✔️ Pass ⚠️ Partial Pass ❌ Fail

― Criteria: A product has an authentication system that corresponds to the sensitivity of the user data it manages. ―

| Indicator | Smart Lock | Final Results |
|---|---|---|
| If a product supports user accounts, it has an authentication system for accessing those accounts. | | ✔️ |
| If a product is packaged with an account with default credentials, those credentials are unique to the instance of the product. | | ✔️ |
| If a product has an authentication system, the user must authenticate each time they want to use the product. | | ❌ |
| If a product has an authentication system, it requires at least two pieces of information to authenticate users. | | ✔️ |
| For products that handle sufficiently sensitive data, users can choose to use multi-factor authentication. | | ❌ |
| For products that handle sufficiently sensitive data, users can choose to use multi-factor authentication whenever the product is activated, or when a device is unrecognized. | | ❌ |
| If the product uses a password/passphrase for authentication, it requires that passwords are at least 8 characters long. | | ✔️ |
| If the product uses a password/passphrase for authentication, the password/passphrase may be at least 20 characters long. | | ✔️ |
| If the product uses a password/passphrase for authentication, it requires that passwords are reasonably complex. | | ✔️ |
| If the product uses a password/passphrase for authentication, it allows all reasonable characters as input. | | ✔️ |
| If the product uses a password/passphrase for authentication, it is compatible with popular password managers. | | ✔️ |

― Criteria: A product that has an authentication system resists attempts to break it. ―

| Indicator | Smart Lock | Final Results |
|---|---|---|
| The product allows users to be notified via an out-of-band medium when account security settings are changed. | | ❌ |
| To change a password/passphrase/pin, a user must enter the previous password/passphrase/pin, or have access to a secondary system that is used to reset it. | | ❌ ✔️ |
| The product notifies users when account security settings have changed. | | ❌ |
| If the product has an authentication system, it also has a system to prevent brute-force/dictionary attacks. | | ❌ |