
New login process is not asking for password or two-factor authorization.


Go to solution Solved by Carey_P,


When I log in to Evernote on my work computer the browser window pops up a page that says "Account Detected! It seems you are logged in the browser with the following account:" and allows me to click on 'Continue with this account'. I have two-factor authentication turned on. This was not the way it worked before. It used to request my password and two-factor code. My computer is accessible remotely by IT so this is not acceptable. How do I go back to forced two-factor authorization?

Link to comment
  • Level 5*

Hi. Please specify the device plus OS, browser and Evernote version numbers. Do you use Apple or Google log-in?

Link to comment

The app uses OAuth; you already authenticated in the browser. This is expected behavior. Don't use Evernote on your work PC if you don't want your IT department to see what you are doing.

Link to comment

It's not that I don't want IT to see what I'm doing. I use Evernote for work and personal. I don't want anyone to have the ability to log into my account after I have gone home for the day and delete or modify my files. So, how do I unauthorize the browser? I've tried shutting down the browser, deleting cookies and passwords and that doesn't seem to work. 

Link to comment

10.91.1-win-ddl-public (20240604023825)
Editor: v178.10.0
Service: v1.109.4
© 2019 - 2024 Evernote Corporation. All rights reserved

Edge browser.

No Google or Apple login.

  • Like 1
Link to comment
Just now, agsteele said:

Try signing out at the end of your day's work.

I do. Every day. That's what I don't understand about the problem. Why isn't Evernote deleting the OAuth tokens when I sign out of the app? So... once I sign into a browser it is permanently set to allow my Evernote login without prompting for any credentials?

Link to comment

Ok. I've obtained more information: 

If using Chrome and logging in to the web version of Evernote: Log out, Log back in - Credentials requested.

If using Edge and logging in to the web version of Evernote: Log out, Log back in - Credentials requested.

If using Evernote Application: Log out, Log back in - Account Detected. No credentials requested.

Link to comment
Just now, Carey_P said:
4 minutes ago, agsteele said:

Do you sign out in the app or just Quit?

I sign out. File -> Sign out.

I've tried both options: 'Keep a backup' and 'Remove my Evernote data from this device'

Link to comment
  • Evernote Expert

I know that the sign in process has changed slightly so that the login now takes place in a browser window rather than a separate window for the app. I just ran the process on my computer with Firefox as my default browser.  I signed out and when I signed back in I have to provide my login credentials followed by 2FA.  I wonder if the browser has retained your credentials.  Try removing Evernote cookies and cache in your browser and see if that resets things.

  • Like 1
Link to comment

This is the same new behavior I'm seeing. No username, password, or MFA credentials are needed to login to the Windows desktop app if you've used web clipper in Chrome. It even persists through computer restarts, pretty much negating any security around accessing Evernote via desktop. Now, in addition to logging out of the desktop app I also need to open EN on Chrome (and wait for it to load) and logout of that, too. And I can't find any way to login to the desktop app WITHOUT needing to finish the process in Chrome, as that's where it sends me automatically.

  • Like 1
Link to comment

None of this is an issue if you are using Evernote on your own computer. It's really poor cybersecurity practice to use a personal account on a work computer unless you work for yourself. Assume your IT department has access to all of your personal information and can see everything you do. Also assume that with what is essentially a cloud storage service that you could get yourself into trouble storing work data in a service not controlled by work's IT department.

Using a personal Evernote account for work is a security vulnerability for the employer and you must assume at some point they will treat it as such.

When I needed a better tool for note tasking and task management I asked my supervisor if I could get a subscription for work. It's extremely important to keep work data and personal data separate.

Many people have gotten into serious trouble for using personal accounts for work, anyone heard of Hillary Clinton?

  • Like 1
Link to comment

I don't know where the conflation of work and personal use came from, but that isn't the case for me. Yet as of just a few days ago, I no longer need to enter passwords or MFA credentials--something everyone says are CRITICAL to security--when logging into the desktop app.

This is new behavior. EN has an obviously frenetic pace of change, so now I have no idea if this is a security bug, some sort of convenience feature, or something else. If I don't need to login to access my account information, that seems less secure. If the reality is otherwise or if there's some setting I can change to restore the use of MFA, I'd like someone to explain it to me so I can understand how to maintain the proper level of security. That isn't an unreasonable question, is it?

Link to comment
3 minutes ago, thefryhole said:

I don't know where the conflation of work and personal use came from, but that isn't the case for me. Yet as of just a few days ago, I no longer need to enter passwords or MFA credentials--something everyone says are CRITICAL to security--when logging into the desktop app.

This is new behavior. EN has an obviously frenetic pace of change, so now I have no idea if this is a security bug, some sort of convenience feature, or something else. If I don't need to login to access my account information, that seems less secure. If the reality is otherwise or if there's some setting I can change to restore the use of MFA, I'd like someone to explain it to me so I can understand how to maintain the proper level of security. That isn't an unreasonable question, is it?

Evernote moved to using OAuth-based login. So authenticating in the browser will pass an OAuth token to the app to facilitate login. If you've already provided your MFA token in the browser and it is authorized with your account, either through logging in to evernote.com or possibly, it seems, by logging into the web clipper, you've already authenticated and the app can then use that authorization to log in to your account. Since the browser and web clipper are already logged in to your account there is no security issue here to be concerned about. OAuth is generally more modern and more secure than the older authentication system that was phased out.

Most apps and services are moving towards modern authentication systems such as this one. If you don't like this, don't use Evernote on a device you do not have control of.

The conflation of work and personal came up because OP's issue is they don't want their work's IT department to have access to their Evernote account.

My answer was don't use your personal Evernote account on a work device, this should be obvious. Depending on the cybersecurity team at a given company this can get you into serious trouble. Also something that may be allowed today with current leadership may be treated as theft of corporate data with new leadership which may get you into legal trouble. 

I hear people suggest that you back up your data by keeping an external hard drive offsite in your work desk. Now what happens when you leave the building with a hard drive, how do you prove that corporate data isn't on that drive and you aren't stealing it. Using a personal Evernote account on a work computer is essentially the same thing. It's a huge liability and should not be done unless you own your own business and are the IT department.

Source: I work in an IT department.

  • Like 1
Link to comment

Thank you for the clear explanation of why the login process changed and the effect on security.

You and I often wind up at loggerheads but I'm genuinely glad you're donating your time to EN, because I doubt I would have ever received an understandable response from support.

  • Like 1
Link to comment
2 minutes ago, thefryhole said:

You and I often wind up at loggerheads

I try to have that not happen and it's unfortunate when it does. My only intention is to use my IT knowledge to help people on here.

I feel that there is a very depressing tone on this forum as of late so my goal is to try to be positive and elevate the discussion a little bit because it's down in the dumps. I tend to get accused of belittling and in some cases bullying but that is not my intention. Only to educate, provide insight based on my own personal knowledge working in an IT department for many years most of that in customer service and now in internal application development.

Is Evernote perfect? No it isn't. I use a lot of software. Everything has bugs. Windows has annoying bugs, so does macOS. I'm sure if you go on the Notion subreddit or a Todoist community you will find people complaining about bugs. Bending Spoons is doing the best they can, and major issues get fixed quickly. My only goal is to look at the positive instead of pointing out every single flaw.

  • Like 1
  • Thanks 1
Link to comment

I don't know why this has turned into a personal vs work Evernote account discussion. All I wanted to know from the beginning is why it doesn't ask for my credentials and how can I force it to do so. From what I have read, it seems to have to do with the Web Clipper in the browser. If that's the case, then fine, I will uninstall the web clipper. I'm not at work so I can't try it right now. It still seems odd that even with the web clipper installed in the Edge browser, I can log into the web version, log out and subsequent logins require credentials. If I then log in with the desktop version of Evernote, it says account detected and brings up my Evernote.

This has nothing to do with work vs personal Evernote accounts. Even if I was using my own personal laptop/computer and I turned on 2FA I would expect it to query me for my credentials at every login. I also expect that when I click on 'Sign out' that it removes the OAuth token and requires credentials to log back in. Otherwise, I'm not really signing out.

Furthermore, even if I had a separate Evernote account for business paid for by my employer, I would still want sign out to mean sign out. Businesses are not immune to workers ***** other workers either intentionally or accidentally.

Also, I'm not bashing Evernote. I've been with Evernote since 2008 and haven't found a program that meets my needs better. If this is a bug, fine, let's make Bending Spoons aware of it. I posted the question here instead of running to support in case it was just something I was doing wrong or a setting that I was not aware of.

Link to comment

This forum tends to digress. Sorry about that. If the web clipper doesn't work I would again suggest clearing all browsing data, particularly cookies from all time. There is likely a session cookie saved somewhere keeping you authenticated.

You may also want to consider going here: https://www.evernote.com/Devices.action and revoking access from that device. That'll work 100%.

Link to comment
  • Solution

This problem has been resolved. I did not need to remove the Web Clipper. I enabled the setting under 'Privacy, Search and Services': 'Clear chosen data for Internet Explorer and Internet Explorer mode every time you exit Microsoft Edge'. Everything works as expected now as long as I close the browser. Thank you for everyone's input!

  • Like 2
Link to comment
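Added example, not part of any post in this thread and not Evernote's code: a toy model of the browser-mediated sign-in discussed above, showing why signing out of the app alone still produces "Account Detected" while a web logout or clearing cookies on browser exit brings the credential prompt back. The `AuthServer` class, its method names and the `prompt="login"` branch (the OpenID Connect request parameter; the thread does not say whether Evernote honors it) are assumptions, and the example goes slightly beyond the thread by including that parameter.

```python
import secrets

class AuthServer:
    """Toy authorization server (hypothetical; not Evernote's implementation)."""

    def __init__(self):
        self.sessions = set()  # browser sessions that passed password + 2FA
        self.tokens = set()    # access tokens issued to the desktop app

    def web_login(self, browser, password_ok, otp_ok):
        if not (password_ok and otp_ok):
            raise PermissionError("password or 2FA code rejected")
        browser["session"] = secrets.token_hex(8)  # session cookie
        self.sessions.add(browser["session"])

    def web_logout(self, browser):
        self.sessions.discard(browser.pop("session", None))

    def authorize_app(self, browser, prompt=None):
        """Desktop app opens the browser; returns (outcome, token)."""
        # prompt="login" is the OpenID Connect parameter that asks the server
        # to re-authenticate even when a session exists (assumed here).
        if prompt != "login" and browser.get("session") in self.sessions:
            token = secrets.token_hex(8)
            self.tokens.add(token)
            return "account detected", token
        return "credentials requested", None

    def app_sign_out(self, token):
        self.tokens.discard(token)  # app token only; browser session survives

def scenarios():
    """Replay the cases reported in the thread on constructed state."""
    srv, browser, out = AuthServer(), {}, {}
    srv.web_login(browser, True, True)      # e.g. Web Clipper / web sign-in
    _, token = srv.authorize_app(browser)
    srv.app_sign_out(token)                 # File -> Sign out in the app
    out["app sign-out only"] = srv.authorize_app(browser)[0]
    out["prompt=login"] = srv.authorize_app(browser, prompt="login")[0]
    browser.clear()                         # browser wipes cookies on exit
    out["cookies cleared on exit"] = srv.authorize_app(browser)[0]
    srv.web_login(browser, True, True)
    srv.web_logout(browser)                 # explicit logout on the website
    out["web logout"] = srv.authorize_app(browser)[0]
    return out

if __name__ == "__main__":
    for case, outcome in scenarios().items():
        print(f"{case}: {outcome}")
```
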
  • 1 month later...
On 6/7/2024 at 9:46 AM, Carey_P said:

Ok. I've obtained more information: 

If using Chrome and logging in to the web version of Evernote: Log out, Log back in - Credentials requested.

If using Edge and logging in to the web version of Evernote: Log out, Log back in - Credentials requested.

If using Evernote Application: Log out, Log back in - Account Detected. No credentials requested.

Update: Browsing the forums on mobile, I'd missed the solution item. Health, all.

 

I'm not sure if it could inform the discussion.  I've noticed what seems to be a related behavior with Evernote desktop and Firefox on a thin client PC. I think the desktop app may be communicating with the Web client somehow, and vice versa.

How this was discovered, it may be unrelated to the specific login issue. What I was seeing, with Evernote desktop on a lightweight Windows 10 tablet: The desktop client would try to sync for hours then fail with a message that a limit of 0 bytes had been exceeded. I've figured out a workaround for this, which may serve to illustrate some communication between the desktop app and the web client. Starting the Evernote Web client in Firefox first and letting it sync there, then starting the Evernote desktop app, then the desktop app was able to sync.

I understand that this anecdote may not shed any light on the login issue, in any direct way.

Not much of a workaround,  it may be possible to delete all cookies for evernote.com in the browser ... after each log out? Wouldn't it be nice if the browser would support a site-specific handling for the cookies... assuming the account detection might be checking browser cookies for evernote.com?

Link to comment
  • Level 5*
12 hours ago, Sean C said:

I think the desktop app may be communicating with the Web client somehow, and vice versa.

Absolutely.  Every device connected to your account syncs to the server 'parent' copy for updates.  There's no local communication between the installed app and your browser - Firefox in particular operates very much within its own sandbox and prevents web content affecting the host device.  The web client is a copy of the server information.

In any event the OP solved their issue with a browser setting.

Link to comment

I noticed I had the same issue on my work laptop when using Edge. Also, if I opened Chrome with my personal Google account there, the next day Edge would also show my personal Google account instead of my work one, even though I hadn't logged in. It seemed like it was automatically pulling the data somehow. I ended up searching for a long time to figure out how to turn it off. Basically Edge is a pretty questionable browser

Link to comment
  • Level 5*
1 hour ago, Catahamme said:

Basically edge is a pretty questionable browser

I would totally agree.  But if you have your account on a work device,  I'd give you fair odds that there is no possible way to prevent the IT team having access to your data if they choose to do so.  2FA and other precautions are fine for third party actors - but the IT department have local access.

Link to comment
