to "look up" whether a given piece of contact information is associated with an account?
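The "same message either way" check described above, as an added example that is not part of Login Score's own tooling: a forgot-password handler whose response reveals whether an address is registered, beside one that answers identically for registered and unregistered addresses, plus the comparison an auditor would run. The account store, addresses and mail outbox are constructed for the example.

```python
import secrets
from dataclasses import dataclass, field

# Constructed sample account store; a real service would query its user database.
USERS = {"alice@example.test": {"id": 1}}

# One message for both outcomes, so the response never confirms an address.
RESET_MESSAGE = "If an account exists for that address, reset instructions have been sent."


@dataclass
class Outbox:
    """Stand-in for the mail sender; records what would have been emailed."""
    sent: list = field(default_factory=list)


def forgot_password_leaky(email: str, outbox: Outbox) -> tuple[int, str]:
    """Enumerable flow: status code and wording differ depending on whether the
    address is registered, so the endpoint doubles as an account lookup."""
    if email not in USERS:
        return 404, "No account found for that email address."
    outbox.sent.append((email, secrets.token_urlsafe(32)))
    return 200, "Reset instructions sent."


def forgot_password_uniform(email: str, outbox: Outbox) -> tuple[int, str]:
    """Hardened flow: same status and same message either way. The token is
    generated on both paths so the work done (and roughly the time taken) does
    not depend on whether the address exists; only the mail step differs, and
    the requester cannot observe that."""
    token = secrets.token_urlsafe(32)
    if email in USERS:
        outbox.sent.append((email, token))
    return 200, RESET_MESSAGE


def leaks_account_existence(handler, known: str, unknown: str) -> bool:
    """Auditor's check: submit a registered and an unregistered address and
    report whether the visible responses differ."""
    outbox = Outbox()
    return handler(known, outbox) != handler(unknown, outbox)


if __name__ == "__main__":
    for handler in (forgot_password_leaky, forgot_password_uniform):
        leaks = leaks_account_existence(handler, "alice@example.test", "nobody@example.test")
        print(f"{handler.__name__}: leaks account existence = {leaks}")
```

The same comparison applies to a "forgot username" flow and to the time each response takes, since a slower answer for registered addresses leaks the same information as a different message.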

Account Change Notification: 10%

Is the user notified when their password or another piece of login information is changed? Is the old/original contact address notified, or only the new one? Is the notification immediate, or is there a delay?

View Login History and Remote Logout: 10%

Is the user able to see a list of current and past login sessions? Are they able to remotely log out of a session?

Passkeys: +5 points (Extra Credit)

The passkey is a promising new authentication method that aims to replace the password. Passkeys are both more secure and more convenient than passwords for a number of reasons, and it's exciting to see popular services adopting and promoting them. However, as of the time of writing (June 2025), overall passkey adoption has still been rocky. The main issue is that the different "big players" who make most of our devices and cloud storage have implemented passkeys in different ways, making it inconvenient for users to use them across different services and brands of devices. In addition, almost every service that supports passkeys still requires the "old-fashioned" username/password option as well, and will probably keep doing so for the foreseeable future.

For now, Login Score sees passkeys as a feature that companies should be praised for adding but not criticized for omitting. Offering them shows that a company is taking serious strides towards better account security, but passkeys aren't widely adopted enough yet to be expected.