We are removing SMS as a two factor authentication method

[Federico Simionato 1,031]

Lately we've disabled new activations of 2FA through SMS.

During the next few weeks we will remove SMS as a 2FA method for all users, and we will start asking those who have set up 2FA with SMS to move to a system like Google Authenticator, Authy, 1Password or similar. (EDIT: yes, you can choose any of these methods, just select "Google Authenticator" in the flow)

This will significantly improve security for Evernote AND users (in short, SMS are a bad way to do 2FA).
 

• Updated Help & Learning article: https://help.evernote.com/hc/en-us/articles/208314238-Set-up-two-step-verification
• Email preview with more information:

[paddycook 3]

Why is Google Authenticator the only other choice in the App? What about Microsoft etc.

 

[bioadam 5]

Google Authenticator is a no-go for my work devices. If Evernote cannot support Microsoft Authenticator, then it needs to pause remove of SMS for 2fa. Otherwise I would have to migrate to a different solution. (The price increase is already an issue.)

[WilliamL 658]

This is inconvenient, I use sms partly because authenticator apps - especially google cannot fathom the fact people get new phones and locks me out of it. I use Microsoft authenticator for some things and I don’t see that listed. I’ll need to back up my data now! Don’t want to risk getting locked out of it. 

[WilliamL 658]

I tried google - it’s not working. Follow the instructions, enter the code on Evernote - says not the expected code. Tried several times same result. These hurdles just to use the service as normal are not ok, I don’t know why google won’t work but now I’m faced with a simple option - remove the additional security layer and expose my account or risk getting locked out. Sigh. 

[agsteele 2,978]

You can use any Authentication app that supports TOTP. Authy is good or Microsoft Authenticator. There are many more options.

Your choice. 

Just choose the Google option in the setup but use the app of your preference.

[mpiet 0]

I am using 1password for 2fa. Login works well with 1password and 2fa on the browser version of Evernote.

But 2fa does NOT work with the 1password one-time code on my Android app! I keep getting "wrong code" messages.

After logging in on the Android app with (user) and (password), the screen explicitly asks for the code from the "Google Authenticator app" (exact wording). This is quite confusing.

What's wrong here?
How can I log into my Evernote app on Android now, after I was forced to use 2fa?
I want to continue using 1password as my password manager of choice, and you explicitly stated this should be working.

Thanks for your help in advance.

UPDATE: for some reason, it now worked, approx. 5 hours after activating the 2fa.

 

Evernote Android v. 10.52.2 - German language version, above error messages are rough translations.

Edited August 4, 2023 by mpiet
issue resolved itself after some time

[WilliamL 658]

1 hour ago, agsteele said:

You can use any Authentication app that supports TOTP. Authy is good or Microsoft Authenticator. There are many more options.

Your choice. 

Just choose the Google option in the setup but use the app of your preference.

I’ve tried both google and Microsoft - in both cases it doesn’t work. 

I follow the instructions, put in my email and the code Evernote gives me, the authenticator then gives me a code - I paste that into Evernote to confirm and get an error that it’s not the expected code. 

This is beyond frustrating, this is meant to be an app that helps me, at the moment I’m wasting time jumping through needless hoops with yet another part of the infrastructure that doesn’t seem to be working.  

[agsteele 2,978]

I can only say that it works for me.

Otherwise open a ticket and come back in a few days when, perhaps the issue is resolved and you have time to try again. 

You might try to disable 2FA before trying it again.

[CHQ 7]

18 hours ago, WilliamL said:

especially google cannot fathom the fact people get new phones and locks me out of it.

Thanks all for sharing your knowledge here! Read that Authy might be a good alternate option to Google Authenticator. I have not tried both. For those who did, does it do what Google Authenticator does (not recognize that you have a new phone?)

[agsteele 2,978]

All the Auth apps need to refresh with a new phone. The unique ID friends on the unique phone identity. Change phones and you get a different code.

Maybe Authy does some clever stuff between devices but I somehow doubt it.

[7529748@gmail.com 3]

I've been using Microsoft Authenticator for a couple of years now. Even moved it across several new phones. The Evernote authentication works fine for me. No issues.

[WilliamL 658]

Got it working! For some reason doing it on the iPhone isn’t working - the code it asks me to paste into the Authenticator etc, I do that and it gives me an error when trying to enter the numbers to confirm at the Evernote side. Using my iPad it generated a qr code to be scanned by the Authenticator - that worked fine and seems to be working as expected. Not sure if there is an issue with the codes being generated on iPhones to enable authentication but the qr code worked. What a pain! 

[JoshYoung 6]

Pretty sure this has to do with the move to France, and has nothing to do with security, but nice that they have an excuse? All of the big players still use SMS. I can login to my company's Microsoft SSO using SMS and take down the entire DB, there's no way this is "for security."

[PinkElephant 8,284]

I switched to 2FA on the Mac, and it generated a QR-Code. I used the MS Authenticator on my iPhone to scan it, and it created a valid 6 digit OT-code right away.

[WilliamL 658]

19 minutes ago, PinkElephant said:

I switched to 2FA on the Mac, and it generated a QR-Code. I used the MS Authenticator on my iPhone to scan it, and it created a valid 6 digit OT-code right away.

Try it through the iPhone, that’s what I used and was having the problem with. Evernote app, extra settings, into security and doing it there. In there it doesn’t generate a qr code but a code of numbers and letters to be pasted into the authentication app, using that process didn’t work, when I tried with the iPad, which did generate the qr code it worked first time. 

[agsteele 2,978]

That sounds to me like the phone wasn't displaying the image of the QR code.

Good that it is resolved via the iPad.

[ATHiker95 1]

On 8/4/2023 at 11:43 AM, agsteele said:

You can use any Authentication app that supports TOTP. Authy is good or Microsoft Authenticator. There are many more options.

Your choice. 

Just choose the Google option in the setup but use the app of your preference.

i went in on my iMac and set up google authenticator (because it didn't give me the choice of 1Password).  So I can log in with the Google Authenticator but when I try to log in with the two factor code that 1Password generates it, it won't accept it.  I got the impression from your post that it should have worked?

Thanks!

[Boot17 1,490]

I wonder why BS decided now at this time to remove SMS as 2FA. Sure, it isn’t as secure as Authenticator apps, buts it’s still better than nothing. And since they are already reeling from bugs and support issues already and we can see this is going to drastically increase support requests. I wonder how it will play out. 

[agsteele 2,978]

I believe that there have been some attempts to compromise some accounts. No doubt the SMS method has additional expense sending the SMS.

[PinkElephant 8,284]

Anybody having a problem should report it to support, including the steps taken to setup the authenticator.

The usual method is to run the setup on one device, and use another (preferably a phone or tablet) to scan the QR-Code.

The choice of authenticator app doesn’t play a role, as long as it created standard one time cipher codes. There are authenticators designed to work cross devices.

[Boot17 1,490]

7 hours ago, agsteele said:

No doubt the SMS method has additional expense sending the SMS.

Thanks - This also triggered my brain with something I heard recently with regards to changes in the 10DLC space. One of the deadlines for change is Aug 31st — at least for USA customers/recipients. (https://support.twilio.com/hc/en-us/articles/14910496447771-Shutdown-of-Unregistered-10DLC-Messaging-FAQ)

Perhaps external factors such as this are related and this was something they wanted to do long term anyway and might as well just do it now since there is more prevalence of authenticator apps.

Seems like unfortunate timing in any case. 

[PinkElephant 8,284]

Wouldn‘t call this unfortunate at all. There had been some criticism here in the forum that Free users were forced to use SMS codes by default. Any 2FA is better than none, but SMS is less secure than by Authenticator.

Just one example: A SMS code is valid several minutes. The code produced by an app is valid only 30 seconds, plus 30 seconds after it expired. For Phishing it is much harder to work within the 1 minute time frame, than in the longer frame provided by SMS.

The field is now even between different plans.

[Boot17 1,490]

Never said dropping it was unfortunate. I said the timing of it was. 

[PinkElephant 8,284]

Don’t see why now is worse than tomorrow.

If it should be dropped (I think it should), the sooner the better

[Boot17 1,490]

14 hours ago, PinkElephant said:

Don’t see why now is worse than tomorrow.

If it should be dropped (I think it should), the sooner the better

Allow me to present you with Exhibit A:

On 8/5/2023 at 10:48 PM, Boot17 said:

... And since they are already reeling from bugs and support issues already and we can see this is going to drastically increase support requests...

And here we have Exhibit B:

😉

[PinkElephant 8,284]

The login method doesn’t have much to do with the apps code. It’s a completely different field, including authentication, token and certificate management and the like.

Beside this, it seems they are working down the list of cost cutting items. One item is probably the cost incurred by sending SMS. So easy solution: There is an alternative already in place (!), to which we could switch over. No additional cost, maybe a bit of scaling it up.

Sounds like a no brainer to me. That it seems they found a bug buried there since 2013 is coincidental.

I wonder when we will see passkeys implemented. This would calm down the occasional FIDO requests as well.

[Paul A. 650]

On 8/5/2023 at 9:48 PM, Boot17 said:

I wonder why BS decided now at this time to remove SMS as 2FA. Sure, it isn’t as secure as Authenticator apps, buts it’s still better than nothing.

Cost cutting.

On 8/4/2023 at 8:15 AM, WilliamL said:

This is inconvenient, I use sms partly because authenticator apps - especially google cannot fathom the fact people get new phones and locks me out of it. I use Microsoft authenticator for some things and I don’t see that listed. I’ll need to back up my data now! Don’t want to risk getting locked out of it. 

Newer versions of Google Auth support syncing codes to your Google account, so that they will be transferred to new phones. It's slightly less secure, but also less likely that you'll be locked out of your account. See below:

https://support.google.com/accounts/answer/1066447?hl=en&co=GENIE.Platform%3DAndroid#:~:text=Keep your Google,your Google Account.

 

[Graham Tappenden 5]

So while Twitter/X only removes 2FA by SMS for non-paying users, Evernote removes it AND puts the price up anyway?  Perhaps they could at least fix the passcode bug on Android first?

[Jon/t 1,378]

10 minutes ago, Graham Tappenden said:

So while Twitter/X only removes 2FA by SMS for non-paying users, Evernote removes it AND puts the price up anyway?  Perhaps they could at least fix the passcode bug on Android first?

Passcode is fixed. There's an update working its way through Google Play.

You'll be finding a lot of other companies retiring 2FA via SMS soon as its not as secure as folks thought, new laws in some US states about SMS gateways to reduce fraud and it costs.

[Scoggs 0]

All good re the 2FA. But why on earth do they still offer Text Messages as an option when you go into the settings? Crazy. Aggressive emails sent to ask me to change from SMS, then I still see that option when I visit the page. 

[gboyd 16]

In this day and age everyone should be using 2fa, I have everything turned on and use MS, nothing wrong with the Google version.I just have everything in the MS eco system (except EN).

Not a fan of SMS for 2fa either.

[PinkElephant 8,284]

The option is still there, because it is not disabled yet. EN is asking users to make the switch, but can’t simply disable SMS because it might lock out people from their accounts.

[Elshad 22]

JoshYoung, they moved to Italy not France, so probably not the reason for the change 😀

[PinkElephant 8,284]

… and security offered by Microsoft is sort of a non-argument lately 😳

https://arstechnica.com/security/2023/08/how-an-unpatched-microsoft-exchange-0-day-likely-caused-one-of-the-uks-biggest-hacks-ever/

https://arstechnica.com/security/2023/08/microsoft-cloud-security-blasted-for-its-culture-of-toxic-obfuscation/

[MarcUsaurelius 0]

Evernote has placed a banner at the top of my (Evernote) home screen page advising of the discontinuation of SMS 2FA, however, no such warning or advisory appears on my account security settings page where options like 2FA are chosen or declined. This seems like a rather glaring oversight, and for many (including myself), this omission will lend the impression that the discontinuation of SMS 2FA is not genuine or at least not imminent, and therefore, need not be acted upon by the account holder. Also, Evernote staffer F. Simionato indicates that the popular 1Password app can be used, however, as a 1Password app user myself, I'm unaware of that app having 2FA code generator capability (being a password manager app, of course, the 1Password app can generate random passwords, but I've not seen a 2FA code generator facility in 1Password app. I'd like to use that, but how? Please explain, in detail.

 

Also, EN expert user "Agsteele" advises (above) that any  TOTP-compliant authenticator app will work fine for 2FA with EN, and to simply "choose the Google option" when reconfiguring your 2FA options in your EN account settings security page in order to use any TOTP-compliant 2FA authenticator app. If this is accurate and true, then EN really should post a clearly worded advisory on the EN user's account settings/security settings page, explaining that choosing "Google" is actually "an umbrella option," allowing them to use any TOTP-compliant authenticator app. Better still, why can't EN simply state outright on the user's security setting page that "any TOTP-compliant 3rd party authenticator app (Google; Microsoft; 1Password; etc.) can be used by choosing the appropriate option in security settings>2FA," if, in fact, that is the case? Pretty simple to communicate, really, yet EN is fumbling this one.

 

Please comment and clarify, thanks! M.U.

[Federico Simionato 1,031]

@MarcUsaurelius read here: https://support.1password.com/one-time-passwords/

Although I don't suggest generating 2FA codes in the same service that stores your passwords, it defeats the purpose of "2 factor" authentication.

[PinkElephant 8,284]

I absolutely want to second the warning here: Don’t use your password manager to serve the 2nd factor on top of the password.

It means putting all eggs into the same basket. Unfortunately there have been breaches of some password managers in the recent time. This is another reminder that only a true separation of the key holding / generation adds to the security.

Personally I use Authy as my 2FA-authenticator. It is independent, easily installed cross devices and proved very reliable. But of course if you already use any other app, you can simply add EN to the list. It will work with any standard one time cipher code generator.

[Upbeat 0]

what happen if you don't have recovery code and phone is lost? is the account still recoverable through customer service?

[grujicd 0]

On 8/19/2023 at 11:32 AM, Upbeat said:

what happen if you don't have recovery code and phone is lost? is the account still recoverable through customer service?

This is my main concern. At least with SMS, if phone is lost or stolen, mobile provider will issue a new SIM card after checking my ID. They act as a main validator of my identity. Where I live (Serbia) spoofing SIM card or SMS or taking over phone number are unheard of. It remains a theoretical risk, but not a practical one. While loosing access to phone for one reason or another is something that happened to everyone in my network. It doesn't have to be theft, there's always a risk of hardware failure. 

Authorization connected to a single device seems like a single point of failure and thus very risky. I'll have to investigate connecting Google Authenticator to Google account. To be honest, even Google account seems more risky if google decides to block it for any reason. 

[ENnut 51]

I use Google Authenticator which offers a solution to this issue. Follow the link below, and see the section "Transfer your Google Authenticator codes."

https://support.google.com/accounts/answer/1066447

[Jon/t 1,378]

On 8/19/2023 at 10:32 AM, Upbeat said:

what happen if you don't have recovery code and phone is lost? is the account still recoverable through customer service?

Not sure but you could always store them on a different device or even print them out and stick them in a drawer.

I've got mine stored in my password keeper.

[PinkElephant 8,284]

Any of you concerned about a one device risk could start using an app that supports multiple devices. Authy does, just for example.

You can have identical codes generated on phones, tablets, PCs and even smart watches. The printed backup codes are still there, but it is very unlikely you will need them ever.

[James Shaw 0]

The email and help page are ambiguous though - can we still disable 2FA?  Or will 2FA with an Auth app be mandated?  

Because forcing people to move to auth apps may make their access less secure if they choose to disable 2FA..

[agsteele 2,978]

You can, as now, choose not to use 2FA. But if you use it you will in due course need to switch to an app authenticator rather than SMS.

If you are switching to an app authenticator first disable the SMS version and then enable via app.

There are many apps to choose from.  Google is the one named in the registration but you can use any of the others. Authy seems partiularly useful since it can be installed on multiple devices.

[Northwesternalum 1]

I'm sorry but Evernote you need to do a better job of helping your customers (long-term customer in my case) make this transition. I followed your instructions and got stuck. I downloaded the app. I got to a screen that asks for me to add some  codes. My only option is to to scan a QR code (I got a list of codes) how do I scan them? Or I have the option of entering a setup key. Your support document addresses none of this. Please help. My life's work is on Evernote. 

 

[PinkElephant 8,284]

Did you follow this help article ?

https://help.evernote.com/hc/en-us/articles/208314238

I just set it up today for a Free account I use temporarily for a project. Took me 5 minutes, worked without any problems.

[Northwesternalum 1]

4 minutes ago, PinkElephant said:

Did you follow this help article ?

https://help.evernote.com/hc/en-us/articles/208314238

I just set it up today for a Free account I use temporarily for a project. Took me 5 minutes, worked without any problems.

Yes I did. 

[RonMarlowe 0]

Will this be compatible with Evernote Legacy?

[Boot17 1,490]

12 minutes ago, Northwesternalum said:

My only option is to to scan a QR code (I got a list of codes) how do I scan them?

Have you used an Authenticator app before?

[Northwesternalum 1]

Thank you. Yes, I followed the instructions and set up my preferred app. In this case, downloaded the Google Authenticator on my iphone. That's where I got stuck when trying to set it up from there. In the meantime, I went to my Google account on my desktop to set up Authenticator there. It looks like I was successful but how do I know it will work with evernote when signing in?  

[Boot17 1,490]

4 minutes ago, Northwesternalum said:

It looks like I was successful but how do I know it will work with evernote when signing in? 

What part looks successful? The installation of Google Authenticator on your phone?

You'll know that it will work when you actually 2FA sign in with it.

But have you used one before for 2FA or is this the first time you are using Google Authenticator for 2FA?

If you've used one before -- you set it up the exact same way as you do for any other service. This isn't specific to Evernote.

If this is the first time -- then I recommend watching the first couple of minutes of this video: https://www.youtube.com/watch?v=h000FgWyKJA. That might help. You can also web search other videos -- just search "how to use authenticator apps" or "how to use Google Authenticator".

 

[agsteele 2,978]

With the 2FA QR code for Evernote displaying on a desktop, open the authenticator app. For the Google Authenticator tap the large + button to add the Evernote account. Process from there providing the code as required.

[VincentC 278]

Northwesternalum,

You Tube is your friend.  There are lots of you tube videos that will walk you through setting up Google Authenticator.  As Boot17 mentions, the process is not specific to Evernote, so just watch a few videos  and I think it will become much clearer. 

 

Good luck,

Vinnie

[PinkElephant 8,284]

Personally I don’t use the Google Authenticator. I use Authy, feels better.

I simply open the app, hit the + and follow the instructions on the screen.

[Slim Diggity 0]

I have a different account that I can’t get into because I changed my phone number. Great job, Evernote. With 2 step verification being abolished, does that mean I’ll be able to log into my old account without providing a phone number? Because my password is still correct.

[ZWR3 6]

My question is, once you have installed and use Google Authenticator, how does Evernote allow for a backup phone or other means to access the code sent? I had my wife's phone listed in preferences before, so that if I lost my phone or needed to send the code to another device, this served as backup. How does one still do this in the authenticator app world. The scenario I'm trying to plan for is I go over a cliff with my phone on my bike and my wife, who has access to my password vault app, can't sign in to Evernote without the authenticator app code on my now-destroyed phone. Thanks for any help someone can be.

[Dave Green 214]

From the support pages:

• WHAT IF I DON'T HAVE ACCESS TO MY PHONE?

  If you do not have access to your phone, you may use a backup code to log in to your Evernote account. Backup codes allow you to access your account whenever you are unable to provide a verification code, which may happen if you lose your mobile phone. If you are unable to provide a verification code and you do not have a backup code, you will be unable to sign in to your Evernote account.

  ---------------------- end of the content from support page -----------------------

  Another alternative:

  You can use 1Password Family (or comparable product) that allows the TOS 2Factor code to be generated within 1Password.  If you place the account in a vault shared with your wife, she will have access to the same code generation (as will you on other devices that you have 1Password installed).  It reduces security a bit since now 1Password and your password are in the same place.  

   

[PinkElephant 8,284]

There are several Authenticator that can be installed on several platforms.

I use Authy, works on all sort of platforms, including the Apple Watch.

The hint about 1 Password is technically ok. But it means to put all eggs into the same basket.

[Dave Green 214]

9 minutes ago, PinkElephant said:

The hint about 1 Password is technically ok. But it means to put all eggs into the same basket.

I did include that disclaimer.

[Dave Green 214]

Also at a reduction of security, you can initialize multiple devices against the same QR Code before you submit the first code back to Evernote.

[ehrt74 240]

This is quite a long thread and I may have overlooked something. Just wanted to add that SMS is not secure. It does not support end-to-end encryption but generally uses whatever the network provider thought was a good idea back in 1998. RCS is a lot better here, but apple refuses to support it.  So basically we're stuck at this stage with #SOME_ADDITIONAL_APP.

I personally use 1password because it seems not to have had a security beach (yeah, I know. This rock protects you from bear attacks). I can certainly see a strong case for moving to managing your own passwords and codes (for the tech savvy).

[PinkElephant 8,284]

About secure or not secure:

No 2FA is the least secure version - if a password is reused or weak, it is absolutely insecure 

2FA by SMS is better, but with an effort, it can be broken

2FA by time cipher code (authenticator) is OK, state of the art

What would be even better (but is currently not supported by EN) would be hardware keys like FIDO or Yubikey.

The latest development is Passkeys - since all big players move into that direction, I hope it will make it into EN soon.

[ZWR3 6]

Thanks all for the replies and feedback. I think I've got a plan now. And, Pink Elephant, I was being told about Passkeys just the other day when visiting with an Apple engineer. Interesting how more and more security and higher levels of it are being prompted by a parallel increase in hacking.

 

[Northwesternalum 1]

On 9/1/2023 at 12:49 PM, Boot17 said:

What part looks successful? The installation of Google Authenticator on your phone?

You'll know that it will work when you actually 2FA sign in with it.

But have you used one before for 2FA or is this the first time you are using Google Authenticator for 2FA?

If you've used one before -- you set it up the exact same way as you do for any other service. This isn't specific to Evernote.

If this is the first time -- then I recommend watching the first couple of minutes of this video: https://www.youtube.com/watch?v=h000FgWyKJA. That might help. You can also web search other videos -- just search "how to use authenticator apps" or "how to use Google Authenticator".

 

Thank you for this info. Yes, the Google Authenticator is installed on my phone. However, this will be the first time I will be using Google Authenticator for 2FA. I will watch the video as you suggested. 

[hahrach 1]

Hi,  I am an almost complete luddite and use evernote personally.  I don't have room on my phone to download another app and wonder what other options might be available to me and/or, what will happen if I don't do what is being asked...I have some really sweet memories included in evernote and don't want to lose this information.  Thanks.

[essie 0]

I followed the email instructions—got the Google Authenticator.  Got a code on my cell, to confirm that it’s working.  

My question:  WHY am I still getting repeated emails from the Evernote system, even after I took the above step?  I thought the Evernote system would recognize that I’d done this. 

[PinkElephant 8,284]

@hahrach Google Authenticator: 38MB, Microsoft Authenticator 186 MB, Authy 27 MB etc.

And you don’t have room for another app ? For Authy erase 7 pictures, for Goggle Authenticator 10, and you have the space. OK, Microsoft is a hard one, here a whole album with maybe 45 pictures has to go.

This is the only option for 2FA, and I do not suggest to skip this security step altogether. You can pick whatever app you want to use, as long as it generates standard one time cipher codes. Personally I use Authy, for ease of use and the ability to run it without any problem on several devices simultaneously.

[Boot17 1,490]

On 9/13/2023 at 3:08 PM, essie said:

I followed the email instructions—got the Google Authenticator.  Got a code on my cell, to confirm that it’s working.  

My question:  WHY am I still getting repeated emails from the Evernote system, even after I took the above step?  I thought the Evernote system would recognize that I’d done this

I can't answer the WHY for your case, but I can report that I did get an in-app notification to make the change and after I did, I didn't see any further in-app notifications nor did I get emails about it after.

[hahrach 1]

On 9/14/2023 at 2:14 PM, PinkElephant said:

@hahrach Google Authenticator: 38MB, Microsoft Authenticator 186 MB, Authy 27 MB etc.

And you don’t have room for another app ? For Authy erase 7 pictures, for Goggle Authenticator 10, and you have the space. OK, Microsoft is a hard one, here a whole album with maybe 45 pictures has to go.

This is the only option for 2FA, and I do not suggest to skip this security step altogether. You can pick whatever app you want to use, as long as it generates standard one time cipher codes. Personally I use Authy, for ease of use and the ability to run it without any problem on several devices simultaneously.

Thank you for taking the time to reply.  I have removed many more than the # of pics you suggest.  That didn't make enough space for google authenticator.  Are you speaking about Twilio Authy ?  Perhaps that will work.  Still wondering what exactly will happen if I am not able to do this?  There are many more sites that store my information and are not requiring more than 2FA, so I am still unclear as to why Evernote is choosing this direction, especially since they do not seem to be available to answer questions. 

[Boot17 1,490]

1 hour ago, hahrach said:

There are many more sites that store my information and are not requiring more than 2FA

This is just 2FA too.

1 hour ago, hahrach said:

so I am still unclear as to why Evernote is choosing this direction

(It's in the this thread above) Less hassle for them, less cost for them, and more secure for us (and them). While still better than nothing, SMS isn't as secure as an authenticator app.

I use Authy too (yes, owned by Twilio) for 14 different accounts and it works great.

[PinkElephant 8,284]

You don’t have 2FA if you don’t have 2FA. I am not aware of sites that allow to enter only by a code - usually you need a user/password or identifier, plus the second factor.

There is passkeys, but I sincerely doubt you already encounter it on a relevant number of sites.

The most secure method uses a hardware key - but since it is less comfortable, you only find it in places that need a very high security level. 2FA by an authenticator is currently the best combination of security and ease of use.

EN doesn’t need to explain why it replaces one method by another. They just elevated the Free users to the level of the subscribers, login-wise. That’s all you need to know.

The rest you can find at Google.

[Vladimir84 11]

On 04.08.2023 at 18:42, WilliamL said:

I tried google - it’s not working. Follow the instructions, enter the code on Evernote - says not the expected code. Tried several times same result. These hurdles just to use the service as normal are not ok, I don’t know why google won’t work but now I’m faced with a simple option - remove the additional security layer and expose my account or risk getting locked out. Sigh. 

Hello there! I have the same problem. Tried many times during last month, wasted in total more than an hour of my time, used Google Authenticator, Microsoft Authenticator and no one of these ways won't work - Evernote says me that I provide wrong codes! Excuse me, WTF? Evernote support, any solution for this issue? Please, don't answer me like "it works fine for me", etc., because it doesn't work at all!

[agsteele 2,978]

I switched one of my accounts just yesterday and it went really smoothly. So the issue you describe isn't universal.

I cancelled the SMS Auth first and then set up the app approach.

In the process you have to give codes from the Authenticator and the emergency codes. It is possible to mix these up and that would generate the error you describe.

Otherwise, you can open a support ticket.

[Vladimir84 11]

36 minutes ago, Vladimir84 said:

Hello there! I have the same problem. Tried many times during last month, wasted in total more than an hour of my time, used Google Authenticator, Microsoft Authenticator and no one of these ways won't work - Evernote says me that I provide wrong codes! Excuse me, WTF? Evernote support, any solution for this issue? Please, don't answer me like "it works fine for me", etc., because it doesn't work at all!

Seems that I've managed it by myself and the problem was on my side: time settings of my phone were not automatic, so there was the lagging by approx 30 seconds from real time. I suppose that this time difference just caused 6-digit codes to be expired. After switch this setting to auto, the problem solved. But this was absolutely not obvious. Hope this case will be helpful to someone.

[essie 0]

Thank you, Boot 17 for offering feedback.  

Sounds like there might be a system glitch, or I did something wrong.

A Staff member messaged me, so hopefully someone on the “Team” will find out why I keep getting reminder emails. 

[PinkElephant 8,284]

Any time offset on the device can cause 2FA to reject a time based cipher code.

On this case switching to another app won’t work, because the time stamp is off for all.

[hahrach 1]

On 9/20/2023 at 11:03 AM, PinkElephant said:

You don’t have 2FA if you don’t have 2FA. I am not aware of sites that allow to enter only by a code - usually you need a user/password or identifier, plus the second factor.

There is passkeys, but I sincerely doubt you already encounter it on a relevant number of sites.

The most secure method uses a hardware key - but since it is less comfortable, you only find it in places that need a very high security level. 2FA by an authenticator is currently the best combination of security and ease of use.

EN doesn’t need to explain why it replaces one method by another. They just elevated the Free users to the level of the subscribers, login-wise. That’s all you need to know.

The rest you can find at Google.

As I said, I don't know all the jargon all that well...I guess I should have clarified text 2fa?  I have not had to add another app in order to facilitate accessing any other sites, whether its 2fa or otherwise.  I don't know what a passkey is or a hardware key...as I would think would be pretty clear by my self describing as a luddite of sorts...I am aware that EN doesn't 'need' to explain why; however, they have offered to answer questions and/or provide help and do not have enough resources to do so in a timely manner, related to the impending deadline - they themselves have spoken to this.  I'm not sure if your tone is intended to be condescending, but it sure comes across that way in your deciding 'that's all I need to know'....that's not for you to decide.  No need to answer further, your take on this isn't helpful to me at the moment.

 

[hahrach 1]

On 9/20/2023 at 10:37 AM, Boot17 said:

This is just 2FA too.

(It's in the this thread above) Less hassle for them, less cost for them, and more secure for us (and them). While still better than nothing, SMS isn't as secure as an authenticator app.

I use Authy too (yes, owned by Twilio) for 14 different accounts and it works great.

Thank you so much for your response.  I guess I should have said texting 2fa...it's the addition of the extra step and downloading an app that is proving challenging for me.  I hadn't seen the details above as to it being less hassle, less cost for them as well as purportedly more secure, which I can't speak to as I don't actually understand it well enough and in the end, it doesn't actually matter as this is what they are going ahead with.  I will try Authy, thank you for confirming it was Twilio - that's super helpful.

[orenji 0]

I hate installing these apps on my phone... I can't help but feel annoyed that you're removing the SMS method Useless feedback? Maybe. I dont want to have to install an entirely different app I dont want on my phone so I can use Evernote.

[PinkElephant 8,284]

SMS code is the least secure of all 2FA methods. Better than no 2FA, but far inferior to app code or passkeys.

You should check if other apps you use are still on 2FA by SMS, and switch them over to the app as well.

Now you have it, you can make better use of it.

[JayceA 0]

I just received the red warning banner in my Evernote App to disable 2-factor SMS, so I did, but now cannot re-enable 2-factor with Google Authenticator (on iOS), I am also receiving the "wrong code than expected" message when trying to log in. 

[igoleye 0]

On 8/4/2023 at 8:56 PM, Federico Simionato said:

I receive this message. However when i tried to access my website with the sms verification, it does not work.  Either the sms is delayed or when it sent a message, it even has non text component -like ♖♗♘♙.  This is very frustrating to do given i have a professional account.  PLEASE HELP.

 

Lately we've disabled new activations of 2FA through SMS.

During the next few weeks we will remove SMS as a 2FA method for all users, and we will start asking those who have set up 2FA with SMS to move to a system like Google Authenticator, Authy, 1Password or similar. (EDIT: yes, you can choose any of these methods, just select "Google Authenticator" in the flow)

This will significantly improve security for Evernote AND users (in short, SMS are a bad way to do 2FA).
 

• Updated Help & Learning article: https://help.evernote.com/hc/en-us/articles/208314238-Set-up-two-step-verification
• Email preview with more information:

 

[PinkElephant 8,284]

https://help.evernote.com/hc/en-us/requests/new

 

That‘s support, we are just fellow users.

 

I am sure you don‘t have a valid code - it is a 6 digit, numbers only code. From SMS you need to get a fresh one (tried the first 6 digits yet ?), from the app it will refresh every 30 seconds. With the app the most common reason for problems is when the device on which the app is running looses sync with the global internet time network. Once it is several seconds off, the generated codes will not be valid, because they are calculated based on the universal world time.

[margigold 0]

Please can someone help me. I'm locked out of my Evernote Desktop account due to 2FA now no longer supporting SMS.

In July I enabled 2FA and it all worked ok with SMS. I did not enable Google Authenticator at that time or get keys. I am a basic (Personal) account user. I've been trawling the forums and read that SMS is no longer possible. I'm caught out. I've raised a ticket but reading other comments am not hopeful of a quick reply and my whole work is dependent on notes in Evernote going back 10 years.

I do still have it running and am logged in on my Ipad and Iphone. But am unable to adjust the security settings from there (I do not think?)

The reason I logged out in the first place was that my evernote was not syncing properly from my desktop to my Ipad and Iphone, so I logged out of my Desktop account with the plan to log back in again.

Big mistake.

Can anyone advise on how to get this working, any tricks  or how best to get support from Evernote. I never saw the mail about them phasing out SMS

So grateful for any help.

[Running evernote on MAC Ventura 13.4.1]

[Foo 4]

Please support Passkeys or physical keys (Yubikey) at a minimum. 2FA TOTP is old and clunky.

[PinkElephant 8,284]

You can wish for it. However Passkeys is just now rolling out, and is not yet really established. Physical hardware keys never found a wide distribution. Currently among all secure alternatives, OT codes are the options that is available for everyone. 

And that’s what counts.

The perspective is probably passkeys, when widely accepted.

You can send feedback or contact support.

[kolenkid 2]

So Evernote removed SMS as a 2FA method without any warning. I had to read it on this forum. And because they removed 2FA by SMS I cannot longer acces my Evernote account to setup 2FA with Google authenticator. How to solve this Evernote!?

[PinkElephant 8,284]

Anything you need to know is in this help article. 

https://help.evernote.com/hc/en-us/articles/208314238

[kolenkid 2]

No, its not, because the first thing I have to do is sign in to my account settings. And that's not possible because Evernote removed SMS as a 2FA method.

[PinkElephant 8,284]

You can search the help database without being signed in.

[kolenkid 2]

Yes, I can. But I cannot setup Google Authenicator without signing in to my account setttings. And to sign in, I need SMS as a 2FA method.

[PinkElephant 8,284]

Read the help article ? The link is embedded.

[Jon/t 1,378]

As far as I know If you've not changed from SMS 2FA then you'll be asked to reset your password when logging in next. 

[kolenkid 2]

I had a Google authenticator login years ago. But it was not possible to set it over to a new phone. Since then i used the option to send a code by SMS. I was never asked to reset my password and was never noticed that the sms option would be removed.

[kolenkid 2]

8 minutes ago, PinkElephant said:

Read the help article ? The link is embedded.

I already did that. But now I have to wait to get acces to my own account. I cannot understand how Evernote locks customers out, without any warning.

[PinkElephant 8,284]

Tried a password reset yet ?

https://help.evernote.com/hc/en-us/articles/208313998

[kolenkid 2]

Ok, that's a way to acces the accountsettings. And then it's possible to setup a new Google Authenticator login without using 2FA?

[kolenkid 2]

31 minutes ago, PinkElephant said:

Tried a password reset yet ?

https://help.evernote.com/hc/en-us/articles/208313998

I just tried, but to change your password you have to fill in a authentificationcode!

[PinkElephant 8,284]

Then it's support you need to contact.

If you have a login issue, try support as a guest, and select "Account" as ticket type.

https://help.evernote.com/hc/en-us/requests/new?ticket_form_id=254668&guest=true&guest=true