Improve defense against "SIM swap" attacks

Paul A.


I noticed that it doesn't seem possible to remove the primary phone number while two-step verification is enabled. Unfortunately, that weakens the security of two-step verification, even when using an authenticator app.

This Wired article provides a great overview of the weakness of SMS-based two-step verification and its vulnerability to "SIM swap" type attacks:


I'd love to see the ability to remove phone numbers as an override for authenticator-based two-step verification. I'd also love to see Evernote adopt the U2F protocol for improved two-factor security:

Agreed. Evernote, please remove the mandatory phone number for 2FA.

As for U2F: modern password managers also generate 2FA (TOTP) codes. They also offer cloud syncing, making you independent of devices.

Funnily, there is an inconsistency in their policy. You need premium for SMS 2FA; with basic you still need SMS for setup. BUT: during login you can select "help with 2FA", and there you can send a verification SMS, even with a basic account!

