Yubico - Yubikey on Evernote (Two Factor Authentication)


Two Factor Authentication:

I don't know if there's a feature already that allows two-factor authentication on Evernote. I think it would be a great feature to integrate Yubico's Yubikey as a security feature for either account sign-on for new devices or notebooks with sensitive information. If you don't know what the Yubikey is, it's typically used as a security key (much like many employees get with corporate companies) for logging into popular applications. Many people invested in cryptocurrency typically use this hardware-based authentication product to secure their logins for hot and cold wallets.

I'll leave some information regarding the product and company below. I think it would make a great feature for Evernote, especially for companies and individuals with highly sensitive information on their Evernote accounts. 

Yubico:

https://www.yubico.com/

The company’s core invention, the YubiKey, is a small USB and NFC security key securing access to any number of IT systems and online services. To protect secrets on servers, we also created the YubiHSM, the world’s smallest hardware security module. For easy integration with any IT system, we offer developers open source servers, support and hosted validation services.

Yubikey

The Yubikey 5 series is their most popular product. It eliminates account takeovers by providing strong phishing defense using multi-protocol capabilities that can secure legacy and modern systems. The series provides a range of authentication choices including strong two-factor, multi-factor and passwordless authentication, and seamless touch-to-sign.

https://www.yubico.com/products/

Integration

https://www.yubico.com/support/download/

Yubico is open source, so it shouldn't be a problem integrating it into Evernote.

 

Let me know your thoughts on a hardware authentication tool or two-factor authentication in general for Evernote.

  • 2 weeks later...

It seems strange that you do not need to give up your phone number for a free or paid account, but you do have to give it up for MFA, unless you have a paid account. People should absolutely pay for platform features....but not features used to secure your platform and our data.

  • Level 5

Should - should not - …

Fact is there is 2FA (which is not available for every note taking app), and it is advisable to activate it.

Maybe EN will enable more one day. Currently it is by phone / message for Basic, plus by an authenticator (any, not only Google) for the paid accounts.

The reasoning for the phone number for BASIC accounts is that it provides EN with an indirect personal ID - which is not necessary for the subscribers.

  • 1 month later...
  • 1 month later...
  • Level 5*

This isn't a votable thread, so "+1" doesn't really help here - I'd suggest someone posts this suggestion in a Feature Request forum and puts a link to that new thread back here, so anyone who's interested can vote it up.

  • 8 months later...
  • 2 months later...

+10 for YubiKey, and especially for YubiKey Bio (FIDO2 / WebAuthn) because:

When logging into e.g. the web app, the user has to write a code from the 2FA authenticator app (when it's enabled). This method is slow and introduces human errors such as writing the wrong code, or missing the timing of the authenticator app code, since these codes change regularly.

I would love to have the option to be able to add hardware-based tokens such as a YubiKey Bio token, instead of having to use authenticator codes. By using a hardware token users will save a lot of time, get better login experience in addition to increasing their security.

YubiKey Bio series supports FIDO2/WebAuthn, U2F and one can read more on their home page about this.

To support FIDO2, fidoalliance.org writes the following:
"For developers with existing web pages or applications that are looking to implement FIDO2, there are two changes that you will have to make to your application:
1) modifying the login and registration pages of your website or mobile application to use the FIDO protocols; and
2) setup a FIDO server to authenticate any FIDO registration or authentication requests. Get a high-level overview of the steps to take for both of those changes here."

Best regards

  • Level 5

We will see what happens in the field of authentication. If the current initiative of Google and Apple works out (which depends on it being OKed by antitrust authorities), the time of dedicated hardware keys may be over before it ever really began.

This stuff is from my observation still pretty nerdy.

  • 2 months later...
  • Level 5

I doubt it will ever show on the backlog. These keys are for nerds, and they will never make it to the normal users.

The „big 4“ are currently working on an initiative to replace passwords and 2FA by something based on (probably) biometrics, saved in a Secure Enclave on device.

This will make it in the end.
