
gospelgreedy

Two Factor Authentication???

This has been mentioned on other posts. Try searching for two factor authentication.

The Evernote CTO has commented on the difficulty of implementing it across all the platforms Evernote supports.

There are no absolute guarantees in the world of digital media and cloud storage, but here are 6 reasons why your data is safe in Evernote.

http://michaelhyatt.com/is-your-data-safe-in-evernote.html

If you want more security, then store your data locally.

Or use a 3rd party encryption program like TrueCrypt


I'd rather not use encryption with EverNote as I'm not able to search my notes with that on.

I also want my notes in the cloud (not local).

Adding Two Factor Authentication is an update to the login process. I realise a change to the login process could break a lot of clients, but the TFA feature could be off by default.

Surely it's just a matter of time before some high profile accounts are hacked? The negative press would be quite damaging for EverNote.

With TFA, that is much less likely.

Surely it's just a matter of time before some high profile accounts are hacked? The negative press would be quite damaging for EverNote. With TFA, that is much less likely.

There are no guarantees that any account cannot be hacked. The only way to make it as difficult as possible is to use encryption along with a good/strong encryption password, which of course means the indexing cannot occur.

viewtopic.php?f=56&t=29117&p=124156&hilit=dropbox#p124156

Two factor authentication is a bit like putting your house key under the door mat. Certainly not as secure as true encryption.


I know there are no guarantees with an online account.

I also know when the use of encryption is useful and when it isn't.

TFA is not encryption. I'm not expecting it to be.

Two factor authentication is a bit like putting your house key under the door mat.

TFA is a bit like having a front door with two locks. You might be daft enough to put 1 key under the door mat. The 2nd key is in your back pocket.

The first key is useless without the 2nd key.


gospelgreedy is correct. BurgersNFries, you might be confusing authentication and confidentiality, very different concepts.

i'm not sure what evernote's web application is written in (java maybe??) but i've had good experiences with duo two factor authentication for our company's php-based web login: http://www.duosecurity.com (and my own ssh server personally which i previously used google authenticator for)

really everyone should be using strong passwords but obviously people don't do the best job with their passwords. :?


two factor authentication would be nice, but i probably won't use it. i regularly change my passwords on important accounts (once a month or less), which i find far less annoying than two factor authentication. as long as it is default off, i wouldn't mind having the secure option at least available.

you might be confusing authentication and confidentiality, very different concepts.

I understand that TFA & encryption are two different things. However, TFA only makes it a bit more difficult for someone to get into your account using a password. Is it helpful? Sometimes. But TFA can be hacked, too. Or what if something fails on the EN end as it did recently with Dropbox? TFA is like putting your door key under the welcome mat & IMO, provides users with a false sense of security, IMO. If you want to put info in the cloud that you don't want prying eyes to see, the best (but still not infallible) method is always encryption with a strong password.


I don't want to use encryption!

I want to use EverNote features (which I couldn't do with encryption).

I want better authentication.

It's an easy fix and is a great benefit, IMO.

EverNote could even make some money out of it by offering it to premium accounts only.


I'd actually prefer to see an option to encrypt selected notebooks, and have the encryption key stored on selected devices. Either that, or tracking which devices can access your account. The encryption route could be easier than 2FA because it could be implemented for limited applications to start with and rolled out to more and more as time goes on.

I'm about to try the paperless route, but some documents will be in a notebook only on my PC because I'd rather take the chance of losing them than having them stolen. Mostly thinking about financial stuff...


From http://www.pcmag.com/article2/0,2817,2416266,00.asp

"I can confirm that we had been planning to roll out optional two-factor authentication to all of our Evernote users later this year," a company spokeswoman said in an email. "Those plans have now been accelerated."

Finally. Great thing about baddies get in sometimes, means the castle gets better walls.

Hopefully we'll get features like Recent Logins, Ability to disallow existing app tokens, only specified Countries Allowed, local encryption.


My view on 2FA is that it's an inevitable step for all these cloud service providers and EN is behind where it should be in providing it. It may well be just another layer of security and as such vulnerable in some ways, but they'll all be offering it soon and I will be using it. I use it on my gmail and I am glad I have it. I moved away from Hotmail because Google did it first.

The reason they're all going to be offering it is quite simple. Forget the arguments about doormats, etc. They'll be offering it because they all keep getting hacked (I know, I know, it wouldn't have prevented this hack).

I believe there's a bigger issue looming. In the country I live in, if you leave your keys in the car on the driveway, and the car gets stolen, the insurance company won't pay out. The day may come when insurance companies offering cover against identity theft (and lots do) won't pay out if you uploaded a pile of personal data to the cloud and had it stolen.

Also, a word on encryption. If 2FA is seen as something which slows things down and has a poor user experience, then encryption could be seen as far worse. The way EN works today, if I had to encrypt everything I would use it very little. I believe there may be other ways to do it though, but across all devices is so difficult.


sooo. now that it's here, and I've turned it on, and I want to get a new phone and/or factory reset my phone.... do I disable two-factor authentication in evernote until I get authenticator up on the new/reset device, or will simply following google's procedures to move the authenticator from one phone to another phone also automatically move Evernote's connection to that specific authenticator?
