Improve defense against "sim swap" attacks


Paul A.

Idea

I noticed that it doesn't seem possible to remove the primary phone number while two-step verification is enabled. Unfortunately, that weakens the security of two-step verification, even when using an authenticator app.

This Wired article provides a great overview of the weakness of SMS-based two-step verification and its vulnerability to "sim swap" type attacks:

https://www.wired.com/2016/06/hey-stop-using-texts-two-factor-authentication/

I'd love to see the ability to remove phone numbers as an override for authenticator-based two-step verification. I'd also love to see Evernote adopt the U2F protocol for improved two-factor security:

https://www.yubico.com/solutions/fido-u2f/


5 replies to this idea


Agreed. Evernote, please remove the mandatory phone number for 2FA.

As for U2F. Modern password managers also generate 2FA (TOTP) codes. They also offer cloud syncing making you independent of devices.

Funnily, there is an inconsistency in their policy. You need premium for SMS 2FA. With basic you still need SMS for setup. BUT: during login you can select "help with 2FA" and there you can send a verification SMS, even with a basic account!
