
Two step authentication (e.g. via Google authenticator) and encryption



@Grumpy "Actually, it is probably the appearance of security (the existence of a feature) rather than actual usage that will improve people's impression of Evernote. Even if only just one user implements 2fa, the fact that they have it will raise their profile among those who are concerned about security. That shouldn't be discounted!"

Agreed, so let's get on with it, by the end of March please! (announcement of such would be good in the next 48 hours)

 

Never bother arguing with the evangelists... it's like feeding the trolls.

 

I will voice my displeasure and vote with my wallet. I will simply use the export feature and take all my Evernote data elsewhere. If I can't find a suitable online service with 2FA I will utilize a local solution just as I did before Evernote (some support Dropbox sync anyway, so yea).

 

I mean nearly 3 years of lip service and they still haven't done 2FA... Decisions, decisions.

  • Replies 443


I didn't even know we were arguing about anything. In fact, I've been mostly in agreement with posters, with only minor differences in opinion. Evernote announced in December that they would implement 2fa (I don't know where your 3 years of lip service comes from). There are a lot of great applications out there. I hope that you find one that fits your needs and provides the two-factor authentication you need.


Hey Grumpy, when do they think they will implement 2FA?

 

Good question. I have no inside knowledge, so I am afraid I cannot say. My guess, though, would be sometime soon. They have actually been looking at this for a while now (see Dave's October 2012 comment here http://blog.evernote.com/tech/2012/10/10/password-safety-reminder/), and now that they have Business, it seems like good timing. In the meantime, long (10, 20, or more characters), random, unique, and regularly changed passwords will provide a pretty high level of security. 


Evernote evangelists know a lot about EN. Probably more than you do. They've certainly *helped* a lot more users than you have, with your one, single post. Yet we become targets when you disagree & we then get all lumped together. Grow up.


Well, I suppose EN is planning to hold back such classified information that they are working on 2fa, and make it so strong and unbreakable that they can release a 100FA for their 100 year anniversary. Right, EN? :wub:


About three years ago, someone managed to get access to an e-banking account of mine, and it is only because of 2fa that no money was stolen. Fortunately, the bank had been using 2fa ever since I started e-banking with them many years ago. At that time you received a printed list of transaction codes that you used one after the other. However, these codes were only required to start a transaction; you could log into your account to see your balance just with ID/password.

 

One day I was informed that there had been three attempts to transfer money from my account to an account in Russia, but that the transfers had not been permitted because the transaction codes entered had not been correct. The bank blocked my account and it turned out that someone had been able to log in with my ID/password, had started the transaction, but had entered wrong transaction codes. My password at this time was unique, reasonably strong, but I did not change it every month...

 

I still have no clue who gained access to my account or how it was done, but as a consequence I wiped my computer and re-installed everything from scratch. At the same time the bank introduced an improved authentication system using a little code generator device that operates with my ATM card. 

 

With this 'live' experience of the benefits of 2fa in mind, I very much appreciate that EN intends to introduce it, and I hope it will come soon. At the same time I am also hoping for improvements regarding the encryption of the database. Currently I encrypt sensitive data myself (mostly as .zip archives), but a built-in option to encrypt the entire content of notes, rather than only text, would be highly appreciated.


Dear Evernote,

 

In light of the recent security alert, please reward your premium (paying) subscribers with 2-step authentication security (e.g. via Google Authenticator) and allow for encrypted notes/notebooks.

 

I searched for 2 step authentication via google and on these forums and found lots of dead links to topics regarding 2 step auth... is someone deleting posts relating to authentication?

 

This is certainly a development that is needed. 2 step is being adopted by other cloud services, e.g. Dropbox (which has Google 2 step support) + boxcrypt; and LastPass, which also has a plethora of permitted 2 step auth schemes...

 

Come on, Evernote - step up to it!

 

Many thanks for listening to my request.

 

EDIT BY MODERATOR:  Merged with an existing thread.  Please do not start new threads on topics already being discussed.


No censoring of discussion of 2FA (or anything else) is going on that I know of. There could be a couple of reasons that links have gone dead that I can think of:

  • Links to posts in the old forum may be dead, even though many of the posts were transferred over
  • The moderators sometimes coalesce topics or posts, if they're identical/related (generally, what I will do is merge the new topic to the older topic). Links to posts that have been moved around may be dead, though you'd hope that the forum tools would take care of that.

If you know the locations of the links that you have found to be dead, you're welcome to list them here, and maybe some ambitious moderator could track their referents down, or at least mark them as dead.

 

I repeat that no censoring of discussions is taking place.


Thanks for merging. As mentioned I did search before posting and every link returned was dead - hence my (mistaken) conclusion of shenanigans.

 

Example links that were returned by both google search, and forum search:

 

http://discussion.evernote.com/topic/31878-2-step-two-factor-authentication-verification-needed-asap/

http://discussion.evernote.com/topic/22013-2-step-verification/

http://discussion.evernote.com/topic/24995-security-two-factor-authentication-please/page-2

etc


Interesting -- some other mod must have done the merge of your post. We really, really try to avoid censoring in these forums, though obviously spam removal is necessary, and the forum software is set up to "****" words that it considers to be bad.

 

Thanks for the links. Now for that ambitious moderator to step up and find out where the links live. :)

I merged JimboF's new thread into this one but did not alter JimboF's post in any way. If the links were ok before & dead now (which really doesn't make sense), then there may be a flaw in the message board merge option.

Ok, reread the post. Someone else merged the 2fa threads at least more than a couple of days ago. It wasn't me. We went through this over the weekend, when someone else accused the admins/mods of deleting the 2fa threads after the EN hack & Heather posted the live link to the merged thread.


http://discussion.evernote.com/topic/35596-what-is-evernotes-stance-on-2-factor-authentication-post-the-security-mishap/

Apologies for continuing the OT posts: so the root cause is tidy-up activities by the mods, and an out-of-date/stale search index?

 

Update: thanks for the link to the other accusation of censorship - shame this was not the 1st hit on my search :)


Looks like the links that you posted were all links to topics in the new forum, so it's probably a side-effect of topic merging. I certainly did some of that; I usually leave a note to the original poster so that they know that it happened. Anyways, carry on.

That's what it looks like to me. Although new links in the board seem to get out there pretty quickly, IDK how long it takes Google to remove broken/removed links. As Jeff stated, posts/threads are not censored with the exception of spam posts or posts that are generally considered offensive. Even in that case, posts will remain but may be edited by a mod & the mod will add a note in the post to that effect, just as I did when merging your post into this thread.

LOL. It was a real shame about that rollout getting bungled, because without the crashing it would have really impressed people (I think). Now, with the hacking thing, no one is even paying attention to the app. The iOS team deserves a lot more positive attention than they are getting on this one!

Ding.  And that's why the time you spend iterating on the QA and security processes all the way along.

Weekends like these are expensive in so many ways from development to support and over time, sales and marketing as the image/brand is tarnished.

 

And as you point out, it robs the kudos due for the development dollars you have already spent.


Just +1'ing Google Authenticator or equivalent.

 

Evernote is one of those few apps that I'm likely to use on "strange" computers. I do try to stay out of Internet cafes and such, but I definitely log into Evernote, Dropbox, my email accounts and LastPass when I'm away from my own computers. Evernote is also often a gateway to other important information (account numbers, identifying information for password resets, etc.)

 

Having 2FA just on those sorts of apps means that a keylogger attack is worthless, as is someone just looking over my shoulder. I'd love to see it, and I think it's one app where it really makes a lot of sense. 

 

FYI, EN Engineers: LastPass does a lovely job with its 2FA method, including letting me dictate which specific devices are "safe" and can bypass it.

Hi. Thanks for posting that link. I don't think it was a "good" article, though. For example, the CEO announced 2-factor authentication in December, not April of last year. The dating on the interview that is linked from that article is in the European style, so it goes day, month, year. If he visited the forums, and read the 2fa threads, he'd know this :)


I am sorry Grumpy, but your argument holds little water here. When the whole world is up in arms and talking about 2fa, especially after the recent security hack, common sense said that EN must have made a mention of it in their official release. Sadly, I find nothing of it, nor in the official EN forums. And 3 days later, when millions are crying for it, it would still not be late for the EN team to come out with an official release at least telling the status of 2fa, if they are indeed currently in implementation. Sadly, no. So, by making a reference to some post made 2 months ago, and with an Evangelist who claims to not know the inner workings of Evernote, I think it's not fair to mislead people when the main guns of EN themselves are not interested in taking a stance on EN.

 

Surely, you know - I know - everyone on the internet seems to want to know the status of 2fa, then my question really is why aren't the people officially letting us know what the status is? I don't care if it costs 10 dollars more/user, or is much more complex to implement, or will be ready by tomorrow, or in 2 years' time, or possibly EN is working on some super dooper uncrackable technology. Whatever? As users, we have the right to know the status of things as they stand as of today. If Evernote encourages us to upload tax documents online, surely it must be an unbreakable locker. And given that we are putting our entire digital life up there, paying money and promoting the service, we demand to know, not from an Evangelist who will take no responsibility but from an official representative. Remember that every day we continue to use Evernote, we get entangled in a situation we cannot come out of easily, since our information is all up and organized, and if we get the real thought process on 2fa of what's in EN's top decision-making heads, we can make a decision.

 

The cloud brings us great conveniences all right, but if 1 major security risk outweighs all the other good, then there is little point in going through with it. It is like saying that I can give you a super smart phone that can make you coffee, take you to Jupiter and take your dog for a walk, but there is a 50% chance of cancer, and it will take us 1 year to get a definite or acceptable cure for cancer if you continue using our phone. If the information was this clear, the user could decide for himself if the phone is worth it or not.

 

I don't blame you Grumpy, but I get this really sick feeling that EN and the Evangelists in this forum have created a detrimental culture of non-accountability for the big bosses in Evernote, that all our shortcomings will be taken care of by the Evangelists, and the fact that not an official word on 2fa has come out, even after an attempt by hackers to crack Evernote, seems to be reflective of it.

My argument doesn't hold water? The author of the article was wrong. As far as I know, that is a fact. You may like the conclusions that the author reaches, but marshaling mistaken evidence in support of it hardly makes for a persuasive argument that Evernote doesn't care about security. 

 

My personal opinion and interest isn't going to generate a culture of non-accountability, because my voice carries little, if any weight, at Evernote headquarters. Do you see a vertical list view on OSX? I didn't think so :) I'm just a user like you and everyone else. Personally, 2fa is not a hot button issue for me. That's all. I've encouraged you and others to speak your minds on the forums. What more should I do?

Yet another classic example of a post by Evangelists deviating from the main line of attack and defending Evernote, in spite of its flaws. I don't say that EN needs to implement 2fa by tomorrow. If you really think that EN carries that much interest in user security, and also realised that the forum and the internet are boiling for 2fa, don't you think that the bosses should come out and say, "Guys, chill, the hackers couldn't even dent a scratch on us, but in the interest of so many users who want to know the status of 2fa, this is this and that... and it will be implemented by so and so date... or something to that effect?"

 

Well, if Evernote continues to remain silent and says that merely resetting the password will make things better without even touching on a simmering issue, then I think it does nothing but reek of contempt for the users' emotions and requests, especially after what we all have been through last week. If 2fa is not a hot spot for you, so be it. There are millions of users clamoring for 2fa, and all the tech forums say that it is time for EN to go 2fa. Maybe EN thinks that we all are stupid or probably not worth responding to...

Link to comment
  • Level 5*

 

 

 

 

 

Hi. Thanks for posting that link. I don't think it was a "good" article, though. For example, the CEO announced 2-factor authentication in December, not April of last year. The dating on the interview that is linked from that article is in the European style, so it goes day, month, year. If he visited the forums, and read the 2fa threads, he'd know this :)

 

I am sorry Grumpy, but your argument holds little water here. When the whole world is up in arms and talking about 2fa especially after the recent security hack, common sense said that EN must have made a mention of it in their official release. Sadly, i find nothing of it nor in the official EN forums. And 3 days later, when millions are crying for it, it would still not be late for the EN team to come out with an official release atleast telling the status of 2fa, if they are indeed currently in implementation. Sadly, no. So, by making a reference to some post made 2 months ago, and with an Evangelist who claims to not know the inner workings of Evernote, i think its not fair to mislead people when the main guns of EN themselves are not interested in taking a stance on EN.

 

Surely, you know - i know - everyone on the internet seems to be want to know the status of 2fa, then my question really is why aren't the people officially letting us know what the status is?  I don't care if it costs 10 dollars more/user, or is much complex to implement, or will be ready by tomorrow, or in 2 years time , or possibly EN is working on some super dooper uncrackable technology.Whatever? As users, we have the right to know the status of things as they stand as off today. If Evernote encourages us to upload tax documents online, surely, it must be an unbreakable locker. And given that we are putting our entire digital life up there, paying money and promoting the service, we demand to know not from an Evangelist who will take no responsibility but from an official representative. Remember that everyday we continue to use Evernote, we get entangled in a situation where we cannot come out of it easily, since our information is all up and organized, and if we get the real thought process of 2fa of whats in EN's top decision making heads, we can make a decision.

 

The cloud brings us great conveniences all right, but if 1 major risk of security outweighs all the other good, then there is little point of going through. It is like saying that i can give you a super smart phone that can make you coffee, take you to jupiter and take your dog for a walk, but there is a 50% chance of cancer, and it will take us 1 year to get a definite or acceptable cure for cancer if you continue using our phone.  If the information was this clear, the user can decide for himself if the phone is worth it or not.

 

I don't blame you Grumpy, but i get this really sick feeling that EN and Evangelists in this forum have created a detrimental culture of non accountability to the big bosses in Evernote , that all our shortcomings will be taken care by the Evangelists, and the fact that not an official word of 2fa has come out, even after an attempt to crack Evernote by hackers, seems to be reflective of it.

 

My argument doesn't hold water? The author of the article was wrong. As far as I know, that is a fact. You may like the conclusions that the author reaches, but marshaling mistaken evidence in support of it hardly makes for a persuasive argument that Evernote doesn't care about security. 

 

My personal opinion and interest isn't going to generate a culture of non-accountability, because my voice carries little, if any weight, at Evernote headquarters. Do you see a vertical list view on OSX? I didn't think so :) I'm just a user like you and everyone else. Personally, 2fa is not a hot button issue for me. That's all. I've encouraged you and others to speak your minds on the forums. What more should I do?

 

Yet another classic example post of Evangelists deviating from the main line of attack and defending Evernote, inspite of its flaws. I don't say that EN needs to implement 2fa by tomorrow.  If you really think that EN carried that much sense of interest in user security, and also realised that the forum and the internet are boiling for 2fa, don't you think that the bosses should come out and say, "Guys chill, the hackers couldn't even dent a scratch on us, but in interest of so many users who want to know status of 2fa, this is this and that.. and will implemented by so and so date.. or something to that effect?".

 

Well, if Evernote continues to remain silent and says that merely resetting the password will make things better, without even touching on a simmering issue, then I think it does nothing but reek of contempt for the users' emotions and requests, especially after what we all have been through last week. If 2fa is not a hot spot for you, so be it. There are millions of users clamoring for 2fa, and all the tech forums say that it is time for EN to go 2fa. Maybe EN thinks that we are all stupid or probably not worth responding to...

 

The guy got the facts wrong in his main argument about Evernote's lack of concern for consumers. I would call that quite relevant to the discussion, wouldn't you? I think it is cool that users are researching about Evernote on the web and posting links to other resources (that is why I thanked them for posting the link), but when the information is incorrect, then I think it benefits all of us to get the facts straight. It's up to you if you want to deal with the facts or not, but I see no place in my comments that "my argument does not hold water." Please point out my mistake.

 

I wasn't aware that we are here attacking Evernote. I am here for a discussion, and in this one, I do not agree with your point of view; namely, that if Evernote representatives do not appear in this thread and provide you an ETA for a feature, then that shows they think you are stupid or not worth responding to. I would prefer that they carefully develop any new feature, thoroughly test it, and implement it when they are ready.

 

What is "all that we have been through"? I woke up Saturday, Evernote told me to change my password, and I did. This is the same thing I have had to do for all sorts of other services. None of my data was compromised. The hackers took off with my email address (available to anyone with the ability to use Google), my user name (available to anyone who clicks on links to my shared notebooks), and an encrypted password that is now worthless. All I went through was (literally) a one minute process of changing my password. Some people went through a much rougher process, and I do feel for them, especially if they had to do something like download all of their data offline again. I think they certainly have justification for being upset. Were you one of those people? My impression from your posts was that you were just as "inconvenienced" as me.

 

I am not saying that Evernote shouldn't implement 2fa, or that I think it is OK for them to lose my user data to hackers (encrypted or not). However, if we step back from the hyperbole and emotion to look at the situation objectively, then I think you will agree that Evernote is acting in a responsible, respectful manner. Or, maybe you wouldn't agree. That is your choice, because this is a discussion board, after all, and it is OK to have a different opinion, whether we are Evangelists or not. 

Link to comment
  • Evernote Expert

One, I am more personally affected: my entire set of iOS Evernote apps, Hello included, is screwed. Installed the latest update, reinstalled, still the problem persists. Filed a ticket with support, yet to get a fix.

 

http://discussion.evernote.com/topic/35659-problem-continues-even-after-updated-software/

 

So, one, I have serious reasons to be damn pissed off, irrespective of whether 2 factor auth could have avoided the issue or not.

 

Evernote on my iOS is unusable as of now.

 

Two, as I said, I don't expect Evernote to come and reply to each person on the forum, but when EN issues an official statement which is considered to be the gospel truth over which thousands of reviews, posts and news will float, it is imperative that they talk about 2 factor auth in such an important press meet. Third, it has been 3-4 days now since the incident happened, and EN still has not released an official 2 factor auth, and that is my primary concern. You seem to be a not-for-2-factor-auth person, so I guess the fact that not an OFFFFFFFIIIIICCCCCIIIIAAAAALLLLLL mention of EN's stance on 2 factor auth has been made does not seem to concern you one bit. So, I think our arguments are irrelevant.

 

Anyways, thanks for being around and of great help. With staunch defenders like you, I am not very hopeful that EN might make such a statement; it cares little for the opinion of millions of users. After all, I suppose Phil Libin must have told his folks, "Don't worry, Grumpy and his team will take care of everything." :)

Link to comment

One, I am more personally affected: my entire set of iOS Evernote apps, Hello included, is screwed. Installed the latest update, reinstalled, still the problem persists. Filed a ticket with support, yet to get a fix.

 

http://discussion.evernote.com/topic/35659-problem-continues-even-after-updated-software/

 

Sorry for the delay here, and please expect longer than normal ticket responses--we've got our entire support staff working overtime responding to the influx of tickets associated with the reset--as you can imagine, volume has jumped up a bit.  It sounds like you've got a very specific issue, unrelated to the reset--provide me the ticket info and I'll look into it, but it sounds like it will be a specific bug related to the iOS client.

 

As for 2 factor or anything remotely related to the password reset--any new information will be released through our official channels, so you won't see me (or any employee) active in here waxing poetic on the reset--it's just not presently the proper place for it.  When we release additional information it will definitely be broadcast in the forums (and social media, etc) to ensure as many users as possible are made aware.

Link to comment
  • Level 5*

Glad it is coming soon. Sad it took this security incident to trigger it.

This change was already in the works.

Not the "coming soon" part. It was on the list to do in 2013. Now I suspect it is on the list to do ASAP.

Link to comment

Glad it is coming soon. Sad it took this security incident to trigger it.

This change was already in the works.
Not the "coming soon" part. It was on the list to do in 2013. Now I suspect it is on the list to do ASAP.
Excellent news, shame they are briefing the press etc rather than using "official channels" as gbarry put it? (Forum official announcements, Evernote Blog, Twitter etc)

Now what we need is a time frame. (This quarter?)

Link to comment
  • Level 5*

 

 

Glad it is coming soon. Sad it took this security incident to trigger it.

This change was already in the works.
Not the "coming soon" part. It was on the list to do in 2013. Now I suspect it is on the list to do ASAP.
Excellent news, shame they are briefing the press etc rather than using "official channels" as gbarry put it? (Forum official announcements, Evernote Blog, Twitter etc)

Now what we need is a time frame. (This quarter?)

 

How does that old song run? "Evernote don't do delivery dates.."

 

I'm interpreting,  with no inside knowledge whatsoever,  but I'd guess that:

  1. The press briefings are highly sensible firefighting against the recent negative headlines of "Evernote got hacked and was forced to..."
  2. There's no specifics involved so what are they going to tell us here?
  3. Publishing details of security plans tends to be counter-productive ("if you're going to hit me,  don't waste your time here,  or here..")
  4. Putting this together - even with some existing activity under their belt - is going to take a while (even the man from Sophos says so)
  5. Given the pasting Evernote took for the hastily issued (but very timely) email,  they're going to plan and check very carefully before launching anything that might cause another storm...
  6. Whatever they do it'll be:
  • a step too far,  or
  • not enough or
  • all of the above...
Link to comment

As some suspected...."Evernote used the MD5 cryptographic algorithm to secure its passwords, despite numerous security experts saying that MD5 isn't fit for that purpose -- no matter how well it might be salted."

 

http://www.informationweek.co.uk/security/application-security/password-police-cite-evernote-mistakes/240150250?cid=RSSfeed_IWK_ALL

 

Not sure this is still true but the article points to EN blog posts on the subject....

 

http://blog.evernote.com/tech/2011/05/17/architectural-digest/#comment-455

 

Which in hindsight look naive?

Link to comment
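The difference the article is pointing at can be made concrete. What follows is an added example (not Evernote's code, nor anything from the linked article): a salted-MD5 record stands in for the scheme the article describes, a PBKDF2-HMAC-SHA256 record for the slow-hash alternative, and `offline_guess` plays an attacker who holds the leaked record and a wordlist. The salt handling, wordlist, passwords and iteration count are all constructed for the demonstration.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# Constructed example records.  The salted-MD5 record models the scheme the
# InformationWeek article describes; the PBKDF2 record is the slow-hash alternative.
PBKDF2_ITERATIONS = 100_000  # assumed work factor; tune to ~100 ms on the auth server


def md5_salted_record(password: str, salt: bytes | None = None) -> dict:
    """Salted MD5: one fast MD5 compression per attacker guess, salt or no salt."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.md5(salt + password.encode("utf-8")).hexdigest()
    return {"scheme": "md5", "salt": salt.hex(), "hash": digest}


def pbkdf2_record(password: str, salt: bytes | None = None,
                  iterations: int = PBKDF2_ITERATIONS) -> dict:
    """PBKDF2-HMAC-SHA256 with a per-user salt and an explicit, stored work factor."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"scheme": "pbkdf2", "salt": salt.hex(), "iterations": iterations,
            "hash": digest.hex()}


def verify(record: dict, password: str) -> bool:
    """Recompute the stored hash for `password` and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    pw = password.encode("utf-8")
    if record["scheme"] == "md5":
        candidate = hashlib.md5(salt + pw).hexdigest()
    else:
        candidate = hashlib.pbkdf2_hmac("sha256", pw, salt, record["iterations"]).hex()
    return hmac.compare_digest(candidate, record["hash"])


def offline_guess(record: dict, wordlist: list[str]) -> tuple[str | None, int]:
    """Model an attacker holding a leaked record: try each candidate and count
    hash-primitive invocations (1 per MD5 guess, `iterations` per PBKDF2 guess).
    The salt defeats precomputed tables but does nothing against this loop."""
    cost_per_guess = 1 if record["scheme"] == "md5" else record["iterations"]
    work = 0
    for candidate in wordlist:
        work += cost_per_guess
        if verify(record, candidate):
            return candidate, work
    return None, work


if __name__ == "__main__":
    wordlist = ["letmein", "password", "evernote2013", "correct horse"]  # constructed
    leaked_md5 = md5_salted_record("evernote2013")
    leaked_pbkdf2 = pbkdf2_record("evernote2013")
    print("md5   :", offline_guess(leaked_md5, wordlist))
    print("pbkdf2:", offline_guess(leaked_pbkdf2, wordlist))
```

The salt only blocks precomputed tables; once a record has leaked, the cost per guess is what protects the user, which is why `offline_guess` reports `iterations` times more work against the PBKDF2 record for the same wordlist.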
  • Level 5*

Hindsight is definitely 20/20 - and I'm sure whatever Evernote have said about security in the past is now long out of date and undergoing energetic reviews as we speak...

Link to comment

YubiKey. Google Authenticator. Something other than username/password.

 

Personally, I use YubiKey with LastPass on both Windows and my Android phone. It works and would be an excellent solution to this issue with EN. Google Authenticator would be nice, but falls apart if I'm running it on my Android along with EN. Assuming my EN user/password has been compromised, all one would have to do is run the Android Google Authenticator app, grab the code, and plug it into the Android EN login along with my EN user/password. Nothing gained here at all (please correct me if I'm missing something on this.)

Link to comment
  • Level 5*

YubiKey. Google Authenticator. Something other than username/password.

 

Personally, I use YubiKey with LastPass on both Windows and my Android phone. It works and would be an excellent solution to this issue with EN. Google Authenticator would be nice, but falls apart if I'm running it on my Android along with EN. Assuming my EN user/password has been compromised, all one would have to do is run the Android Google Authenticator app, grab the code, and plug it into the Android EN login along with my EN user/password. Nothing gained here at all (please correct me if I'm missing something on this.)

I hope EN does something like what Google does and assigns a specific unique password to an app, so even if someone got it, it wouldn't work on any other machine. Leave the 2FA to the PC and web browser.

Link to comment
  • Evernote Expert

One, I am more personally affected: my entire set of iOS Evernote apps, Hello included, is screwed. Installed the latest update, reinstalled, still the problem persists. Filed a ticket with support, yet to get a fix.

 

http://discussion.evernote.com/topic/35659-problem-continues-even-after-updated-software/

 

Sorry for the delay here, and please expect longer than normal ticket responses--we've got our entire support staff working overtime responding to the influx of tickets associated with the reset--as you can imagine, volume has jumped up a bit.  It sounds like you've got a very specific issue, unrelated to the reset--provide me the ticket info and I'll look into it, but it sounds like it will be a specific bug related to the iOS client.

 

As for 2 factor or anything remotely related to the password reset--any new information will be released through our official channels, so you won't see me (or any employee) active in here waxing poetic on the reset--it's just not presently the proper place for it.  When we release additional information it will definitely be broadcast in the forums (and social media, etc) to ensure as many users as possible are made aware.

 

Thank you, I have got a response and the support staff are looking into the problem.

Link to comment

YubiKey. Google Authenticator. Something other than username/password.

 

Personally, I use YubiKey with LastPass on both Windows and my Android phone. It works and would be an excellent solution to this issue with EN. Google Authenticator would be nice, but falls apart if I'm running it on my Android along with EN. Assuming my EN user/password has been compromised, all one would have to do is run the Android Google Authenticator app, grab the code, and plug it into the Android EN login along with my EN user/password. Nothing gained here at all (please correct me if I'm missing something on this.)

I hope EN does something like what Google does and assigns a specific unique password to an app, so even if someone got it, it wouldn't work on any other machine. Leave the 2FA to the PC and web browser.

 

Actually using Yubikey for 2FA on the Android is a reality for LastPass now and it's pretty elegant. I just bought a Yubikey NEO which supports NFC so all that's necessary is to swipe the Yubikey across the back of the phone which opens the LastPass login screen. Enter username/password and you're in. Granted, this only works for LastPass now and only Android phones that support NFC, but it's a pretty cool solution.

 

One other thing that LastPass has implemented recently is a "poor man's Yubikey" which uses your own flashdrive as a hardware key. Install a LastPass tool on the flashdrive called Sesame and you now have hardware 2FA. Here's an article on lifehacker that discusses the LastPass 2FA.

Link to comment
  • Level 5*

Yubikey is nice and all, but that is really overboard for most people. $30 to buy and ship one, and now you have to carry it around. And no, I don't carry a key ring with me everywhere, but I do carry my phone everywhere.

 

If EN does do Yubikey, do it like Lastpass did - make it optional.

Link to comment

Yubikey is nice and all, but that is really overboard for most people. $30 to buy and ship one, and now you have to carry it around. And no, I don't carry a key ring with me everywhere, but I do carry my phone everywhere.

 

If EN does do Yubikey, do it like Lastpass did - make it optional.

Agreed, Yubikey is nice, but make it optional.... And to reiterate what you said earlier, only use 2fa on all web logins and on authorising an EN client's initial installation/sync.

So when using a previously installed EN app on the iPad you would not need to log in with 2FA.... And in my world the same would apply to the Windows and Mac clients. However, these EN clients and the devices they are installed/authorised on would be listed in your account (accessed through the web), like third-party OAuth; you would then be able to deauthorise their access at will, requiring a 2fa login to reconnect.

Link to comment
  • Level 5

Firstly I disagree that yubikey is overkill for most people.

It's cheap at 4 times the price compared to the old days, where a SecurID was serious money and you needed one for each service.

Yubikey sits on my physical keyring and the same one is used across many sites directly, and all of them once my yubikey protected OpenID and LastPass are brought in. It's cheap even if you use it at only one destination, but silly cheap if you integrate it wherever you're able to.

And it's a lot more convenient than Google Authenticator because there's nothing to type or copy/paste, though I use G.A. lots too.

It's one of the cheapest most convenient options available.

But I certainly agree it would be great to follow LastPass lead on options.

They offer:

a cumbersome paper method

OTP's you can generate and store for later copy/paste

A flash drive with a LastPass Token file on it (not suggested)

Yubikey

Google Authenticator (which also offers fallback Pre-generated OTP's)

On the topic of not using 2fa on mobile devices, again that should be a preference like with LastPass. It's a security hole.

Remember getting an OAuth cookie is a web authentication too. A hack shouldn't bypass 2fa just because a mobile client user agent is spoofed. At a minimum this requires some mobile client support.

In the LastPass model every client instance has its own GUID, a unique serial. When it's protected from transport sniffing/spoofing, that alone can be a second factor. But the initial pairing needs to be protected. In the LastPass model it's by one of the existing offered 2-factor options the first time, or by a link that says "I don't have my second factor with me", and you're sent an email link which can approve the mobile client addition.

In true form, LastPass also allows turning off that email option if you have other redundancies in place.

For example you can associate up to 5 yubikeys on an account. So if I don't have my yubikey I can use my 1st gen backup yubikey. Or my wife's. Or one of my stored one time passwords.

Link to comment
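An added example (not Evernote's or LastPass's code) of the pairing model sketched in the last two posts: 2FA is required the first time a client is paired, each paired client gets its own GUID and bearer token, the account page lists and revokes those clients, and the user agent string is recorded but never consulted for the decision, so a spoofed mobile UA cannot skip the second factor. The second-factor check is injected as a callable so it can be a TOTP check, a hardware token or an e-mailed link; the stub used in the demo, the account names and the labels are constructed.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import secrets
import uuid
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class Device:
    device_id: str      # per-client GUID, generated at pairing time
    label: str
    token_hash: str     # the server keeps only a hash of the bearer token
    authorized: bool = True


@dataclass
class Account:
    username: str
    salt: bytes
    password_hash: bytes
    devices: dict[str, Device] = field(default_factory=dict)


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class AuthServer:
    """In-memory model: second factor at first pairing of a client; paired clients
    then authenticate with their own token, which the user can revoke at will."""

    def __init__(self, second_factor_check: Callable[[str, str], bool]):
        # Pluggable second factor: (username, submitted_code) -> accepted?
        self._check_2fa = second_factor_check
        self._accounts: dict[str, Account] = {}

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._accounts[username] = Account(username, salt, _hash_password(password, salt))

    def _password_ok(self, username: str, password: str) -> bool:
        acct = self._accounts.get(username)
        if acct is None:
            return False
        return hmac.compare_digest(_hash_password(password, acct.salt), acct.password_hash)

    def pair_device(self, username: str, password: str, label: str,
                    second_factor: str, user_agent: str) -> tuple[str, str] | None:
        """First authorization of a client: password AND second factor, always.
        `user_agent` is stored for the device list only; it plays no part in the
        decision, so claiming to be a mobile client buys an attacker nothing."""
        if not self._password_ok(username, password):
            return None
        if not self._check_2fa(username, second_factor):
            return None
        device_id = str(uuid.uuid4())
        token = secrets.token_urlsafe(32)
        self._accounts[username].devices[device_id] = Device(
            device_id, f"{label} ({user_agent})",
            hashlib.sha256(token.encode("utf-8")).hexdigest())
        return device_id, token

    def authenticate_device(self, username: str, device_id: str, token: str) -> bool:
        """Later syncs: possession of the per-device token is the second factor."""
        acct = self._accounts.get(username)
        dev = acct.devices.get(device_id) if acct else None
        if dev is None or not dev.authorized:
            return False
        presented = hashlib.sha256(token.encode("utf-8")).hexdigest()
        return hmac.compare_digest(presented, dev.token_hash)

    def list_devices(self, username: str) -> list[Device]:
        """What the account page would show."""
        return [d for d in self._accounts[username].devices.values() if d.authorized]

    def revoke(self, username: str, device_id: str) -> None:
        """Deauthorize a client; pairing it again goes through 2FA once more."""
        dev = self._accounts[username].devices.get(device_id)
        if dev is not None:
            dev.authorized = False


if __name__ == "__main__":
    # Constructed stub second factor: accepts one fixed code.
    server = AuthServer(second_factor_check=lambda user, code: code == "123456")
    server.register("alice", "hunter2")
    print(server.pair_device("alice", "hunter2", "iPad", "000000", "Evernote/iOS"))
    cred = server.pair_device("alice", "hunter2", "iPad", "123456", "Evernote/iOS")
    print(cred, server.authenticate_device("alice", *cred))
```

The point the two posts make is visible in `pair_device` versus `authenticate_device`: the inconvenient check happens once per device, not once per sync, and revocation on the account page invalidates a stolen device without touching the password.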
  • Evernote Expert

No, I think hardware keys like Yubikey will be cumbersome since EN is a global product, and considering that EN has 50 million users, assuming a nominal 0.5-1% failure rate of hardware, or even less, spread evenly across the globe will require several service centers across the world. I mean, just take India: Yubikey or EN will have to set up at least a minimum of 200 service centers spread across cities, or give them to regular distributors, and this for a $20-30 product. Even that would be insufficient for an EN user who uses the internet in a tier III town. No, I think software implementations are more meaningful here.

Link to comment
  • Level 5

No, I think hardware keys like Yubikey will be cumbersome since EN is a global product, and considering that EN has 50 million users, assuming a nominal 0.5-1% failure rate of hardware, or even less, spread evenly across the globe will require several service centers across the world. I mean, just take India: Yubikey or EN will have to set up at least a minimum of 200 service centers spread across cities, or give them to regular distributors, and this for a $20-30 product. Even that would be insufficient for an EN user who uses the internet in a tier III town. No, I think software implementations are more meaningful here.

1.  Not 100% of the evernote userbase will use 2fa

2. It would be poor planning to provide only one option IMO.  Which is why I peppered my remarks with LastPass's good examples.

3.  Yubico is already a global company (they aren't based in the US).

4. As a user who uses both yubikey and google authenticator everyday, let me strongly suggest that Yubikey is the least cumbersome.  Together with LastPass it's less cumbersome than username and password. I can log in anywhere with one button push or less if it's on a trusted device.

5. Google has way more users than Evernote, and Yubico is who they've chosen to partner with in their exploration of replacing username/password for identity.

6.  Yubikeys are extremely robust.  There's no display, battery, or physical buttons.  They've been riding on my keyring along with brass physical keys for years.

 

There are no service centers. You can't service a Yubikey. You buy one online. A few days later it shows up. You start using it. Done. If my parents in Canada, in their mid-60s, can self-order a bundle of LastPass Premium plus Yubikey online and get going with them, it won't say much for the Evernote userbase if they stumble doing much the same. You didn't need a physical storefront to sign up for Evernote, why would you need one for a Yubikey?

Link to comment
  • Level 5*

I would love to see some additional authentication with Evernote. Additionally, it would be nice if the team could use Google Authenticator. This way, they cover three mobile OS's and users who already use it would not have to install another application.

 

I think GA and SMS are the way to go here. I love GA, but SMS is better for me for one reason - even if I lose my phone, I can just get a new one and the SMS still works.

 

GA works on my iPad on the other hand whereas SMS doesn't...  :)

Link to comment
  • Level 5

GA works on my iPad on the other hand whereas SMS doesn't...  :)

It's for that reason that SMS doesn't really work for me.  You can use GA on multiple devices (even as a browser extension on the desktop which is ill-advised).  So it has more redundancy than the hassle of cellphone replacement.  GA also has other fallbacks.  Your desktop can create new GA keys, and as a default will only prompt on previously authenticated desktop instances once every 30 days, so the loss of a phone doesn't lock you out of your account except perhaps 1 chance out of 30.  

But more importantly GA allows generating a list of one time passwords to be used in such occasions.

I store mine, encrypted in a lastpass secure note.  So even on the 1out of 30 day, I have a way in, yet the back door is encrypted and protected by yubikey multi-factor.

(and yes I have multiple yubikey backups, and OTP's for LastPass as well).

Sounds complicated I suppose but it's not.  Set and forget.  In day to day trivially simple to use.

I may have more and higher-sensitivity logins to manage than some, but it's no more or less effort than a stereotypical soccer mom with a handful of sites.

Link to comment
  • Level 5*

GA works on my iPad on the other hand whereas SMS doesn't...  :)

It's for that reason that SMS doesn't really work for me.  You can use GA on multiple devices (even as a browser extension on the desktop which is ill-advised).  So it has more redundancy than the hassle of cellphone replacement.  GA also has other fallbacks.  Your desktop can create new GA keys, and as a default will only prompt on previously authenticated desktop instances once every 30 days, so the loss of a phone doesn't lock you out of your account except perhaps 1 chance out of 30.  

 

Well, if I've lost my cell phone, that is priority numero uno to get replaced, so no hassle there. Connect it, and boom - everything works.

 

If EN allows it, I'll opt SMS any day of the week over GA, but I won't by any means be disappointed if GA is the only offering.

Link to comment
  • Evernote Expert

 

GA works on my iPad on the other hand whereas SMS doesn't...  :)

It's for that reason that SMS doesn't really work for me.  You can use GA on multiple devices (even as a browser extension on the desktop which is ill-advised).  So it has more redundancy than the hassle of cellphone replacement.  GA also has other fallbacks.  Your desktop can create new GA keys, and as a default will only prompt on previously authenticated desktop instances once every 30 days, so the loss of a phone doesn't lock you out of your account except perhaps 1 chance out of 30.  

 

Well, if I've lost my cell phone, that is priority numero uno to get replaced, so no hassle there. Connect it, and boom - everything works.

 

If EN allows it, I'll opt SMS any day of the week over GA, but I won't by any means be disappointed if GA is the only offering.

 

GA could make EN beneficial only for those who use high-end smartphones and digital devices. SMS can work for users who have even a basic Nokia phone. { I know that they can't get the best use without a mobile EN platform, but at least the process will work for all. }

Link to comment
  • Level 5*

Good point Panzerkampfwagen, but honestly, I wonder how many EN users that would be smart enough to enable 2FA don't already have a smartphone. May be a lot, and SMS would be necessary. May be small though.

Link to comment

On personal devices like your phone/laptop/PC you should add your own security. Nothing should be accessible when it gets stolen, not even limited access!

It matters less. If I have physical access to your hardware, I most certainly can get at your data, regardless of whatever security you've implemented (especially for closed, limited devices like phones, branded Android devices and Apple products).

Your best bet in those cases is to implement a remote wipe function. Even that isn't foolproof, but it is better than relying upon built-in "security."

Link to comment
  • Level 5*

On personal devices like your phone/laptop/PC you should add your own security. Nothing should be accessible when it gets stolen, not even limited access!

It matters less. If I have physical access to your hardware, I most certainly can get at your data, regardless of whatever security you've implemented (especially for closed, limited devices like phones, branded Android devices and Apple products).

Your best bet in those cases is to implement a remote wipe function. Even that isn't foolproof, but it is better than relying upon built-in "security."

 

I think the security is actually pretty robust, especially on an iPhone. Unless the person in possession of the phone is pretty skilled, it will take them hours, days, or more to hack into Evernote (as I understand the current state of hacking). Nothing is perfectly secure, of course, but locking things buys you time to change passwords.

Link to comment
  • Level 5*

 

On personal devices like your phone/laptop/PC you should add your own security. Nothing should be accessible when it gets stolen, not even limited access!

It matters less. If I have physical access to your hardware, I most certainly can get at your data, regardless of whatever security you've implemented (especially for closed, limited devices like phones, branded Android devices and Apple products).

Your best bet in those cases is to implement a remote wipe function. Even that isn't foolproof, but it is better than relying upon built-in "security."

 

I think the security is actually pretty robust, especially on an iPhone. Unless the person in possession of the phone is pretty skilled, it will take them hours, days, or more to hack into Evernote (as I understand the current state of hacking). Nothing is perfectly secure, of course, but locking things buys you time to change passwords.

Yeah. The canard that "if I have physical access you have no security" just isn't true. Sure, by preventing physical access, it throws up a HUGE barrier to hackers, but just because you have physical access it isn't like breaking into Windows 95 where you just press [ESC] on the login screen.

 

You'd have to be very skilled to get access to data on an encrypted drive, such as one secured by Bitlocker or TrueCrypt, and the access on iOS and Windows Phone is equally secure as the data is encrypted on the device chip. I am not sure about Android, and OEMs bypass much of Android security by using their own custom UI. We've seen this recently with the screen-lock on Samsung devices like the Galaxy S3 and Note II that let you bypass the lock screen entirely. Apple had a lockscreen glitch until yesterday's patch, but even then it only gave you access to contacts.

 

However, if you lose your phone, wipe it.

 

But I'm not too worried about my data if I lose physical access to the device. I have enough safeguards in place (encryption, Prey, device wipe) that even James Bond couldn't get into the device fast enough before my data went "poof."

Link to comment

I think that I agree with a lot of what is said here. Frankly, the user and password system is broken on the internet. We rely too much on them, and most people only have 2-3 passwords. We all know that, though. 

 

What would be good, in my point of view, is to have an optional 2FA solution using any of the following:

 

  • SMS
  • OATH-compatible service - Google account, for instance, since you offload the authentication to the third party, which already supports 2FA(kind of)
  • 2FA Hardware tokens - The kind that display a 6 to 10-digit code that you put in in addition to your password (sometimes at the end of the password or username). We buy the tokens either from you, or from another vendor (Like the c100 tokens from Feitian)
  • Yubikey - Specifically the Neo, but maybe work with Yubikey to create a solution with a micro-USB connector, so you can plug it directly into your phone like a USB OTG cable. 
  • For mobile, maybe allow authentication via Bluetooth (i.e. You can log in to EN on your mobile app by username, password, and having a specific bluetooth device connected (since all are supposed to have unique MAC addresses). They can be spoofed, of course, but it's a bridge until we all have NFC. 

I would also like to see a built-in optional certificate-based encryption, compatible (on Windows) with smartcards / certificates. Make it so that we can have multiple certificates that will unlock the account's master key (which we don't know). All data would be encrypted with the account master key, and the master key private key would be encrypted with each certificate we have set up. 

 

The recent EN hack wasn't the end of the world, from what I have read. They didn't get into the database, but you never know what'll happen next time. Regardless of what they do, it would be really nice to see it happen soon, at bare minimum on the desktop side (even if it's not a full security fix, just to get the solution started and get our "feet" wet / purchase what we need for the final solution). 

 

Make it initially available to only paid members (so you can have people sign up for your awesome, cheap service), giving your more money to work on this :)

Link to comment
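An added example (not Evernote's design or code) of the key hierarchy the post above proposes: one per-account master key, wrapped separately under each unlocking secret, so any one certificate recovers it and deleting a wrapped copy revokes that certificate without re-encrypting the notes. To stay standard-library only it uses a toy encrypt-then-MAC construction built from HMAC-SHA256 where a real deployment would use AES-GCM for data and RSA-OAEP or ECIES against the certificate's public key for wrapping, and the "certificates" are stand-in 32-byte secrets; the key ids and note text are constructed.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# Toy AEAD from HMAC-SHA256 (keystream XOR + tag).  Stand-in for AES-GCM so the
# example runs offline with the standard library; do not ship this construction.


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under a 32-byte key.  Output: nonce || ciphertext || tag."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes | None:
    """Check the tag in constant time before decrypting; None on any mismatch."""
    if len(blob) < 48:
        return None
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def new_vault(unlockers: dict[str, bytes]) -> tuple[dict, bytes]:
    """Create an account vault.  The master key is generated client-side and handed
    back to the caller; the service only ever stores `vault` (wrapped keys + notes)."""
    master = os.urandom(32)
    vault = {"wrapped": {}, "notes": {}}
    for key_id, secret in unlockers.items():
        add_unlocker(vault, master, key_id, secret)
    return vault, master


def add_unlocker(vault: dict, master: bytes, key_id: str, secret: bytes) -> None:
    """Wrap the master key under one more certificate/smartcard secret."""
    vault["wrapped"][key_id] = seal(secret, master)


def revoke_unlocker(vault: dict, key_id: str) -> None:
    """Drop one wrapped copy; that certificate can no longer recover the master key."""
    vault["wrapped"].pop(key_id, None)


def unlock(vault: dict, key_id: str, secret: bytes) -> bytes | None:
    """Recover the master key with any one of the registered secrets."""
    blob = vault["wrapped"].get(key_id)
    return unseal(secret, blob) if blob is not None else None


def store_note(vault: dict, master: bytes, name: str, text: str) -> None:
    vault["notes"][name] = seal(master, text.encode("utf-8"))


def read_note(vault: dict, master: bytes, name: str) -> str | None:
    pt = unseal(master, vault["notes"][name])
    return pt.decode("utf-8") if pt is not None else None


if __name__ == "__main__":
    card, backup = os.urandom(32), os.urandom(32)   # stand-ins for two certificates
    vault, master = new_vault({"smartcard": card, "backup-cert": backup})
    store_note(vault, master, "taxes", "2012 return: see attached")
    print(read_note(vault, unlock(vault, "backup-cert", backup), "taxes"))
    revoke_unlocker(vault, "smartcard")
    print(unlock(vault, "smartcard", card))   # None: revoked
```

Because the notes are encrypted under the master key rather than under any certificate directly, adding or revoking a certificate touches only the small `wrapped` table, and a server-side breach yields ciphertext plus wrapped keys that are useless without one of the unlocking secrets.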
  • Level 5*

Apple adds two-step authentication option for iCloud, Apple IDs

Apple has joined giants like Google and Facebook in offering two-factor authentication as an option for its accounts.

 

Evernote, when do you plan to upgrade your security to two-step authentication?

I don't think anything has changed or been announced since March 5.

 

http://www.informationweek.com/security/management/evernote-were-adding-two-factor-authenti/240150023

 

Evernote, after suffering a data breach that caused the company to reset passwords for all of its 50 million users, announced that it plans to adopt two-factor authentication as quickly as possible.

 

I know Apple just added it, but they probably weren't moving down this path until August 2012 when a blogger's account was hacked primarily by social engineering. 2FA would have helped then. 2FA wouldn't have helped in the EN situation, other than it wouldn't have been as urgent to reset passwords (if it was even necessary at all).

EN has to work 2FA into 2 iOS apps, Windows 7 and earlier, Windows 8, OSX, Blackberry, WebOS, Windows Phone, and Android, plus the website, and make sure it works with the Business accounts. So, I suspect "quickly as possible" is about all they can give us at this point, and I'd wager it will be faster than Apple's 8 month response.

Link to comment
  • 4 weeks later...

Google has just released Keep.  It's an app similar to Evernote but you can secure things with Google Authenticator.  Since it seems that EN will never get around to offering 2FA, I'm going to start using Google Keep for things I'd rather not keep in EN.  Here are a few points of comparison:

 

  1. Google Keep uses drive for online storage, so if you've turned on Google Authenticator, your notes are already protected.
  2. Like so many other side projects, google keep may be orphaned by the company while EN is updated very frequently.
  3. Google Keep doesn't make text in photos searchable as EN does.
  4. Google Keep app doesn't include an app pin option like EN does.  (Since I use a phone pin anyways, this isn't a security set back for me.)
  5. Google Keep doesn't enable multiple "notebooks".
  6. Google Keep doesn't offer encrypted notes. 
  7. Google Keep has a much cleaner, simpler interface.  I prefer the Google Keep interface.

While I think EN is a much more fulsome note keeping solution, I'm going to start using Google Keep and see if I can live with the warts.  I'm still disappointed that EN hasn't made 2FA a priority, so my move is being made partly out of spite, I guess.  

Link to comment
  • Level 5*

Google has just released Keep.  It's an app similar to EverNote but you can secure things with Google Authenticator.  Since it seems that EN will never get around to offering 2FA, I'm going to start using Google Keep for things I'd rather not keep in EN.

"He said Evernote will begin introducing two-factor authentication “probably in May,” along with other “user-visible” security changes."

http://www.pcworld.com/article/2035401/evernote-ceo-we-want-to-build-hardware.html

Link to comment

@thommango: Ok, fine, whatever, but when someone or something offends me, and I have control over their presence in my life, I have a simple strategy for the situation. 

 

One thing, though -- I asked about 2FA in a separate topic, in the context of the recent security breach. My question is (and it's a sincere question; I am a software dev of some experience, but would never claim to be a security expert): how would the presence of 2FA in Evernote user account logins have helped in this situation? The only thing I can think of is that they would not have needed to force password resets, but I don't even know whether that's true or not.

jefito,

 

If EN has architected their products correctly, then users with 2FA would not have their data exposed from an exposure of usernames and passwords.  Your question raises a good issue, perhaps there are other weaknesses in their core architecture.  Perhaps that's why a 2FA solution doesn't seem to be in their product roadmap.  

Link to comment
  • Level 5*

@thommango: OK, fine, whatever, but when someone or something offends me, and I have control over their presence in my life, I have a simple strategy for the situation.

 

One thing, though -- I asked about 2FA in a separate topic, in the context of the recent security breach. My question is (and it's a sincere question; I am a software dev of some experience, but would never claim to be a security expert): how would the presence of 2FA in Evernote user account logins have helped in this situation? The only thing I can think of is that they would not have needed to force password resets, but I don't even know whether that's true or not.

jefito,

 

If EN has architected their products correctly, then users with 2FA would not have their data exposed from an exposure of usernames and passwords.  Your question raises a good issue, perhaps there are other weaknesses in their core architecture.  Perhaps that's why a 2FA solution doesn't seem to be in their product roadmap.  

 

The 2FA solution is in the roadmap.  And the previous post didn't raise any questions that I can see,  other than wondering whether a password reset would still have been required.  I'd guess not - but it's still something I would have done,  because I'm quite fond of my data.

Link to comment
  • 2 weeks later...
  • Level 5*

Just noticed Microsoft have implemented 2fa across all their accounts.

http://blogs.technet.com/b/microsoft_blog/archive/2013/04/17/microsoft-account-gets-more-secure.aspx

Very similar to Google's implementation (allowing great flexibility) and will also work with the Google Authenticator app (RFC 6238).

Time EN delivered on their promised 2FA!

 

I think this was covered here. They said "sometime in May" and we've heard nothing to the contrary. Not sure why MS implementing 2fa on some services means Evernote should do it too at the same time. How long has Microsoft been working on it? How many software clients did MS have to modify to get this implemented?

 

Or are you saying that EN should just pull the trigger and do it, and hope and pray it works if they really aren't ready, but hey, MS did it, so it must be time!

 

I want it as much as anyone, but I want it to work. 2FA is one of those things you don't want to get wrong, or people lose access to their accounts.

 

I am on a few betas and am not seeing much activity, so I am hoping that means they are implementing 2FA in all of their clients.

 

They said May, and I want it to be May, but I'd rather it be July and right than May and wrong.

 

And MS is no gauge here as to what should be done. Win8, Windows RT & Windows Phone all speak to MS's wisdom right now.

Link to comment

@Edh I mention Microsoft for two reasons -

1. Microsoft's 2fa solution looks very similar in operation to Google's. Well thought through and workable on mobile clients etc. without forcing constant 2fa challenging.

2. Evernote has been thinking about 2fa for years, it should not be last to protect its similarly large user base.

But agreed, make sure it works before release!..... Some hope :-)

Link to comment
  • Level 5

Depends on how they want to implement it but at least with one approach they don't have to change any of the clients.

Most now use OAuth in a web call to Evernote servers for login. 2factor could just be one more field in that authentication prompt.

So everything would be server side.

Just like adding Google's Authenticator to the EN WordPress blog in two minutes turns a username/password form into a username/password/Authenticator form.

The trick there is implementing a much shorter token life. They might want to implement it so that when 2factor is enabled in account preferences, OAuth tokens are issued to expire in 1 month instead of 1 year. Just as Google does with their Authenticator unless you check the box at authentication to trust this device.

But again all of that is server side. The only client side piece, which may or may not already be there, is ensuring clients are uniquely identifiable via GUID. But perhaps it's sufficient to handle that within the token.

Link to comment

Well I waited, and waited, but due to the absence of any information about the arrival of 2fa (there hasn't been any news, has there?), I've just started implementing my own solution.

 

I've got a VPN router at home so I've set it up to allow a remote connection from me using an OpenVPN client.

The connection allows me to take remote control of my Mac Mini.

The Mac Mini has Evernote installed and everything in local notebooks (copying as I type).

I will continue to use the web clipper but notes with sensitive info in them will be copied from a cloud notebook to a local one.

I lose OCR of documents with pictures in them, but I'll take that hit.

With Microsoft introducing 2fa I'll use OneNote on SkyDrive for some things.

 

So that's it.  All stuff in local notebooks.  Thanks for a great note organizer Evernote, but the cloud service, no thanks, not any more.  And I save some dollars come renewal time in June.

 

Sad day.

Link to comment
  • Level 5*

Well I waited, and waited, but due to the absence of any information about the arrival of 2fa (there hasn't been any news, has there?), I've just started implementing my own solution.

Hi. Phil said 2FA is coming in May.

http://www.pcworld.com/article/2035401/evernote-ceo-we-want-to-build-hardware.html

 

I've got a VPN router at home so I've set it up to allow a remote connection from me using an OpenVPN client.

The connection allows me to take remote control of my Mac Mini.

The Mac Mini has Evernote installed and everything in local notebooks (copying as I type).

I will continue to use the web clipper but notes with sensitive info in them will be copied from a cloud notebook to a local one.

I lose OCR of documents with pictures in them, but I'll take that hit.

With Microsoft introducing 2fa I'll use OneNote on SkyDrive for some things.

Sounds like you have a good plan going forward. You might want to keep an eye out for the 2FA announcement from Evernote, and see if Evernote doesn't fit better into your system then.
Link to comment

Here's hoping when 2fa eventually arrives that it's not like Apple's. It only protects high level account changes/activities, no protection for iCloud contacts and calendar!#?

Microsoft are gaining fast. Outlook.com with 2fa is becoming a difficult product to beat. In my view Microsoft has finally moved in front of Google/Gmail (iCloud in 3rd place).

Link to comment
  • Level 5*

Here's hoping when 2fa eventually arrives that it's not like Apple's. It only protects high level account changes/activities, no protection for iCloud contacts and calendar!#?

Microsoft are gaining fast. Outlook.com with 2fa is becoming a difficult product to beat. In my view Microsoft has finally moved in front of Google/Gmail (iCloud in 3rd place).

Outlook.com still serves up ads, even though I paid for the service. Wait, I pay money and get ads? How is this better than Google, where I also pay money and get ads? I think it is unlikely I will ever use Outlook again, esp. since it doesn't exist in the Appleverse.

OneNote is OK, and is definitely a step forward, but there is still no OneNote on the Mac (or a decent one on iOS), so I am not sure what I would get out of using it myself.

Windows is improving, and I am glad to see them back in the game, but they have a long way to go before I will consider investing in their products. 2FA isn't the only factor in my decision. I am more concerned about usability, and in my opinion, SkyDrive/GDrive are less useful than Dropbox (amazing, considering the money they have to throw at their products), and OneNote is not even on my radar right now for notes (I used it for many years).

Link to comment

@Grumpy I'd ask MS support to look at your account as the ads should be gone and you should see a feed for social network activity for people you are communicating with...in that window instead.

I'm not recommending OneNote; it's the package as a whole and how more and more polished it's becoming. Outlook.com works well on the iPad.....

But their 2fa is clever.... It works with the Google Authenticator, text message or even telephones you with a voice message with a code.

Link to comment
  • Level 5*

@Grumpy I'd ask MS support to look at your account as the ads should be gone and you should see a feed for social network activity for people you are communicating with...in that window instead.

I'm not recommending OneNote; it's the package as a whole and how more and more polished it's becoming. Outlook.com works well on the iPad.....

But their 2fa is clever.... It works with the Google Authenticator, text message or even telephones you with a voice message with a code.

Good advice. However, it is unlikely that I will call support, because I already spent an hour+ with them just getting Office worked out. Besides, no support on the Mac anyhow, so there isn't much point!

But, it is good to know that the ads are at least (apparently) not supposed to be there, though I suspect I am supposed to be paying a fee of some sort (outlook plus?) to get rid of them on top of the subscription cost for 365. I have received a one year subscription, so I will use it, but I doubt I will renew it at the end of the year. The only chance that I would be interested in paying for all of this is if I buy into the Microsoft universe with a Surface Pro. That is unlikely to happen unless they suddenly find a way to get more battery life out of it.

Glad to hear that the 2FA is working out well. I look forward to seeing what Evernote has in store for us.

Link to comment

Thanks for pointing me to that article, Grumpy.  Hardware, eh!  "Something new and magical"... I do wish people would stop thinking...  "So what would Steve Jobs have said if he was going to announce this?" :-)

 

It's an interesting article.

 

I'm going to stay with my plan for my sensitive info and as soon as they deliver 2fa I'll probably be back.

Link to comment
  • Level 5*

@Grumpy yes, sorry, you will need the Plus add-on; shame that as a 365 user you don't get that too.

Yep. That is what I figured. I think you can see now why I am so loath to continue with Microsoft. I have been getting by fine with my Office 2011, but with the subscription now I get just five devices, and still Office 11 (no update for Macs, folks) in exchange for forking over 10 dollars a month. On top of that, I have to pay $20 a year to get rid of ads. Really? No way.

I think after my subscription ends, I'll go back to Office 2011 (on the disc), and use that until it becomes obsolete. 2FA is nice and all, but there are all kinds of other things that have to be done right, and the lack of compatibility with other operating systems makes Microsoft products (for me, at least) a non-starter at the moment. On that note, Adobe Photoshop and the "Suite" (thankfully, not Acrobat) are moving to a subscription model, so I guess we are parting ways as well. There are a lot of products out there that are "good enough."

I'm limiting my subscriptions to products that I really, truly enjoy, and find critical for my work. They can dangle 2FA or some other features in front of me if they would like, but it won't be enough for me, I am afraid. Obviously, other people have different cost/benefit analyses, and will reach different conclusions. This is how I am thinking, though.

Like I said, I am glad to see Microsoft still in the fight. However, I don't see them gaining anything fast.

Link to comment

@Grumpy not sure how you are working but you don't need to use the outlook.com website if you have Office 365. You can add your outlook.com/hotmail account into Outlook within Office 365.

I don't think Microsoft will stop selling the perpetual license for Office 2013; you don't need to have a subscription, although the home/student edition is very attractively priced for 5 devices etc.

Regarding Mac Outlook, it struck me, last time I looked at it, that Parallels is the answer?

Link to comment
  • Level 5*

@Grumpy not sure how you are working but you don't need to use the outlook.com website if you have Office 365. You can add your outlook.com/hotmail account into Outlook within Office 365.

I don't think Microsoft will stop selling the perpetual license for Office 2013; you don't need to have a subscription, although the home/student edition is very attractively priced for 5 devices etc.

Regarding Mac Outlook, it struck me, last time I looked at it, that Parallels is the answer?

Outlook, of course, but no OneNote on the Mac, and Mac folks continue to be far behind Windows folks with the software. The perpetual license version will continue to exist for a decade (last I heard) and I wouldn't expect them to predict any further out than that. However, the perpetual license will be one license for one computer. Better not upgrade ever again! The current license has traveled through at least 3 computer upgrades since I first bought it.

As for Parallels, that is a good way to go, but it is one more hoop to jump through for me, and it takes up that much more storage space, so in the end, I'll go with the stuff I've got on the Mac. Again, if I can get by with "good enough," then there isn't much incentive to pay for Microsoft's stuff.

In the case of 2FA, it will be here soon for Evernote, so I don't see OneNote (on those grounds, at least) as a solution. Gmail is free, and I've already got it, so Outlook isn't too tempting. Pages works well on the iPad and Mac, for a fraction of the Word cost, so not much incentive to use Microsoft stuff. Maybe the next iteration of the Surface Pro will convince me to change.

Personally, I find the big suite idea (everything in one place, synced, and integrated) to be very compelling, but no one has pulled it off well yet, so I'm not holding my breath. If Microsoft can figure it out, then who knows? But, as a longtime OneNote user, I don't think that is the best platform for my notetaking. I've been keeping an eye on it, but don't expect to go back (for my use case, at least).

Link to comment
  • Level 5*

Thanks for that. The fact that you can (apparently) only use it on one computer at a time is discouraging, but maybe the license said that for Office 11 as well, while allowing for multiple installs. It's not like I am installing it on a thousand computers, but I do have an old netbook, for example, that I'd like to use Office on as well. 

 

Apple Pages? Any computer you log into with your App Store account will be able to download a copy (as far as I know). I wish Microsoft would do something similar, but I guess we can't always get what we want!

Link to comment
  • Level 5

Yeah, the pricing of the 365 Home Premium subscription can lure you into a multi-PC install like the Mac App Store, but as always, when you're being particular about licensing, you note that Office Home Premium does not equate to Pages/Numbers/Keynote.

Office Home/Premium may not be used to produce output for commercial use.

So write an ebook (with an extra step, as unlike Pages, Word doesn't save to EPUB) that you want to sell, or print a lemonade stand poster, and you're not license compliant.

 

Cycling back to Evernote, I guess one can instead create their EPUB in Evernote ;-)

http://trunk.evernote.com/app/everepub/iphone

Link to comment
  • Level 5*

Yeah, the pricing of the 365 Home Premium subscription can lure you into a multi-PC install like the Mac App Store, but as always, when you're being particular about licensing, you note that Office Home Premium does not equate to Pages/Numbers/Keynote.

Office Home/Business may not be used to produce output for commercial use.

So write an ebook (with an extra step, as unlike Pages, Word doesn't save to EPUB) that you want to sell, or print a lemonade stand poster, and you're not license compliant.

 

Cycling back to Evernote, I guess one can instead create their EPUB in Evernote ;-)

http://trunk.evernote.com/app/everepub/iphone

 

Good points. I did not know that. I'll have to review the fine print, because some colleagues of mine using education versions of Office may inadvertently be violating the license agreement.

 

[EDIT: Here is the clause]

In the Microsoft Software License Terms, the "non-commercial use" text identifies the use of the product. You may install one licensed copy of the software on three devices in your household. The software is not licensed for any commercial business activities, nonprofit business activities, or revenue-generating business activities.

 

It isn't as if the Microsoft police will come beat down our doors and take away our research on sixteenth century documents, but I do think signing away my rights is not the way to go when creating intellectual property, and this would be one more reason I would be leery about switching to Microsoft stuff just for that 2FA.

 

As for EverEPUB, good find! I will look into that :)

Link to comment
  • Level 5

In reference to: http://blog.evernote.com/blog/2013/05/16/first-look-evernote-for-google-glass/

 

Assume my thoughts to be somewhat similar to what my boss's would be if I were to focus energy on a cool project, and boast about it publicly, before an important project he'd asked me to complete was finished.

Or [insert play before homework finished anecdote here].

[insert my comments on the Mac EN v5 "spackle"]

 

It's one thing to work on it, but another to blog and say you're working on it, in light of certain unfinished contexts/threads.

At least with the paying customers, I'm not sure it gives you the marketing bump you think it does.

 

In and of themselves the v5 client rev, the website refresh, and projects like Glass are fine.  But marketing is about timing. In a certain order, these things, rather than helping pick up momentum in the user base, poke a sharp stick at already sore spots.

 

But I could put my optimism hat on and assume this was farmed out to the summer interns as a project, while real weighty work and fixes continue un-distracted.  In which case a good marketing rep might have cleverly slipped in that tidbit to the blog blurbbage, showing they were attuned well to the wide readership.

Link to comment

Those are very salient and well made points CWB.  But unless I'm misunderstanding you, I'm not sure your boss in this hypothetical situation would ask you to sit on something that was complete and useful to your userbase for 3-6 months while something else gets completed, all in the name of optics.  We can balance announcements when things are spaced apart by a few weeks, but it's not like we're going to halt development and announcements on updates and interesting projects here while we implement Two Factor. 

 

Let's also not forget that other outlets broke this story as well months ago, other outlets are reporting it now, and we are quite happy to talk about all the great work that went into the experience we're building on Google Glass here on our own blog as well.

Link to comment
  • Level 5

Actually, yes, I am saying that sometimes you do let something sit a little bit in the name of optics.  Because sometimes a badly choreographed launch kills a perfectly functional idea prematurely.

I'd love to be nothing but thrilled at my daughter's achievement in thing X or Y when she brings it to me.  But if something else urgent that she's been asked to do, and she's agreed to do, isn't done yet, then I'm left with a soured jubilation with her achievement.  "That's great honey, good work, but isn't it true that it shouldn't be done yet, if this other stuff is still incomplete?"

 

So yes, I think it may be analogous to my boss scenario.  He won't be thinking that I'm sitting on a complete and ready to go thing, while I finish my "homework".  He'll be thinking that that "thing" shouldn't in fact be complete yet, to be sitting on, if I'd instead been doing the things we agreed I'd be working on.

 

And if we remove the artificial constraint that a company isn't single talented/single tasking like an individual, then for the valuable (though balanced and measured) benefit of optics, can it not be said that EN wouldn't really be sitting on the Glass project unreleased, but that it would continue to develop into a better thing, until it could be announced in a well choreographed manner with the entire product line.

 

If nothing else, we're used to hearing from you that you don't comment on unreleased products (and this discussion is one of the many reasons why companies rightly don't comment on unreleased features - please continue to not do so).  Or can we also anticipate a blog post showing what 2 factor authentication will look like when released?

 

When there's potential for more people to prefer you weren't devoting limited developer resources to it, than there are Glass Explorers in 2013, other than wanting to draft on Google's announcements and I/O buzz, Glass isn't going to be released until into 2014.  What's the rush?

 

It's always the case that great work goes into something internally for months or even years before you talk about it, hard as that might be.  It sucks but great products and ideas die on the hard rocks of optics, logistics, timing and messaging.

 

Will you attract enough Glass wearing new premium customers in the Glass explorer program to make up for the potential risks to some difficult to quantify number of the existing paid base?

 

The point is you have a ton of impossible to please factions of users, each with their own points of pain.  Each with the potential to take umbrage that their "simple" (or at least not harder than Glass sharing) search/UI/todo/feature has received EN lip service as "important to us too" or "coming soon" for X, Y, Z years in blog posts, conference speeches, impromptu Phil statements, forum posts, yet while Glass is still off into 2014 for wide release, voila, here's Glass integration.  You may as well put a sticky at the top of each forum that pokes a pointy stick in their eye when they open and read it.

 

</coming down off the soapbox/ledge now>

 

Because it's difficult to quantify, it would seem to me, prudent to take the safer course.  Don't burn capital needlessly simply because enough due care hasn't been considered on the timing and messaging, in the rush to exuberantly jump in with a "me too".

 

--Signed, merely an IT guy at a place serially rolling out new stuff to large user bases for a living.

(and as an invested customer, critiquing for your and via my proxy usage of the product, best success)

Link to comment

Again, great, thoughtful response. There's a lot to unpack here, but let me respond to a few points.
 

The point is you have a ton of impossible to please factions of users, each with their own points of pain.  Each with the potential to take umbrage that their "simple" (or at least not harder than Glass sharing) search/UI/todo/feature has received EN lip service as "important to us too" or "coming soon" for X, Y, Z years in blog posts, conference speeches, impromptu Phil statements, forum posts, yet while Glass is still off into 2014 for wide release, voila, here's Glass integration.  You may as well put a sticky at the top of each forum that pokes a pointy stick in their eye when they open and read it.

 
I know you're talking within the context of Glass, but by your own admission here, and full knowing we have competing user interests across the product, then taken to its logical extreme we'd never announce anything because it might anger users over an unreleased feature.  I know that's not what you're saying per se, but threading the needle amongst competing interests is something we have to do daily, and will continue to have to do.  The other point you make here is that we're sort of breaking our established rules when talking about our products under development until they are ready to release.  I think this is a little different, insofar as we're building a product on pre-release technology, and we're telling you about it because we're excited to be working with it, and it was already announced by another company--namely Google.  If you read tech news at all (and I'd wager you are steeped in it daily), you've probably tripped over the fact that we're developing for it, and maybe even seen a demo of it in action.  The idea that we should recuse ourselves from reporting this same news on our own blog strikes me as somewhat incorrect.
 

When there's potential for more people to prefer you weren't devoting limited developer resources to it, than there are Glass Explorers in 2013, other than wanting to draft on Google's announcements and I/O buzz, Glass isn't going to be released until into 2014.  What's the rush?
 
It's always the case that great work goes into something internally for months or even years before you talk about it, hard as that might be.  It sucks but great products and ideas die on the hard rocks of optics, logistics, timing and messaging.
 
Will you attract enough Glass wearing new premium customers in the Glass explorer program to make up for the potential risks to some difficult to quantify number of the existing paid base?

 
At the end of the day, I trust that users are going to understand (though I totally understand if we also cause a grumble from time to time) that there is a research and development component to everything we do--Glass included--and that these kinds of R&D projects can reside alongside product updates, and that they will also live alongside unfulfilled feature requests that receive their updates through less official means until they are ready to be announced.  We're also quite aware that Glass doesn't presently have a large userbase, nor can it even attempt to achieve one until 2014--but that shouldn't prevent us from talking about our work with it, or positioning the work we are doing with it at present. One of the promises of Evernote is to work well, and natively, on most of the devices you use to gather information--the paths and senses to your external brain--and the idea that we're starting to work with wearable technology, that we are looking ahead to devices that users may eventually own, is just as key to us as a company as it is to ensure that we're getting present features and needs taken care of and ensuring the stability of what's been pushed out thus far.
 
One other point--the Glass announcement should also not be viewed in a vacuum.  Taken alone, sure, you can make the argument that we should be holding off or threading the needle a certain way, but it's an article that's part of an entire week's worth of news.  On the 16th we also pushed out a post referencing a third party application, and an announcement concerning the launch of the YXBJ Business offering.  Experimental work on Google Glass occupies a fraction of the news we've pushed out this past week and month that impacts users across a number of key areas.

Finally, I think we can agree that the rollout of Two Factor is an entirely different animal from a post talking about the work we've done thus far with Glass.

 

You've got a lot in there, hopefully I've responded to a bit of it here.  I want to emphasize that I understand the core point you are making here--that we can do better at threading that needle when it comes to marketing, and that general user reaction to these kinds of posts may hurt us in the long run more than it helps us, which you are making as someone who is interested in improving the product and being generally helpful.

Link to comment
  • Level 5

Thanks gbarry, not sure we'll get closer in philosophical agreement, but I do appreciate and respect the response, and I'll conclude that tangent.

In other news, since I brought it up previously as a sub point in needed authentication transparency, with Google references, I'm very happy to see the xauth bits and the Applications tab in Evernote.com account settings.
That's exactly what's needed.  Nice work EN.
Unless I missed other progress, that just leaves web authentication login activity as outstanding. We can currently see Evernote browser plugin login activity, which is great. We just need to be able to see logged in and recent browser sessions now. So hoping that's part of the 2factor work.

Link to comment
  • Level 5*

So the backup codes, it says not to put them in Evernote. I have no other method to reliably store info. I am now frozen like a deer in the headlights in the setup process.  :D

Link to comment

If you're locked out of your Evernote account, you won't be able to get to it, eh? :)

 

Kind of like if someone stores their password manager data in a cloud & they don't remember the password to get to it to restore it.  :o  

Link to comment
  • Level 5

Ed, then why not just *get* another method of saving them.

LastPass functionality for this use is free.

Save them in a secure note. They'll be well encrypted separate from Evernote. Yet they're available to be synced across all your logged in browsers, and you can also use Google Authenticator 2 factor authentication to protect them.

Link to comment

Archived

This topic is now archived and is closed to further replies.
