Criteria: A product has an authentication system that corresponds to the sensitivity of the user data it manages.
Indicator | Smart Lock | Final Results
If a product supports user accounts, it has an authentication system for accessing those accounts.
  • The app requires the creation of an account on their system, and the creation of a password before allowing any further action.
✔️
If a product is packaged with an account with default credentials, those credentials are unique to the instance of the product.
  • The app does not have default credentials; instead, you are forced to create new credentials in order to do anything.
✔️
If a product has an authentication system, the user must authenticate each time they want to use the product.
  • The app does not make you reauthenticate after restarts or reboots of the device.
If a product has an authentication system, it requires at least two pieces of information to authenticate users.
  • The app requires an email address, password, and SMS number. It sends verification codes to the email address, as well as via SMS.
✔️
For products that handle sufficiently sensitive data, users can choose to use multi-factor authentication.
  • The app handles potentially sensitive data, such as location information, and has far-reaching permissions. There does not appear to be an option to allow multi-factor authentication within the app.
For products that handle sufficiently sensitive data, users can choose to use multi-factor authentication whenever the product is activated, or when a device is unrecognized.
  • There does not appear to be an option to allow regular multi-factor authentication within the app.
If the product uses a password/passphrase for authentication, it requires that passwords are at least 8 characters long.
  • The app requires the password to be at least 8 characters.
✔️
If the product uses a password/passphrase for authentication, the password/passphrase may be at least 20 characters long.
  • The app did not enforce an upper limit on any of the tested passphrases.
✔️
If the product uses a password/passphrase for authentication, it requires that passwords are reasonably complex.
  • The app requires passwords to be 8 characters long, and requires one each of an upper-case letter, a lower-case letter, a number, and a special character.
✔️
If the product uses a password/passphrase for authentication, it allows all reasonable characters as input.
  • The app allowed all special characters that were attempted.
✔️
If the product uses a password/passphrase for authentication, it is compatible with popular password managers.
  • On the login screen, the app allowed the copy/paste function from a password manager to input username and password.
✔️
Criteria: A product that has an authentication system resists attempts to break it.
Indicator | Smart Lock | Final Results
The product allows users to be notified via an out-of-band medium when account security settings are changed.
  • The app does not allow for or send out-of-band notifications, such as by email or text message, whenever a user changes a security setting.
To change a password/passphrase/pin, a user must enter the previous password/passphrase/pin, or have access to a secondary system that is used to reset it.
  • Logged in: When you are already signed into the app, it does not require entering the old password or confirmation via a secondary system to change a password.
  • Not logged in: When you are not logged in and click “forgot my password,” the app requires a mobile number or an email address.

✔️
The product notifies users when account security settings have changed.
  • The app does not notify users when account security settings have changed.
If the product has an authentication system, it also has a system to prevent brute-force/dictionary attacks.
  • The app does not seem to limit the number of login attempts in any way.
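
One way to meet the brute-force indicator above, as an added example that is not part of the original evaluation or the vendor's code: a per-account limiter that locks out for exponentially longer periods after repeated failed logins. The names `LoginThrottle` and `attempt_login`, the threshold and delay values, and the `verify` callback are assumptions.

```python
import time
from dataclasses import dataclass


@dataclass
class _State:
    failures: int = 0          # consecutive failed attempts
    locked_until: float = 0.0  # clock value at which the lockout ends


class LoginThrottle:
    """Per-account failed-login limiter with exponentially growing lockouts."""

    def __init__(self, threshold=5, base_delay=30.0, max_delay=3600.0,
                 clock=time.monotonic):
        self.threshold = threshold    # failures tolerated before the first lockout
        self.base_delay = base_delay  # first lockout, in seconds
        self.max_delay = max_delay    # cap so the delay cannot grow without bound
        self.clock = clock            # injectable so the logic can be tested
        self._accounts = {}

    def retry_after(self, account):
        """Seconds the caller must wait before another attempt (0 = allowed)."""
        st = self._accounts.get(account)
        return 0.0 if st is None else max(0.0, st.locked_until - self.clock())

    def record(self, account, success):
        """Record an attempt outcome; return the lockout (seconds) now in force."""
        if success:
            self._accounts.pop(account, None)  # success clears the failure history
            return 0.0
        st = self._accounts.setdefault(account, _State())
        st.failures += 1
        over = st.failures - self.threshold
        if over < 0:
            return 0.0
        delay = min(self.max_delay, self.base_delay * 2 ** over)
        st.locked_until = self.clock() + delay
        return delay


def attempt_login(throttle, account, password, verify):
    """Gate the caller-supplied credential check `verify` behind the throttle."""
    wait = throttle.retry_after(account)
    if wait > 0:
        return ("locked", wait)  # the password is not evaluated while locked
    ok = verify(account, password)
    lock = throttle.record(account, ok)
    return ("ok", 0.0) if ok else ("denied", lock)
```

Because the lockout is keyed on the account, repeated failures from anywhere delay the legitimate user as well, so a deployment would normally pair it with per-source limits and a notification to the account owner.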