
Two step authentication (e.g. via Google authenticator) and encryption



I guess that the last two standing major services (ok, I might be exaggerating a bit) which store personal data but do not have two-factor authentication are Dropbox and Evernote.

Dropbox just did it: https://forums.dropb...ic.php?id=66910 . Now Evernote is the last service I use for storing personal data without advanced security ):

Two factor is critical for a service like Evernote where you are storing highly confidential data. Most people cannot remember different, highly secure passwords for the myriad of web services they use. As a result it just takes one breach in another service to get an idea of your password base (even if you vary it slightly) and that exposes your Evernote account to hacking. If you are naive enough to believe your information is safe in Evernote without two factor authentication I wish you good luck. For the rest of us I would urge Evernote to get this implemented just as soon as possible - I am not storing critical data in Evernote until it becomes available but would love to be able to do so.


Two factor is critical for a service like Evernote where you are storing highly confidential data.

IMO, you should not be storing "highly confidential" information in Evernote unless it's encrypted. Should you need more info, please search the boards on 'security' as this has been discussed at great length already. In a nutshell, your data is not stored encrypted on the EN servers, unless you encrypt it.


I guess that the last two standing major services (ok, I might be exaggerating a bit) which store personal data but do not have two-factor authentication are Dropbox and Evernote.

Dropbox just did it: https://forums.dropb...ic.php?id=66910 . Now Evernote is the last service I use for storing personal data without advanced security ):

Two factor is critical for a service like Evernote where you are storing highly confidential data. Most people cannot remember different, highly secure passwords for the myriad of web services they use. As a result it just takes one breach in another service to get an idea of your password base (even if you vary it slightly) and that exposes your Evernote account to hacking. If you are naive enough to believe your information is safe in Evernote without two factor authentication I wish you good luck. For the rest of us I would urge Evernote to get this implemented just as soon as possible - I am not storing critical data in Evernote until it becomes available but would love to be able to do so.

Regardless of whether Evernote implements 2FA, the password practices you mention could be greatly improved by using unique (only used for one site), long, random, and regularly changed passwords. This is a relatively painless task if you use a password service like LastPass. As discussed in other threads, these simple procedures make your accounts virtually uncrackable (the key, of course, being that you regularly change them). Doing it this way means you only have to remember one password. That's not difficult at all, and it is a way to immediately strengthen your online security :)


Regardless of whether Evernote implements 2FA, the password practices you mention could be greatly improved by using unique (only used for one site), long, random, and regularly changed passwords. This is a relatively painless task if you use a password service like LastPass. As discussed in other threads, these simple procedures make your accounts virtually uncrackable (the key, of course, being that you regularly change them). Doing it this way means you only have to remember one password. That's not difficult at all, and it is a way to immediately strengthen your online security :)

Yup. Ever since I started using Roboform several years ago, (most) all my passwords are generated through Roboform & are 12-16 characters & are all different.


Regardless of whether Evernote implements 2FA, the password practices you mention could be greatly improved by using unique (only used for one site), long, random, and regularly changed passwords. This is a relatively painless task if you use a password service like LastPass. As discussed in other threads, these simple procedures make your accounts virtually uncrackable (the key, of course, being that you regularly change them). Doing it this way means you only have to remember one password. That's not difficult at all, and it is a way to immediately strengthen your online security :)

Another nice feature with LastPass is its built in Security Check Challenge Tool.

It points out your weak passwords and duplicate passwords.

And it gives a score for your relative overall security.


Regardless of whether Evernote implements 2FA, the password practices you mention could be greatly improved by using unique (only used for one site), long, random, and regularly changed passwords. This is a relatively painless task if you use a password service like LastPass. As discussed in other threads, these simple procedures make your accounts virtually uncrackable (the key, of course, being that you regularly change them). Doing it this way means you only have to remember one password. That's not difficult at all, and it is a way to immediately strengthen your online security :)

Another nice feature with LastPass is its built in Security Check Challenge Tool.

It points out your weak passwords and duplicate passwords.

And it gives a score for your relative overall security.

Yep. This gave me several ideas for improving my overall security. Just reading their website, even if you don't use the service, is highly recommended. Whoever is writing for them is doing a great job. In addition, I like the news page for their site: Evernote could use something like that.

http://blog.lastpass.com/


Cute, but insanely annoying to remember across sites. I've already got a bunch of images to remember as it is. I fail at the captcha things all the time, so I guess it is marginally better than failure :) If it is an option, sure, but I imagine 2FA would be more worth the effort if EN is going to devote resources to beefing things up. A thing you have and a thing you know is better than two things you know.


Agreed, 2FA all the way.... Although on your desktop and iPhone I hope it's a one-off when you set it up (then secured by the device itself), perhaps + security code as in the app.

The Lastpass grid is an interesting low tech solution http://helpdesk.lastpass.com/security-options/grid-multifactor-authentication/

Yeah, I have a bank that uses the grid system. It is a real pain, but probably effective. It discourages me and hackers from logging in! Still, at least there are options :)


Although very secure passwords really help, they don't really work when EN would leak them. If 2fa is implemented it's less of a problem when somebody accidentally makes a password public (or if you make a mistake yourself). I agree that 2fa would really be helpful for EN. However, as long as basics like proper encryption are not implemented, I'd rather see efforts go towards that instead of something more advanced like 2fa.

  • 1 month later...

2-factor authentication please. Easy to set up API with Google. No excuse not to have it or to even comment on it. I will export all my notes and disable my account in the meantime.

That is about the silliest thing I've seen. I want 2FA as much as anyone but I won't quit using dozens of services just because they don't have it.

As for the easy setup, please explain how easy that is with the web interface, clients for Mac, Windows, iOS, Windows Phone, BlackBerry, and even webOS and Windows Mobile clients, plus the integration with Food, Hello, Skitch, and dozens of third party apps via the EN API.

Yes, they should do it, but I wouldn't claim it is easy.


I have two factor authentication with Google and I absolutely hate it. Since enabling it I've had no fewer than 10 instances when I had to receive a phone call to authenticate something or other. Furthermore, it never seems to stop and I assume that when I erase cookies or temp files it once again perceives my computer as suspicious. It's been nothing but a bother and I've removed it. Sounded like a nice idea but wound up being a headache.


@EdH 'As for the easy setup, please explain how easy that is with the web interface, clients for Mac, Windows, iOS, Windows Phone, BlackBerry, and even webOS and Windows Mobile clients, plus the integration with Food, Hello, Skitch, and dozens of third party apps via the EN API.'

Google have had to address these challenges, and basically it works a bit like authorising an EN app to access your account: you need to use 2fa to authorise, but thereafter the app/PC appears on a list which you can see, monitor and remove as necessary. So your data is still not completely locked down, but you can decide not to use these services, and thus the web client is your only access point, which does require 2fa.

The biggest problem I come across regularly is people using key-loggers. These can be programs hidden on your PC or a physical device in the middle of your keyboard cable. Without 2fa you are stuffed: as soon as you log in to the web client, the person in control of the key-logger can download your entire EN database; you would never know. The length and complexity of the password doesn't help!


@EdH 'As for the easy setup, please explain how easy that is with the web interface, clients for Mac, Windows, iOS, Windows Phone, BlackBerry, and even webOS and Windows Mobile clients, plus the integration with Food, Hello, Skitch, and dozens of third party apps via the EN API.'

Google have had to address these challenges, and basically it works a bit like authorising an EN app to access your account: you need to use 2fa to authorise, but thereafter the app/PC appears on a list which you can see, monitor and remove as necessary. So your data is still not completely locked down, but you can decide not to use these services, and thus the web client is your only access point, which does require 2fa.

The biggest problem I come across regularly is people using key-loggers. These can be programs hidden on your PC or a physical device in the middle of your keyboard cable. Without 2fa you are stuffed: as soon as you log in to the web client, the person in control of the key-logger can download your entire EN database; you would never know. The length and complexity of the password doesn't help!

LastPass, Roboform, etc.


@Grumpy agreed, LastPass is a great help in using proper/complex/unique passwords.... not necessarily spyware proof.... and obviously vulnerable in itself. Obviously you can enable 2FA on LastPass; it also works well with YubiKey: http://vimeo.com/47021106

As you know, LastPass needs quite a few adjustments to avoid minimal security..... Its defaults are not ideal! Its configuration is balanced towards speed and ease of use rather than the best security.

  • 3 weeks later...

I know this is an old thread, but to save starting a new one that rehashes old concerns. I've recently become more aware of security and gone on a binge. Security is a process of discouraging hackers, you can never be completely secure. But I think optional and well implemented 2fa would well suit Evernote. I'd also like to see the option to nominate a different email account than my main one for password recovery - that shouldn't be too difficult. Given the nature of EN and that the data generally isn't encrypted (which renders the service far less useful), you can't be too careful. But that does need to be balanced with convenience.


Dear Evernote,

I love your product, but am always fearful of the username/password security Achilles heel of this extremely valuable tool.

Two-step authentication is no longer optional. Enough mechanisms exist for Evernote to make this happen and help us secure our data.

Evernote, PLEASE step up to the plate and activate this mission critical safety feature.

Thank you


Dear Evernote,

I love your product, but am always fearful of the username/password security Achilles heel of this extremely valuable tool.

Two-step authentication is no longer optional. Enough mechanisms exist for Evernote to make this happen and help us secure our data.

Evernote, PLEASE step up to the plate and activate this mission critical safety feature.

Thank you

Hi. Thanks for posting your thoughts. I have deleted your other posts, though. Please do not spam the forums by posting the same things in multiple threads. If you want to link to those threads from one post, that is fine, of course.

As for your request, I think it has been made before, and discussed at length. Could you share your reasons for wanting it, though? It might help the developers to know what your specific concerns are when they consider whether or not to implement the feature.


Could you share your reasons for wanting it, though?

In his absence my 2 cents...

  1. There are numerous ways passwords can and do get snagged in transit or on either end. Most of the common scenarios are covered with the addition of 2 factor together with SSL.
  2. Putting on my network admin hat, and as Evernote moves further to wooing Enterprise customers... There are users who invest their data into a personal Evernote account and they do their own risk evaluation on the password strength and control as suited to the data they've put into Evernote. In a corporate environment you may have one user contributing valuable and sensitive data. User 2 needs that data to do their job, but otherwise has a lower threshold of care for the data and its protection. They choose a password to get access but take no particular care with it. They're now a liability to the shared data stack as the weakest link.
    • With 2 factor authentication an admin can stop worrying and beating on password issues. They could publish the password in the paper, and yet not grant access to the account.
  3. There is a problem when there are multiple access routes to an Evernote account. The web interface is publicly available to all and thus demands a strong password. Using a password manager means this is not an onerous barrier to frequent entry. However, it would be a huge barrier on a mobile client to have to enter a strong password all the time. The PIN function helps mitigate this, except for how it's implemented by Evernote:
    1. It can be bypassed by uninstalling and re-installing Evernote.
    2. It's limited to 4 numbers. Apple's PIN code model is preferable, where you can elect to use an arbitrarily long numeric PIN and still use the numeric keyboard, or to select a mixed PIN and use an alpha-numeric keyboard. It doesn't have to be much longer, but 4 is a functional minimum.
    3. There are plenty of other options Evernote *could* do. Using the mobile device's SN or GUID with a shorter mobile account password. If hashed together with a combination of the account and mobile device GUID details, it wouldn't be any weaker, exposed on the evernote.com website.

The code side seems trivial. There are free code options for YubiKey, Google Authenticator (I added both to WordPress instances, and can use either. Brings lots of peace of mind).


Reasons for 2-Step /2-Factor Authentication being Mission-Critical and why we need it ASAP!

1. User case 1: User accesses Evernote from a browser. However, PC is infected with a key-logger that may have been installed intentionally by employer/spouse/3rd party or truly be malware. Result: Evernote contents now compromised.

2. User case 2: User accesses Evernote via a browser. Colleague or other party "shoulder surfs" and captures user name and password. Result: Evernote contents now compromised.

3. Man-in-the-Middle attacks. A hacker spoofs the Evernote login page either for the net or in a specific area. The user logs in, as the page appears to be the normal-appearing login page. 2-step / 2-factor authentication cannot fully protect against such Man-in-the-Middle attacks, as the user can be lulled into believing that the site is truly authentic and enter the token code too. (Note: the Man-in-the-Middle web site can be logging the person in real-time into Evernote, relaying any displayed info such as token identifiers (last two digits of cell# a la Google...), capturing the token too and, within the time limit of the token lifespan, logging in as the user into Evernote. The 2-step / 2-Factor Authentication system is still not perfect.)

4. The 64-bit encryption supplied by Evernote is inadequate protection for this risk as:

a. 64-bit encryption is sadly inadequate security. (Seems that Evernote understands this but is blaming the rules of various nations...)

b. Use case 3: User accesses an encrypted Evernote note and decryption password, and via steps 1. or 2. listed above the encryption password is then also compromised.

c. Use Case 4: When accessing encrypted Evernote note on a mobile device with offline Evernote notebook storage, the user can decrypt and view the note, but cannot edit and then re-encrypt the note. If modification of the note is important in real-time, user must use a laptop/mac device with app loaded. If the device and the network connection are not of known provenance (steps 1. or 2. above), user's Evernote contents are now compromised.

http://www.nytimes.com/2012/10/14/technology/two-step-verification-is-inconvenient-but-more-secure.html?_r=0

Bottom line: 2-Step / 2-Factor Authentication are now widely used by big players.

Current Results:

1. Users who have activated this option for Google/Drop Box/Paypal.... appear to be showering the implementing company with kudos and are NOT complaining loudly.

2. Security is all about paranoia. Any company who wants to offer a "secure" product, needs to cater to the more paranoid and not default to the lowest common denominator.

3. Reading the Evernote forums, I have encountered many requests for this feature. On the other hand, I have encountered NO requests NOT to implement 2-Step / 2-Factor Authentication.

4. 2-Step / 2-factor Authentication once could have been a "differentiator" between cutting edge products. It's now becoming the "standard", and Evernote is playing "catch-up."

So, may we PLEASE get 2-Step / 2-Factor Authentication for Evernote?

Thank you,

:-)


As I have mentioned here and elsewhere, good password practices will be a powerful defense against any unauthorized intrusion: long, unique (not shared by other sites), random, and regularly changed ones work well. In addition, if you have Evernote (and all of your other important sites) tied to a private email account you have shared with no one else, it is very unlikely that your information will be compromised. Finally, if you encrypt sensitive information in your account, even if someone managed to get into your account, they wouldn't find anything damaging.

GrumpyMonkey, you are missing the point. Single authentication is going to go away. It is no longer practical to use long, random and regularly changed passwords. For example, every time you change your password on the Windows Phone client, it erases all of your notes and settings, as if you had uninstalled EN and started over. Plus, I have EN installed on 6 clients (PCs and mobile). It is a major hassle to do a password change.

The old practices just aren't keeping up with hackers today. 2FA is the way to go, especially for a service that touts itself as your electronic brain.

I know you aren't advocating against 2FA - you are clear about that, but please, stop defending the status quo. I've seen too many companies defend the status quo until one of two things happens - it is definitively proved wrong, or the company goes out of existence.

You are right. I didn't know the point was that single authentication was going away. If that is the point, then I can't really say, because I am not a prognosticator, and I will have to remain blissfully ignorant of 2FA's necessity :) I imagine it will come someday, but my point is that we are already well-protected. Moreover, I believe users also have to take responsibility for their data security, regardless of what Evernote decides about 2FA.

As for the specific methods I suggested, I have Evernote on six devices as well (not Windows Phone) and I regularly change my password. Using a password service makes this a breeze. And, to the best of my knowledge, all of the intrusions that have been brought forth in this thread as evidence for the need for 2FA would have been prevented just as effectively with my methods. That seems like a useful thing to point out.

There isn't much you can do in a case like Matt Honan's, when a company you trust gives out your password information. Presumably, Apple would have bypassed 2FA when they opened up his iCloud account. However, if Matt had been using a private email that he had not told anyone about (as I suggested above), he would have been fine. The hackers wouldn't have gotten past his iCloud account. Of course 2FA for Gmail would have protected him as well. My point is that even without 2FA you are well-protected.

You can take that for what it is worth, but rest assured that my support for better password practices will not affect Evernote's course of action one bit. I am sure they are well-aware of 2FA and its benefits. The question (in my mind) is whether they want to devote their resources to it. I am not convinced that they need to do it right now.

Disagree. So long as you have an email address to which password reset requests can be sent then your security is only as good as the security on that account. In most of the examples given the accounts were hacked through social engineering. Password strength and frequency of change was of no consequence.

Once that email is hacked and its password changed almost your entire online presence is compromised, and very quickly at that.

2fa on the email account alone significantly protects against that. Trust me, I know. I was let go from my previous position without warning and had the company phone I was using for authentication removed. I had not written down the alternate one-time passcodes (learning experience for me). Trying to get my gmail account reset to 1fa was challenging at best. The saving point was that my iPad had the email application authenticated, and so I asked them to send the reset information to my email address since I could still get email on that one device. Oh, and that still constitutes 2fa since I need the password and device to get access.

I'm not saying that Evernote should require 2fa, but it should at least be an option. Then the choice is yours.

2fa is not at all onerous if you write down the one-time passwords and keep them physically safe and separate from account information. I don't consider their suggestion of keeping them in your wallet as safe.

I always have my iPhone with me and use the Google authenticator. The only time I need this is when I'm accessing via the web which is infrequently at best.

Apps installed on my personal devices do not require 2fa if they are set up with application specific passwords which only work for that app on that device.

If Evernote is serious about security they will implement 2fa. Otherwise the first public breach of their systems will be their CEO's biggest headache, and should result in the CIO's dismissal. There is absolutely no excuse for not providing this as an option. The cost is absolutely minimal.

Then the choice is yours. I know what my choice will be.


Grumpy Monkey,

Once you're consolidating discussions, it seems that the following threads are all about the need for 2fa. Maybe you could combine them into one thread? (There might be more threads than I have found.)

http://discussion.ev...p-verification/

http://discussion.ev...on-needed-asap/

http://discussion.ev...se/page__st__20

http://discussion.ev...p-verification/

http://discussion.ev...se/page__st__40

http://discussion.ev...tab__reputation

Thank you,

;-)

Thanks! I think that the threads have all gone so far along now, that it would be quite a mess to join them all together now. However, other moderators have been known to prefer these massive mergers, so I'll throw the question to them and we'll give it a think. Your help pulling these together is much appreciated :)

Disagree.

We'll probably have to agree to disagree then :)

I continue to think that we are quite secure if we follow good password practices (http://discussion.ev..._20#entry156886), and while 2fa would certainly be more secure (I am not arguing against it), I think the level we have now is adequate, and I would prefer to see resources allocated for other features.

If Evernote's servers were encrypted, I might think a little differently, as it would then probably become the repository of more confidential information, because people would have a higher expectation of security. If Evernote went to a zero-knowledge system in which they encrypted the databases and did not even have access to our passwords or the content of our accounts, thereby denying even the government the ability to compel them to provide data on us, then I would definitely be more interested in 2fa, because Evernote would then become one of the most secure places on the Internet. As it is, though, we have un-encrypted databases and I think the expectation of security (at least by me) is relatively low -- about the level of an email account. Even the limited encryption Evernote currently offers for notes within their service is relatively low-level according to their own explanation of it.

Whatever Evernote decides to do, though, in the meantime, the service is what it is, and I recommend users follow good password practices to protect themselves on every service. Matt Honan, for example, would have only been exposed in one account (his mobile me one) if he had been following good password practices. There is a lot we can do as users to take responsibility for our own security.


I continue to think that we are quite secure if we follow good password practices (http://discussion.ev..._20#entry156886), and while 2fa would certainly be more secure (I am not arguing against it), I think the level we have now is adequate, and I would prefer to see resources allocated for other features.

If Evernote's servers were encrypted, I might think a little differently, as it would then probably become the repository of more confidential information, because people would have a higher expectation of security. If Evernote went to a zero-knowledge system in which they encrypted the databases and did not even have access to our passwords or the content of our accounts, thereby denying even the government the ability to compel them to provide data on us, then I would definitely be more interested in 2fa, because Evernote would then become one of the most secure places on the Internet. As it is, though, we have un-encrypted databases and I think the expectation of security (at least by me) is relatively low -- about the level of an email account. Even the limited encryption Evernote currently offers for notes within their service is relatively low-level according to their own explanation of it.

Whatever Evernote decides to do, though, in the meantime, the service is what it is, and I recommend users follow good password practices to protect themselves on every service. Matt Honan, for example, would have only been exposed in one account (his mobile me one) if he had been following good password practices. There is a lot we can do as users to take responsibility for our own security.

You are doing close enough to arguing against 2FA by suggesting that it be a lower priority for implementation. Your argument that everything is not perfectly secure on the servers is a strange reason for not wanting more security. Yes, Evernote and in some cases the government can see my notes, but that doesn't mean that I want someone breaking in to see them. It's fine that a good unique password is enough for you, but we don't really need you discouraging other people's valid requests for more security.

It's fine that a good unique password is enough for you, but we don't really need you discouraging other people's valid requests for more security.

Um...GM is free to post his (equally valid) reasons he is not clamoring for 2fa just as you are to post why you feel it is highly important.


I continue to think that we are quite secure if we follow good password practices (http://discussion.ev..._20#entry156886), and while 2fa would certainly be more secure (I am not arguing against it), I think the level we have now is adequate, and I would prefer to see resources allocated for other features.

If Evernote's servers were encrypted, I might think a little differently, as it would then probably become the repository of more confidential information, because people would have a higher expectation of security. If Evernote went to a zero-knowledge system in which they encrypted the databases and did not even have access to our passwords or the content of our accounts, thereby denying even the government the ability to compel them to provide data on us, then I would definitely be more interested in 2fa, because Evernote would then become one of the most secure places on the Internet. As it is, though, we have un-encrypted databases and I think the expectation of security (at least by me) is relatively low -- about the level of an email account. Even the limited encryption Evernote currently offers for notes within their service is relatively low-level according to their own explanation of it.

Whatever Evernote decides to do, though, in the meantime, the service is what it is, and I recommend users follow good password practices to protect themselves on every service. Matt Honan, for example, would have only been exposed in one account (his mobile me one) if he had been following good password practices. There is a lot we can do as users to take responsibility for our own security.

You are doing close enough to arguing against 2FA by suggesting that it be a lower priority for implementation. Your argument that everything is not perfectly secure on the servers is a strange reason for not wanting more security. Yes, Evernote and in some cases the government can see my notes, but that doesn't mean that I want someone breaking in to see them. It's fine that a good unique password is enough for you, but we don't really need you discouraging other people's valid requests for more security.

As BNF kindly wrote above, this is a forum for discussions, and so I hope you won't mind if I post my thoughts about topics here. I believe I've provided a good overview of options currently available to users, and reasons for why I think Evernote's resources could be better channeled elsewhere. I appreciate that users speak up about what they want to see Evernote do with the app, and encourage them to do so, but I also have my own ideas about what I'd like to see Evernote do.

Fortunately, you can rest assured that my opinion counts no more than anyone else's.


The problem is, like Facebook, gmail, and Dropbox, outside services access my Evernote account. I thought it was all going towards OATH but it hasn't as far as I can tell.

Even ignoring OATH, 2fa is a solid idea for services as popular and intertwined with outside services like EN is.

GM, if it matters, I give more weight to your opinion than that of most others.

Link to comment
  • Level 5*

Given that they've just released major updates to the Mac and iOS client without this, I'm guessing it's not happening at least in the short term.

Realistically, I've always felt that my data (that is stored with any service) is far more at risk from a major security breach than from someone bothering to try and hack my password.

Link to comment

The problem is, like Facebook, gmail, and Dropbox, outside services access my Evernote account. I thought it was all going towards OAuth but it hasn't as far as I can tell.

Actually, as of November 1st all existing third party applications require use of OAuth. We removed username and password authentication permissions on the API key on that day after a 6 month transition period for all third party developers.

Link to comment

The problem is, like Facebook, gmail, and Dropbox, outside services access my Evernote account. I thought it was all going towards OAuth but it hasn't as far as I can tell.

Actually, as of November 1st all existing third party applications require use of OAuth. We removed username and password authentication permissions on the API key on that day after a 6 month transition period for all third party developers.

I thought that was made pretty clear on 11/4 when the message board was hacked (along with a lot of others, including NBC's)

http://discussion.ev...6-forum-hacked/

(Talk about TIMELY!)

Link to comment

The problem is, like Facebook, gmail, and Dropbox, outside services access my Evernote account. I thought it was all going towards OAuth but it hasn't as far as I can tell.

Actually, as of November 1st all existing third party applications require use of OAuth. We removed username and password authentication permissions on the API key on that day after a 6 month transition period for all third party developers.

I thought that was made pretty clear on 11/4 when the message board was hacked (along with a lot of others, including NBC's)

http://discussion.ev...6-forum-hacked/

(Talk about TIMELY!)

Eh? The two are separate thangs. Forum uses SSO which just authenticates against Evernote login. OAuth is for third party apps working with the Evernote service.

Link to comment
  • Level 5*

The problem is, like Facebook, gmail, and Dropbox, outside services access my Evernote account. I thought it was all going towards OAuth but it hasn't as far as I can tell.

Actually, as of November 1st all existing third party applications require use of OAuth. We removed username and password authentication permissions on the API key on that day after a 6 month transition period for all third party developers.

That is actually not true. What seems to have happened is all new apps require it. I just tried with MagicalPad which does not use OAuth and it allowed me to add a set of notes to my Evernote account. I then logged out of EN in MP (had logged in months ago) and tried to log back in. That failed, indicating that new connections do require OAuth, but anyone who was already logged in as of Nov 1 is still logged in.

Seems you need to wholesale log everyone out of everything that wasn't logged in via OAuth.

Link to comment

The problem is, like Facebook, gmail, and Dropbox, outside services access my Evernote account. I thought it was all going towards OAuth but it hasn't as far as I can tell.

Actually, as of November 1st all existing third party applications require use of OAuth. We removed username and password authentication permissions on the API key on that day after a 6 month transition period for all third party developers.

That is actually not true. What seems to have happened is all new apps require it. I just tried with MagicalPad which does not use OAuth and it allowed me to add a set of notes to my Evernote account. I then logged out of EN in MP and tried to log back in. That failed, indicating that new connections do require OAuth, but anyone who was already logged in as of Nov 1 is still logged in.

Hmmm. That's not my understanding. I'll flag this, clarify with the platform team and get back to you post haste.

Link to comment
  • Level 5*

That is actually not true. What seems to have happened is all new apps require it. I just tried with MagicalPad which does not use OAuth and it allowed me to add a set of notes to my Evernote account. I then logged out of EN in MP and tried to log back in. That failed, indicating that new connections do require OAuth, but anyone who was already logged in as of Nov 1 is still logged in.

Hmmm. That's not my understanding. I'll flag this, clarify with the platform team and get back to you post haste.

Well, just so you know my sequence of events:

  1. Installed MagicalPad update and logged into Evernote in August or September
  2. Today, opened MagicalPad and "shared" a note with Evernote (to confirm I could)
  3. Went into MagicalPad settings and told it to log out of Evernote.
  4. Tried to log back into EN and couldn't, since it does not support OAuth - and I just sent a note to the developer as I have just effectively bricked my MagicalPad app. :D

Appreciate you looking into this.

Link to comment
  • Level 5*

The problem is, like Facebook, gmail, and Dropbox, outside services access my Evernote account. I thought it was all going towards OAuth but it hasn't as far as I can tell.

Actually, as of November 1st all existing third party applications require use of OAuth. We removed username and password authentication permissions on the API key on that day after a 6 month transition period for all third party developers.

That is actually not true. What seems to have happened is all new apps require it. I just tried with MagicalPad which does not use OAuth and it allowed me to add a set of notes to my Evernote account. I then logged out of EN in MP and tried to log back in. That failed, indicating that new connections do require OAuth, but anyone who was already logged in as of Nov 1 is still logged in.

Hmmm. That's not my understanding. I'll flag this, clarify with the platform team and get back to you post haste.

Indeed. According to the wording of the blog post, this ought to be impossible.

http://blog.evernote.com/tech/2012/11/01/third-party-authentication-transition-to-oauth-complete/

Link to comment
  • Level 5*

Indeed. According to the wording of the blog post, this ought to be impossible.

http://blog.evernote...oauth-complete/

That is what I thought too, but here I am staring at a note just shared 32 min ago from MagicalPad, an app that doesn't support OAuth. It still asks for my user ID and password, and that fails.

That is why I said what I did in my original post - it didn't seem to happen. Now it seems to have partially happened.

Link to comment
  • Level 5*

Hrm Mike,

I have Pocket working as well, but not in my apps list, just as MagicalPad isn't. I'll need to go through everything and see which ones are connected that aren't going through OAuth. Seems to be an issue.

Link to comment

The problem is, like Facebook, gmail, and Dropbox, outside services access my Evernote account. I thought it was all going towards OAuth but it hasn't as far as I can tell.

Actually, as of November 1st all existing third party applications require use of OAuth. We removed username and password authentication permissions on the API key on that day after a 6 month transition period for all third party developers.

I thought that was made pretty clear on 11/4 when the message board was hacked (along with a lot of others, including NBC's)

http://discussion.ev...6-forum-hacked/

(Talk about TIMELY!)

Eh? The two are separate thangs. Forum uses SSO which just authenticates against Evernote login. OAuth is for third party apps working with the Evernote service.

Ok. Guess I was mistaken...

Link to comment
  • Level 5*

Thanks for linking to that article. I see an argument in it, though, against the "need" for 2fa. If it is the case that "He also mentioned that their investigation also discovered that some Dropbox accounts were compromised through the use of usernames and passwords recently stolen from other websites, pointing out the need for using different passwords for every online account," then it stands to reason that users can protect themselves by following my advice to use long, unique, random, and regularly changed passwords. The problems that Dropbox had this time were the result of lax password practices on the part of users. Last time my data was exposed to the entire world by Dropbox, I doubt 2fa would have helped, because Dropbox had disabled everyone's passwords (you could just click into anyone's account for a few hours).

Personally, I find this article more interesting. I think the implication here is that expending resources on a feature that few users will take advantage of, and even fewer users will stick with, is not a solution to security problems.

http://www.zdnet.com/is-two-factor-authentication-dropboxs-security-answer-7000002065/

This one basically suggests what I have said here about good password practices, and concludes that while it is a pain to implement, you should use 2fa. The question to ask, in my opinion, is whether it is worth it for Evernote to invest its limited resources into a feature that most likely won't be used.

http://thenextweb.com/google/2012/09/01/google-2-step-verification-the-less-annoying-evil/

Link to comment

I disagree that Evernote has "limited resources". Implementing two factor authentication is not a massive expense. I use it for both securing my Google Account and my Last Pass account. Neither of which do I pay $45 annually for.

It is an added level of security which I really, really want so I will feel more at ease storing potentially sensitive information in the cloud. I practice good password administration... but if someone somehow got my password through a keylogger or other vector, they would still need my mobile phone to get in to my account. If you don't want additional security, that's fine. Good luck to you.

Link to comment

I disagree that Evernote has "limited resources". Implementing two factor authentication is not a massive expense. I use it for both securing my Google Account and my Last Pass account. Neither of which do I pay $45 annually for.

It is an added level of security which I really, really want so I will feel more at ease storing potentially sensitive information in the cloud. I practice good password administration... but if someone somehow got my password through a keylogger or other vector, they would still need my mobile phone to get in to my account. If you don't want additional security, that's fine. Good luck to you.

Well said. Totally agree.

Link to comment
  • Level 5*

I disagree that Evernote has "limited resources". Implementing two factor authentication is not a massive expense. I use it for both securing my Google Account and my Last Pass account. Neither of which do I pay $45 annually for.

It is an added level of security which I really, really want so I will feel more at ease storing potentially sensitive information in the cloud. I practice good password administration... but if someone somehow got my password through a keylogger or other vector, they would still need my mobile phone to get in to my account. If you don't want additional security, that's fine. Good luck to you.

You make some good points, of course, about keyloggers and so forth. I haven't typed a password in a long time (I use a password manager), and I use my own devices, so I've been able to avoid these kinds of problems so far. I understand that some people have no choice but to log in on devices that are out of their control, so 2fa would certainly make sense for them.

As for the massive expense, I have no idea how much it would cost Evernote in terms of time, human resources, and money to implement it. I am guessing, though, that all things being equal, every site in the world would just as soon have 2fa as an option, so it must be the costs that are discouraging them from implementing it. That's really the basis of my argument, isn't it? If Evernote (or someone else in the know) jumps on here and tells me that it doesn't cost much at all to implement and it would be relatively simple to code, then I'd be all for it.

Link to comment

I disagree that Evernote has "limited resources". Implementing two factor authentication is not a massive expense. I use it for both securing my Google Account and my Last Pass account. Neither of which do I pay $45 annually for.

It is an added level of security which I really, really want so I will feel more at ease storing potentially sensitive information in the cloud. I practice good password administration... but if someone somehow got my password through a keylogger or other vector, they would still need my mobile phone to get in to my account. If you don't want additional security, that's fine. Good luck to you.

You make some good points, of course, about keyloggers and so forth. I haven't typed a password in a long time (I use a password manager), and I use my own devices, so I've been able to avoid these kinds of problems so far. I understand that some people have no choice but to log in on devices that are out of their control, so 2fa would certainly make sense for them.

As for the massive expense, I have no idea how much it would cost Evernote in terms of time, human resources, and money to implement it. I am guessing, though, that all things being equal, every site in the world would just as soon have 2fa as an option, so it must be the costs that are discouraging them from implementing it. That's really the basis of my argument, isn't it? If Evernote (or someone else in the know) jumps on here and tells me that it doesn't cost much at all to implement and it would be relatively simple to code, then I'd be all for it.

Assuming Evernote is using any of a number of standard authentication services, then turning on 2fa is simply a matter of setting a few options, and installing some authentication servers. Of course if they rolled their own authentication services then who knows, but quite frankly, "Doh."

Link to comment
  • Level 5

Indeed the source code for Google Authenticator and YubiKey is freely available for the server side.

And there are mobile implementations on code.google.com for Android, iOS, and Blackberry.

If Evernote wanted to cut down on the backlash or support costs, make it a user preference for the main web interface logon.

The move of clients to OAuth somewhat helps bring those into the fold without any changes needed to the clients.

It's just one more field to fill in on the initial login when granting an app access to the Evernote account.

Link to comment

The problem is, like Facebook, gmail, and Dropbox, outside services access my Evernote account. I thought it was all going towards OAuth but it hasn't as far as I can tell.

Actually, as of November 1st all existing third party applications require use of OAuth. We removed username and password authentication permissions on the API key on that day after a 6 month transition period for all third party developers.

That is actually not true. What seems to have happened is all new apps require it. I just tried with MagicalPad which does not use OAuth and it allowed me to add a set of notes to my Evernote account. I then logged out of EN in MP and tried to log back in. That failed, indicating that new connections do require OAuth, but anyone who was already logged in as of Nov 1 is still logged in.

Hmmm. That's not my understanding. I'll flag this, clarify with the platform team and get back to you post haste.

Brief update here, received further clarification. We began disabling keys on November 1st, the important distinction here being that if a third party app needed more time, we gave it to them. As apps release updates, they watch to see progress on updates, then we revoke the key.

Furthermore, if you want to check what is and is not working, the application list of connected applications (https://www.evernote.com/AuthorizedServices.action) only shows for apps using OAuth. If an app still uses username/password authentication - it won't show in that list. Users should check if updates are available for their apps (for example - FastEver definitely has an update out that uses OAuth). In order for apps to switch from username/password to OAuth - they need to push an update.

Well, just so you know my sequence of events:

  1. Installed MagicalPad update and logged into Evernote in August or September
  2. Today, opened MagicalPad and "shared" a note with Evernote (to confirm I could)
  3. Went into MagicalPad settings and told it to log out of Evernote.
  4. Tried to log back into EN and couldn't, since it does not support OAuth - and I just sent a note to the developer as I have just effectively bricked my MagicalPad app. :D

Appreciate you looking into this.

I think you were right to reach out to MagicalPad on this one. We're showing that they have a time extension, meaning we haven't disabled their key yet to go OAuth only, which is why they also aren't appearing in your apps list. In short, OAuth isn't causing the error you're seeing.

Link to comment
  • Level 5*

I think you were right to reach out to MagicalPad on this one. We're showing that they have a time extension, meaning we haven't disabled their key yet to go OAuth only, which is why they also aren't appearing in your apps list. In short, OAuth isn't causing the error you're seeing.

Thanks for the info. It does explain what we are seeing. It doesn't explain my personal issue with MP. I'll deal with that one. :)

Link to comment

I think you were right to reach out to MagicalPad on this one. We're showing that they have a time extension, meaning we haven't disabled their key yet to go OAuth only, which is why they also aren't appearing in your apps list. In short, OAuth isn't causing the error you're seeing.

OK confirmed FastEver update uses OAuth, but surely as their app was updated on the 2nd it shouldn't continue to work with Username & Password?

Link to comment
  • Level 5*

I favor 2-factor authentication, but for those who are not concerned about security, maybe there could be the option to have the current standard approach? Seriously, if there are as many people out there as I hear there are with the password of "password" I can understand why EN folks are hesitant to go that route. However, the banks are going the 2-factor route anyway. It is becoming standard for many systems now. Bring it on.

Link to comment

I'll be honest the lack of two step authentication is a bit staggering to me. I would like to use Evernote to retain secure information but continuously have to refrain because of the lack of this security measure. Evernote may just be a "note" app but people still prefer to retain certain information they want to remember all in one place which also happens to be secure information such as passwords, account numbers, etc.

I have to agree with some of the aforementioned comments that it seems like a no-brainer to me. I would pay for an RSA-style keyfob like PayPal has without a doubt in my mind, even if it also required upgrading to a premium account I would do it without a doubt. If something like that isn't feasible or cost effective I would be just as happy to see Google Authenticator support added.

Link to comment

+1 for two factor authentication. Considering how easy it is to add Google Authenticator to my own WordPress site, I can't imagine it would be that difficult for the smart folks at Evernote to add.

Even better would be the ability to restrict logins to particular devices/installations/countries (much like the LastPass security model)

Link to comment

+10 for 2 step verification...

This is a must, since there is so much valuable data being stored on Evernote. This is a major security risk for those that are using Evernote on a daily basis to keep track of their documents and what not. The TEXT encryption option is nice, but it would be good for images as well.

Now as for the 2 step authentication, there should be multiple options with either the Google Authenticator or duosecurity.com .. there's really no point in reinventing the wheel here to have an "Evernote" authenticator app. Just piggyback on the big boys that already have it done... really hope this gets up soon.

Link to comment

If the computer you are using is compromised with a keylogger, you have bigger issues to worry about.

The great thing about EN is the ability to use it quickly from any mobile phone or tablet to look up data. 2-factor authentication will slow things down.

I wouldn't trust the EN to keep my data secure anyway.

If you have any information that is really sensitive, you should encrypt it before putting it into Evernote. There's a gazillion and a half ways to do it. E.g. put it inside an AES encrypted zip file. Or use KeePass. Or a portable TrueCrypt container.

Anything else, such as store receipts, web page snippets, recipes, etc. - if someone steals it, not a big deal.

Link to comment

If the computer you are using is compromised with a keylogger, you have bigger issues to worry about.

The great thing about EN is the ability to use it quickly from any mobile phone or tablet to look up data. 2-factor authentication will slow things down.

I wouldn't trust the EN to keep my data secure anyway.

If you have any information that is really sensitive, you should encrypt it before putting it into Evernote. There's a gazillion and a half ways to do it. E.g. put it inside an AES encrypted zip file. Or use KeePass. Or a portable TrueCrypt container.

Anything else, such as store receipts, web page snippets, recipes, etc. - if someone steals it, not a big deal.

Yeah, 'cause I love looking up my secure information while away from home on my KeePass iOS client. The problem is that I need information to be accessible but secure. KeePass and TrueCrypt containers are not easily accessible from my home PC, tablet, iPhone and Android. The number one reason I prefer Evernote is that they've got a great user interface on almost every device imaginable. If I wanted it to be a pain in the rear to reference I'd keep it in a Rolodex on my desk in a handwritten encryption. And if you're so worried about it slowing you down then just don't utilize the 2-step authentication. It would be an option not a requirement.

Link to comment

@Dailen:

Reading your post, you were talking about a hardware 2FA - keyfob / card pass. This is actually a decent workable solution (although it probably means you can only use it on a desktop or a tablet with a card slot). But this is not a way most providers do it, unfortunately. At least not in the States. And it's not very well developed for mobile users.

The hardware key is a better option than other solutions but it can't be used with smartphones or many tablets. This cuts out a large number of users. So it probably doesn't make business sense to develop, procure, and service the required hardware.

I think the OP or someone here mentioned Google. Google's 2FA method, if I am not mistaken, is sending a text message to a mobile phone when you are trying to use a new device to log in. Banks make you type answers to a few preselected questions, etc. Most 2FA methods used here do not involve any physical hardware key required to unlock the data.

The problem with this approach is, it's obfuscation rather than protection. E.g. if you are using a keylogged computer, after a few sessions all of your questions are known.

The third possible solution is what KeePass uses - a keyfile along with a password. This is still not 100% secure.

Unless EN starts selling hardware keys, the best method is still to encrypt files individually. You can still use EN tags to search for them. Any other method is simply not secure enough. Of course this means that you don't decrypt them on a compromised machine, so even if someone breaks into your account, they still have to deal with encrypted attachments.

Link to comment
  • Level 5*

Given that they have just released major updates to both the Mac and iOS apps without this feature, I'm guessing it's fairly safe to assume that it's not on the short term roadmap.

Link to comment
  • Level 5

If the computer you are using is compromised with a keylogger, you have bigger issues to worry about.

The great thing about EN is the ability to use it quickly from any mobile phone or tablet to look up data. 2-factor authentication will slow things down.

It's not just your own PC you need to worry about. Remember this is in the cloud. It's accessible from any PC you happen to be near. If a site is 2 factor enabled, you can do that, be it a hotel kiosk, or a PC in a Library. 2 factor is what makes that a safe reality.

2 factor doesn't have to slow your mobile device down either.

I use 2 factor on all my Google stuff on my iPhone/iPad, and all the rest of the sites are in Last Pass with Yubikey authentication (you can use a Yubikey on an iOS device with the USB camera connector kit, or manually add the mobile device on the Lastpass website - or use Google Authenticator with Lastpass instead, but I prefer the hardware key where possible).

You only need to enter the 2nd factor once (or optionally every 30 days with Google), when you connect the client for the first time. Thereafter, the mobile device itself is trusted (through a unique GUID, or device hashing). Both Google and LastPass let you see the devices connected and you can verify and revoke access as needed.

But the point is the 2nd factor comes in only periodically, or for new devices accessing the account, or from new IPs, depends.

Link to comment
  • Level 5

@Dailen:

Reading your post, you were talking about a hardware 2FA - keyfob / card pass. This is actually a decent workable solution (although it probably means you can only use it on a desktop or a tablet with a card slot). But this is not a way most providers do it, unfortunately. At least not in the States. And it's not very well developed for mobile users.

The hardware key is a better option than other solutions but it can't be used with smartphones or many tablets. This cuts out a large number of users. So it probably doesn't make business sense to develop, procure, and service the required hardware.

I think the OP or someone here mentioned Google. Google's 2FA method, if I am not mistaken, is sending a text message to a mobile phone when you are trying to use a new device to log in. Banks make you type answers to a few preselected questions, etc. Most 2FA methods used here do not involve any physical hardware key required to unlock the data.

The problem with this approach is, it's obfuscation rather than protection. E.g. if you are using a keylogged computer, after a few sessions all of your questions are known.

The third possible solution is what KeePass uses - a keyfile along with a password. This is still not 100% secure.

Unless EN starts selling hardware keys, the best method is still to encrypt files individually. You can still use EN tags to search for them. Any other method is simply not secure enough. Of course this means that you don't decrypt them on a compromised machine, so even if someone breaks into your account, they still have to deal with encrypted attachments.

Don't think you have the details quite right.

Evernote doesn't have to sell anything.

They add a few lines of code and already existing 2 factor solutions can be used.

It was trivial to add Yubikey and Google Authenticator to WordPress, as an example.

You can use the "keyfob/cardpass" like the Verisign/Symantec VIP device (sounds like that's what you were referring to), but they also have it in software form. There are likely some license fees for the vendor side with that one though.

Google Authenticator runs primarily as an app, but on many platforms, and even in HTML5 and Java, so pretty much anywhere. See http://en.wikipedia.org/wiki/Google_Authenticator#Implementation

Yubikey covers a lot of bases in a lot of form factors: http://www.yubico.com/products/yubikey-hardware/

It can send the Verisign/Symantec VIP tokens, you can use the Neo version with NFC so one time passwords can be touchless and include NFC enabled mobiles. And then just the standard Yubikey stuff, for anything with a USB port. One button push inserts your OTP just as if you typed it yourself. Pretty seamless.

Ideally I'd like to see Evernote go pretty much exactly the way LastPass has.

  • The 2 factor is optional, you turn it on in preferences and select which method
    • A list of pre-generated OTPs that you can keep as a fallback
    • A Yubikey for painless entry
    • Google Authenticator for those who prefer a hardware-less approach
  • You enter it the first time any client (mobile or desktop) logs in. From that point you can select the client as trusted, and like the current OAuth implementation Evernote has, you aren't re-asked for either 1 year, or until you connect with a new or re-installed client (this would fix the current mobile Evernote security hole with PIN)
  • The mobile clients themselves are a "factor" in the login. Their GUID/device ID hashes show as a connected device in your online Evernote account, so you can see which mobile clients are attached and when they last connected to the service, with a revoke button.
  • A mobile client PIN that is real, not trivially bypass-able

The barrier doesn't need to be on the client side. Where the 2nd factor shows up as the hurdle (as designed) is when someone tries to take your credentials and use them on their PC, or Evernote client.

What 2 factor gives you is the pleasure of being able to get at your data from whatever browser happens to be next to you. I only need my Yubikey (rides on my keychain with my keys), or my Google Authenticator on my phone. I merely, do not mark the device as trusted, when logging in. Get at my data. And then securely log off.

You can watch me log in, even write my password down.

Once I log off, and walk away with the 2nd factor, you can't log back in.

Hackers can brute force on the Evernote website all day long, or breach Evernote and steal the password database.

They still can't log into your account.

A mountain of peace of mind, and the only extra "burden" I have is an extra 6 digits to enter every 30 days (even that's optional), or to push one button on a Yubikey when setting up a new client, or when on a foreign machine? That's briar patch.

So in my trivial way, I vote with my wallet.

My premium renewal is today.

I'm not.

I'm registering my vote on v5 et al, broken features, security holes, and the months and years of missing meaningful features over UI spackle.

Hoping to be able to reverse that and pitch in with Premium funds at some point in the future.

Link to comment
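Added example (not Evernote's, Google's, Yubico's or any poster's code): the server side of the Google Authenticator-style option described in the post above and in the earlier remark that the server-side source is freely available. It verifies RFC 6238 TOTP codes with a one-step clock-skew window and rejects replays of an already-used step, keeps a list of one-time backup codes as hashes only, and issues a revocable "trusted device" token so a client is not re-asked for 30 days. The 20-byte secret, 6-digit codes, 30-second step and 30-day lifetime are assumptions; the expected codes in the comments come from RFC 4226/6238.

```python
"""Server-side TOTP second factor: verification with skew window and replay
protection, hashed one-time backup codes, and trusted-device tokens.
Added example; assumed parameters, in-memory state only."""
import base64
import hashlib
import hmac
import secrets
import struct

TIME_STEP = 30                   # seconds per step (Google Authenticator default)
DIGITS = 6                       # code length shown by the app
TRUST_SECONDS = 30 * 24 * 3600   # assumed "remember this device" lifetime


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic
    truncation to a decimal code. RFC 4226 vector: counter 0 -> 755224."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from Unix time.
    RFC 6238 vector (secret b'12345678901234567890'): at 59 -> 287082."""
    return hotp(secret, at // step)


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """otpauth:// URI the authenticator app scans as a QR code at enrolment."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return f"otpauth://totp/{issuer}:{account}?secret={b32}&issuer={issuer}"


class SecondFactor:
    """Per-user second-factor state a login service would persist."""

    def __init__(self, secret=None):
        self.secret = secret or secrets.token_bytes(20)
        self.last_counter = -1     # highest time step already accepted
        self.backup_hashes = set()  # sha256 of unused backup codes
        self.trusted = {}          # sha256(token) -> expiry (Unix seconds)

    @staticmethod
    def _h(value: str) -> str:
        return hashlib.sha256(value.encode()).hexdigest()

    def verify_totp(self, code: str, now: int, skew_steps: int = 1) -> bool:
        """Accept the code for the current step or +/- skew_steps, but never a
        step at or below one already used: a code seen by a keylogger or
        shoulder-surfer cannot be replayed once it has been consumed."""
        current = now // TIME_STEP
        for counter in range(current - skew_steps, current + skew_steps + 1):
            if counter <= self.last_counter:
                continue
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False

    def issue_backup_codes(self, n: int = 10) -> list:
        """Pre-generated fallback codes; the server keeps only their hashes."""
        codes = [secrets.token_hex(5) for _ in range(n)]
        self.backup_hashes = {self._h(c) for c in codes}
        return codes

    def verify_backup(self, code: str) -> bool:
        """Each backup code works exactly once."""
        h = self._h(code)
        if h in self.backup_hashes:
            self.backup_hashes.discard(h)
            return True
        return False

    def trust_device(self, now: int) -> str:
        """After a successful second factor, hand the client a random token it
        presents on later logins instead of a code (stored hashed, expiring)."""
        token = secrets.token_urlsafe(32)
        self.trusted[self._h(token)] = now + TRUST_SECONDS
        return token

    def is_trusted(self, token: str, now: int) -> bool:
        expiry = self.trusted.get(self._h(token))
        return expiry is not None and now < expiry

    def revoke_all_devices(self) -> None:
        """The 'revoke' button from the connected-devices list."""
        self.trusted.clear()
```

A stolen password alone fails `verify_totp`, and a stolen password plus a captured code fails once that step has been consumed; only the trusted-device token or a fresh code from the enrolled secret gets through.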
  • Level 5

Given that they have just released major updates to both the Mac and iOS apps without this feature, I'm guessing it's fairly safe to assume that it's not on the short term roadmap.

Actually with the shift to OAuth, (almost) all of this should be doable on the server side, without change to the clients.

What may require a code change is to fix the PIN bypass issue. Likely with a first run variable set in NSUserDefault to just wipe the keychain stored OAuth token after a re-install.

Link to comment
  • Level 5*
It would be very, very surprising if enabling 2-factor auth is not Evernote's highest priority. Evernote is the last standing service I seriously rely on that does not have the 2-factor auth.

Sorry, they're busy rolling out Evernote Business, new versions of most clients, and, uh, other stuff.

Link to comment
  • Level 5
It would be very, very surprising if enabling 2-factor auth is not Evernote's highest priority. Evernote is the last standing service I seriously rely on that does not have the 2-factor auth.

Sorry, they're busy rolling out Evernote Business, new versions of most clients, and, uh, other stuff.

Uh huh. And if they're not thinking about 2-factor in that context then they still aren't thinking right about what it takes to attract and also keep customers.

Business is where 2-factor lives.

It's what helps services get in the door with IT buy-in.

Speaking as one of those IT decision makers...

Evernote doesn't get business data into it, without stronger authentication.

When you have a personal account, you are invested in the safety and security of that data, and use risk appropriate handling, or you don't put it in there.

In business, you have a lot of disconnected pressures.

Business says, this data must be available and shared, rather than silo-ed on your desktop.

But when it's an outside service, IT loses insight into password strength, data usage and other security.

Data that is crucial to one person is pointless to someone else. Yet the crucial data is exposed to Mr. laissez-faire and his password and PC handling habits.

2-factor lets IT stop worrying about passwords.

Even a strong password is useless when it's re-used, left on sticky notes, or hacked from Evernote (or another site where the same password was used).

A strong password, while critical if that's all you have, is just a game and security theater on the business network.

http://www.techweeke...-security-90733

"Box, which aims its storage and collaboration tools at enterprises, said it had not been compelled by any specific security event as Dropbox had, but customers had been asking for the additional protection.

The San Francisco company boasts is one of its key differentiators in the cloud space, where data protection is one of the most significant barriers to adoption. Adding two-factor authentication will give it more to brag about."

Certainly Evernote must want some marketable business brag-ability, and low barriers to adoption. Along with the investors no doubt.

Just saying...

I'm about to be non-premium at the end of the day.

LastPass has 2-factor and gets how to keep my data secure and available on all my browsers and devices.

I'm a committed life long LastPass customer.

Evernote's not (yet) in our business structure, LastPass is.

Usable, ubiquitous data is Evernote's life-blood. If protecting that life-blood isn't up there with the top goals, and it spills out onto the street, what's the prognosis?

  • Level 5*

I'm just saying that they have other higher priorities, apparently. They seem to know a little bit about security, I'd be surprised if they're not thinking about the issue. But if it were as easy as is claimed (I don't know whether it is or isn't), and it were so important as is claimed (ditto previous), I'm thinking it would have been done by now.

Link to comment
It would be very, very surprising if enabling 2-factor auth is not Evernote's highest priority. Evernote is the last standing service I seriously rely on that does not have the 2-factor auth.

Sorry, they're busy rolling out Evernote Business, new versions of most clients, and, uh, other stuff.

That's exactly what I meant. It would be very, very surprising if rolling out Evernote business with sub-par security or luring customers to store more personal data in a service with sub-par security is a higher priority than adding the 2-factor auth. Do not get me wrong, I am a premium user and love Evernote, but simply do not feel comfortable when piles of my personal data are protected only with a password.

  • Level 5*
It would be very, very surprising if enabling 2-factor auth is not Evernote's highest priority. Evernote is the last standing service I seriously rely on that does not have the 2-factor auth.

Sorry, they're busy rolling out Evernote Business, new versions of most clients, and, uh, other stuff.

That's exactly what I meant. It would be very, very surprising if rolling out Evernote business with sub-par security or luring customers to store more personal data in a service with sub-par security is a higher priority than adding the 2-factor auth. Do not get me wrong, I am a premium user and love Evernote, but simply do not feel comfortable when piles of my personal data are protected only with a password.

Why not? If you follow good password practices, the chances of your account being compromised are extremely small. No one is questioning the superior security offered by 2fa, but not having 2fa doesn't mean that your account is insecure or "sub-par."

I've covered this in all the other 2fa threads, and I don't want to stir up people here, but I do think it is in everyone's benefit to have a realistic assessment of security risks and not blow things out of proportion. As for businesses, I am sure that they are well-aware of 2fa, and will make decisions based on their situation.

For example, a business that wants to share procedures across the company for how to operate software they use in their business probably doesn't need to worry much about 2fa. It would be nice, but not necessary.

Companies using corporate email to send work-related documents rarely (in my experience) employ 2fa, so they are essentially accepting the same level of risk they already have. 2fa would be nice, but not necessary.

Companies working with sensitive documents that they would only let out of the office in an extremely secure email service or encrypted will want to carefully consider their policies if they choose to employ Evernote. As it turns out, if they continue encrypting their documents, they ought to be fine. 2fa would be especially nice here, but workarounds exist even for these businesses.

Anyhow, I can think of a whole lot of cases in which 2fa is unnecessary. While it would be nice to have it, I think it is not as simple as saying you are either secure or unsecure.

  • Evernote Expert

If Evernote cannot address this issue, probably the most important one, all the other pluses of Evernote simply add up to zilch, and, as the other person announced, since EN is present on the cloud, our data can be accessed by anybody from anywhere, through just a browser.

A simple message like "We are working on 2 factor authentication and it will be up soon" would be comforting. Data theft/virus/malware/spyware are so, so rampant today that they can affect practically anybody.

I bet that if Evernote made an official announcement that they were not interested in implementing 2 factor, half the people would quit Evernote.

One must understand that EN is no longer simply a note-taking tool; people use it for storing personal information: memories, research information, and what not.

Just because some one or some company does not employ 2factauth, and is willing to compromise on their safety, doesn't mean that we also should.

I shall cite a simple example. I was using Windows Consumer Preview; its antivirus used to get updated automatically. After Windows 8 was launched commercially, Windows stopped the automatic antivirus updates and gave no direct notice of it. I was under the impression that I was protected, until I noticed something fishy. I checked the antivirus and saw that it was out of date.

To sum up things in 1 sentence,

"Data security is far more important today than data organization, ease of info access and storage."

  • Level 5

I bet that if Evernote made an official announcement that they were not interested in implementing 2 factor, half the people would quit Evernote.

Come on! Get real.

15 million users are not going to drop a powerful program like Evernote over such a statement.

  • Level 5*

I'm a sophisticated user with 20 years of enterprise IT experience; I've worked on major projects on 4 continents with massive commercial, financial and networking customers. 2fa is a nice-to-have, but the reality of data loss is that I am much more likely to have my data compromised by an attack directly on Evernote's server side security, or by a mistake by an employee, than I am by a random attack on my own computer. The people who make a living out of attacking personal data don't do so by breaking one password at a time; they do it by either taking advantage of an existing server side hole or creating their own one through physical theft or social engineering.

I would imagine that Evernote's user base, which is close to 40m, would probably lose a tiny percentage if they announced that 2fa is not on their roadmap. They will never make this announcement and they may even introduce it tomorrow, but to imply that by not having it your data is at some massive risk, or that we are on the verge of a large closure of accounts, shows little understanding of what data security really means.

  • Evernote Expert

I bet that if Evernote made an official announcement that they were not interested in implementing 2 factor, half the people would quit Evernote.

Come on! Get real.

15 million users are not going to drop a powerful program like Evernote over such a statement.

I guess you'd be happier being an EN fanboy than allowing someone to steal your precious data online, I suppose. Good luck :)

  • Evernote Expert

I'm a sophisticated user with 20 years of enterprise IT experience; I've worked on major projects on 4 continents with massive commercial, financial and networking customers. 2fa is a nice-to-have, but the reality of data loss is that I am much more likely to have my data compromised by an attack directly on Evernote's server side security, or by a mistake by an employee, than I am by a random attack on my own computer. The people who make a living out of attacking personal data don't do so by breaking one password at a time; they do it by either taking advantage of an existing server side hole or creating their own one through physical theft or social engineering.

I would imagine that Evernote's user base, which is close to 40m, would probably lose a tiny percentage if they announced that 2fa is not on their roadmap. They will never make this announcement and they may even introduce it tomorrow, but to imply that by not having it your data is at some massive risk, or that we are on the verge of a large closure of accounts, shows little understanding of what data security really means.

Thanks for your reply. But there are other concerns as well; I suppose that many people like me would have similar concerns. I love Evernote, I am not denying it, and EN has improved my productivity many times over. But one cannot deny the fact that the more you use EN (especially premium users), the less likely we are to get out of the ecosystem. Yes, I can download my data in one HTML file, but that doesn't quite replace the data organization and won't be importable in another system.

And this issue is not some itty bitty issue. 2 Factor Authentication will give you an immense feeling of satisfaction that your data is 100% safe. When EN's cloud contemporaries like Google and Dropbox are going 2fa, why not EN? Like the OP said, make it optional: those who want to use the feature, let them use it. And if the facility costs something extra, let EN charge for it.

  • Level 5*

Kind of ignoring your childish response to Jbenson, if 2fa is such a big deal to you and you know Evernote doesn't currently support it and may never do so, why haven't you moved your tank onto someone else's lawn?

  • Level 5*

I'm a sophisticated user with 20 years of enterprise IT experience; I've worked on major projects on 4 continents with massive commercial, financial and networking customers. 2fa is a nice-to-have, but the reality of data loss is that I am much more likely to have my data compromised by an attack directly on Evernote's server side security, or by a mistake by an employee, than I am by a random attack on my own computer. The people who make a living out of attacking personal data don't do so by breaking one password at a time; they do it by either taking advantage of an existing server side hole or creating their own one through physical theft or social engineering.

I would imagine that Evernote's user base, which is close to 40m, would probably lose a tiny percentage if they announced that 2fa is not on their roadmap. They will never make this announcement and they may even introduce it tomorrow, but to imply that by not having it your data is at some massive risk, or that we are on the verge of a large closure of accounts, shows little understanding of what data security really means.

Thanks for your reply. But there are other concerns as well; I suppose that many people like me would have similar concerns. I love Evernote, I am not denying it, and EN has improved my productivity many times over. But one cannot deny the fact that the more you use EN (especially premium users), the less likely we are to get out of the ecosystem. Yes, I can download my data in one HTML file, but that doesn't quite replace the data organization and won't be importable in another system.

And this issue is not some itty bitty issue. 2 Factor Authentication will give you an immense feeling of satisfaction that your data is 100% safe.

Completely wrong: 2fa does in no way mean that your data is 100% safe. It seems that you are ignoring the reality of data breaches; they do not in any great number come from individual users. They come from the supplier, and 2fa doesn't provide you any further significant protection in this case.

  • Evernote Expert

I will give my final word on this topic. Even after so many threads and posts, if EN does not address this issue immediately, we are sitting on a potential minefield, waiting for one of them to explode at any moment. What guarantee is there that the successful hack attempt at Yahoo may not be repeated at EN? And if such an event happened, all the positive credibility earned by EN would vaporise, not to forget further legal complications and, most importantly, the thought process going through the heads of the users.

And for God's sake, all the EN fanboys, kindly stop saying that the security at EN is good enough. It is just a reflection of the contemptuous attitude that you have towards the genuine concerns of all the other users who post in favour of the topic.

It is Evernote's prerogative to implement such a feature or not, but the minimum that it can do is come clear on its intentions regarding such an important subject.

"Be safe than sorry".
