
Account New login Notification insufficient and approach outdated


Solved by Dave-in-Decatur

Hi,

I recently got hacked, which is my own fault... but I think Evernote can be improved to help ensure this sort of thing doesn't happen in future.

I know about not reusing passwords, MFA and all the rest - security is an onion and all that.

The default tenet of good cyber security is a Zero trust approach - never trust, always verify!

To that end I wonder if it has been discussed on this forum before that the simple approach of changing to an always verify approach to new login clients will significantly improve overall security.

I had some important information in Evernote that I forgot to remove some years ago and this has caused a significant financial impact.

I received one email about one new login. I missed it amongst all the other email I receive.

I reviewed my access history - there were almost 2K logins all on the same day from hundreds of IPs in what I suspect is an attempt to overwhelm Evernote's so-called anomaly detection system.

If I had received 2K emails about new logins that might have sparked a reaction.

If however instead of allowing the access - the login required validation from the "hacker" through my email account which is very well protected - this would never have happened.

Most websites I use now use this methodology - verify by email on new client location/login using some code or random string.

I work in software - this is a pretty simple implementation with a vast improvement to the overall default security of accounts.

While the current approach to notify via email comes across as proactive, it doesn't actually do anything to protect users and the users need to react retroactively which is sometimes too late.

99.9% of the time you're going to be logging in to Evernote on a device which also has some access to email.

Switch it on by default, people can switch it off if they want and augment it with MFA for the additional layers but as Evernote have email addresses, this seems like an easy place to start and a default way to secure.

Or send me 2K emails instead of just one... they are cheap.

  • Like 1
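The "verify every unknown client by emailed code" flow the post describes, as an added example that is not Evernote's code or the poster's: a hypothetical server-side handler that holds the login until a fresh random code comes back, expires the code, bounds wrong guesses, and only then remembers the device. The e-mail sender is stood in for by an `outbox` list.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 600   # a code is valid for 10 minutes
MAX_ATTEMPTS = 5         # wrong guesses allowed before the code is invalidated

class NewLoginVerifier:
    """Hypothetical 'never trust, always verify' new-client check.

    known:   {user: {device_id, ...}}  clients that completed verification once
    pending: {(user, device_id): [code, expires_at, attempts_left]}
    outbox:  list of (user, code), standing in for the account e-mail sender
    """
    def __init__(self):
        self.known = {}
        self.pending = {}
        self.outbox = []

    def begin_login(self, user, device_id, now=None):
        """Called after the password check. Returns 'allowed' or 'verification_required'."""
        now = time.time() if now is None else now
        if device_id in self.known.get(user, set()):
            return "allowed"
        # Unknown client: nothing is granted yet. Issue a fresh random code and
        # hold the session until that code is presented back to us.
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[(user, device_id)] = [code, now + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        self.outbox.append((user, code))   # real system: mail to the account address
        return "verification_required"

    def verify(self, user, device_id, submitted, now=None):
        """True, and the device becomes trusted, only for a correct unexpired code."""
        now = time.time() if now is None else now
        key = (user, device_id)
        entry = self.pending.get(key)
        if entry is None:
            return False
        code, expires_at, attempts_left = entry
        if now > expires_at or attempts_left <= 0:
            del self.pending[key]          # expired or exhausted: caller must restart
            return False
        if not hmac.compare_digest(code.encode(), str(submitted).encode()):
            entry[2] -= 1                  # 10^6 code space, 5 tries: guessing is futile
            return False
        del self.pending[key]
        self.known.setdefault(user, set()).add(device_id)
        return True
```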
  • Level 5*
On 9/10/2023 at 10:10 AM, GC2023 said:

To that end I wonder if it has been discussed on this forum before that the simple approach of changing to an always verify approach to new login clients will significantly improve overall security.

Hi. Evernote will be aware of the latest moves in this market and recently updated the 2FA process. We're mainly other users in the public Forums here - if you want to suggest new security steps or your personal experience, it's best to submit a Support ticket.
  • Level 5
  • Solution

Welcome to the forums, @GC2023. As @gazumped says, a support ticket or feedback email (I think it's feedback@evernote.com) is the way to get this idea into the hopper. I like it though. Anytime I log into my bank from an unknown device--including a private browser window on a known computer--I am offered the option to text or email a confirmation code. People do keep sensitive stuff in Evernote (wisely or not), which is why crooks attack it, and a verification code seems helpful.

  • Like 2