
Pw reset without authentication - should 2FA work like this?



I just activated 2FA with an Authenticator app. The flow was not very straightforward - I can't reproduce it exactly, but there was at least one loop in it because the email arrived on mobile while I was doing my changes on desktop. But in the end, after two tries, I had it activated. I then decided to change my password, as it was old.

Two strange things happened:

- I had to enter my old password, then my new password, twice, then press Next. Then I had to reconfirm the change, again, using the old password.
For anyone who uses a password manager that you can have update immediately (something you want!), this is pretty terrible, because the old password has then been, you guessed it, overwritten. I also can't remember in a password changing flow having to reconfirm with the old password after the password has changed. Does this seem strange to anyone else?

So, I lost my brand new password because of this.

- I then requested a password reset. I got a reset option sent by mail. When I used it, on desktop, I fully expected to be asked to Authenticate. I just activated 2FA, after all.

I wasn't asked to authenticate a password change at all. I tried again on mobile - same deal, no authentication asked. The only explanation I can think of is that authentication lasts an x amount of time, and I'd turned it on only 30 minutes before that, but I'm not sure this should be a thing.

I would expect any and all password changes, especially, to need authentication. Is there an idea behind this?

Thanks.

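To make the gap described in the post concrete, here is an added example that is not part of this thread and not Evernote's code. It puts the weak flow (an emailed reset link alone replaces the password) next to a hardened one that, when the account has an authenticator enrolled, also demands a current TOTP code before the link is honoured, keeps the link single-use and time-limited, and burns the link after a few wrong codes so the six-digit code cannot be brute-forced against a valid link. It assumes an RFC 6238 TOTP authenticator and an in-memory token store; names such as ResetService, complete_reset_unsafe and the sample account are hypothetical.

```python
"""Password reset gated on an enrolled second factor (added illustration)."""
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass, field
from typing import Optional


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step that contains `now`."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the 16-byte salt is stored in front of the hash."""
    salt = salt or secrets.token_bytes(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def check_password(stored: bytes, password: str) -> bool:
    return hmac.compare_digest(stored, hash_password(password, stored[:16]))


@dataclass
class Account:
    username: str
    password_hash: bytes
    totp_secret: Optional[bytes] = None  # None means no authenticator is enrolled


@dataclass
class ResetService:
    accounts: dict
    ttl: int = 900              # lifetime of the emailed link, in seconds
    max_otp_attempts: int = 3   # wrong codes tolerated before the link is burned
    tokens: dict = field(default_factory=dict)  # sha256(token) -> state

    @staticmethod
    def _key(token: str) -> bytes:
        # Only a hash of the token is kept server-side, so a leaked table is useless.
        return hashlib.sha256(token.encode()).digest()

    def request_reset(self, username: str, now: int) -> str:
        token = secrets.token_urlsafe(32)
        self.tokens[self._key(token)] = {"user": username, "expiry": now + self.ttl, "otp_failures": 0}
        return token  # the raw token leaves the server only inside the e-mail link

    def _lookup(self, token: str, now: int):
        entry = self.tokens.get(self._key(token))
        if entry is None:
            return None, "bad_token"
        if now > entry["expiry"]:
            del self.tokens[self._key(token)]
            return None, "expired"
        return entry, None

    def complete_reset_unsafe(self, token: str, new_password: str, now: int) -> str:
        """The behaviour the post describes: possession of the link is enough."""
        entry, err = self._lookup(token, now)
        if err:
            return err
        del self.tokens[self._key(token)]
        self.accounts[entry["user"]].password_hash = hash_password(new_password)
        return "ok"

    def complete_reset(self, token: str, new_password: str, now: int, otp: Optional[str] = None) -> str:
        """Hardened: an enrolled authenticator must also produce a current code."""
        entry, err = self._lookup(token, now)
        if err:
            return err
        account = self.accounts[entry["user"]]
        if account.totp_secret is not None:
            if otp is None:
                return "otp_required"  # link stays valid; the user is prompted for a code
            # Accept the adjacent time steps to tolerate small clock drift.
            valid = [totp(account.totp_secret, now + d) for d in (-30, 0, 30)]
            if not any(hmac.compare_digest(otp.encode(), v.encode()) for v in valid):
                entry["otp_failures"] += 1
                if entry["otp_failures"] >= self.max_otp_attempts:
                    del self.tokens[self._key(token)]  # stop brute force against this link
                    return "too_many_attempts"
                return "bad_otp"
        del self.tokens[self._key(token)]  # single use
        account.password_hash = hash_password(new_password)
        return "ok"
```

With this split, the reset link proves control of the mailbox and the TOTP code proves possession of the enrolled device; only both together replace the password. A service that honours the link alone has, in effect, let the mailbox override the second factor, which is the situation the post describes.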
34 minutes ago, MiriamP said:

Is there an idea behind this?

Hi. I doubt it - it looks like you just managed to find a gap somewhere between being logged in with an old password and authenticated in a couple of different ways, where the system thinks you're in the middle of changing the password and just let it go. As long as you do have 2FA active and a unique password used only in Evernote, you should be as safe as it is possible to be. We're a user-supported forum though, so with all matters connected to security - contact Support if you want a specific answer.


Good password managers hold a password history. I am using 1Password, and it keeps track of all former passwords. If I need to, I can recall them from the app's memory.

About the rest of your description I really can't follow it through. I think something got mixed up while trying.

