Jump to content

(Archived) Mandate 2FA?


Recommended Posts

  • Level 5*

Is there a way as the Admin of our business account to mandate two factor authentication for our account so everyone has to enable it?

Link to comment
  • 3 weeks later...

Two-step verification is a great feature! As an admin I agree it's important we be able to manage compliance if our business requires that users maintain two-step verification. In my opinion, the features would include:

  1. Company-wide setting (checkbox) to require two-step verification to use business features. If disabled (even after it's enabled), business notebooks are no longer visible to the user until two-step verification is re-enabled
  2. If two-step verification is required, send email reminders to users' business email addresses who need to enable two-step verification 
  3. A column in the Admin User List that shows the state of each user's two-step verification setting (visible regardless of whether two-step verification is required company-wide) 
  4. Ability to export the user-list including business email and two-step verification setting so admins can report compliance and communicate (visible regardless of whether two-step verification is required company-wide)

Thoughts?

Link to comment
  • Level 5*

I can understand the desire to have 2fa enabled for all employees, but if I were an employee, I'd be pretty rankled about being forced to log into my personal account a certain way just because it is linked to my business notes. I think a more effective solution would be something like David said: 2 step verification to view the business stuff. I think that seems fair.

Otherwise, you'll see people (like me) who create an entirely separate account just to link up with the business, rarely login, and find the whole thing to be quite troublesome. That's no good for anyone.

Link to comment
  • Level 5*

I can understand the desire to have 2fa enabled for all employees, but if I were an employee, I'd be pretty rankled about being forced to log into my personal account a certain way just because it is linked to my business notes. I think a more effective solution would be something like David said: 2 step verification to view the business stuff. I think that seems fair.

Otherwise, you'll see people (like me) who create an entirely separate account just to link up with the business, rarely login, and find the whole thing to be quite troublesome. That's no good for anyone.

When you use personal accounts on business property (computers, phones, etc) you are subjecting yourself to certian restrictions.

And if you don't like that, then don't link your personal account to the business account. Get another personal account that you effectively don't use at work and just user your personal account at home.

 

On company time on the company dime, company policies take precedence.

Link to comment
  • Level 5*

I can understand the desire to have 2fa enabled for all employees, but if I were an employee, I'd be pretty rankled about being forced to log into my personal account a certain way just because it is linked to my business notes. I think a more effective solution would be something like David said: 2 step verification to view the business stuff. I think that seems fair.

Otherwise, you'll see people (like me) who create an entirely separate account just to link up with the business, rarely login, and find the whole thing to be quite troublesome. That's no good for anyone.

When you use personal accounts on business property (computers, phones, etc) you are subjecting yourself to certian restrictions.

And if you don't like that, then don't link your personal account to the business account. Get another personal account that you effectively don't use at work and just user your personal account at home.

 

On company time on the company dime, company policies take precedence.

Let me clarify. Under the scheme you propose, even when I am not on business property I would still be subject to the restrictions you are suggesting. I am strongly opposed to this kind of intrusion on my personal life, and I think many other users would probably resist the idea of being forced to use 2fa just to look up their grocery lists (for example).

If your proposed solution for people who resist this is to create a new account, doesn't this undermine the entire Evernote Business model? After all, if I am not hooking it up to my personal account (the current setup), then there isn't any point in this Evernote Business integration. I am guessing that many people would find it quite a hassle to juggle multiple accounts (I do). It certainly won't work well on those company phones, either, where you can only conveniently be logged into one account at a time (especially on iOS -- Android at least has multiple users, though that isn't terribly convenient either for using Evernote).

Why are you against my suggestion of requiring 2fa to access business account data? Wouldn't this solve your problem (wanting to keep the data secure) and my problem (being forced to use 2fa for my personal account)?

Link to comment
  • Level 5*

I don't see how 2fa is an intrusion. The only site that is annoying with 2fa is www.evernote.com itself because it only remembers you for 1 month. My clients (Windows Phone, iOS, Windows) have never had to log in a 2nd time, so the grocery list issue is only a problem in the theoritical situation where you head to the grocery store, buy a new phone, install Evernote, then head to the grocery store and open up Evernote.

 

Could they split it where 2FA was requred for one but not the other? Sure. Nothing is impossible. However, right now, ENB is inextricably tied to a personal account. You cannot get ENB without a personal account. I'd rather see EN spend their time fixing the myriad of issues with the EN5 beta, or the number of longstanding issues with ENB before spending time with that.

Link to comment
  • Level 5*

I don't see how 2fa is an intrusion. The only site that is annoying with 2fa is www.evernote.com itself because it only remembers you for 1 month. My clients (Windows Phone, iOS, Windows) have never had to log in a 2nd time, so the grocery list issue is only a problem in the theoritical situation where you head to the grocery store, buy a new phone, install Evernote, then head to the grocery store and open up Evernote.

 

Could they split it where 2FA was requred for one but not the other? Sure. Nothing is impossible. However, right now, ENB is inextricably tied to a personal account. You cannot get ENB without a personal account. I'd rather see EN spend their time fixing the myriad of issues with the EN5 beta, or the number of longstanding issues with ENB before spending time with that.

If 2fa works that smoothly, then I guess it isn't a problem, but my understanding is that you had to input your data anytime you logout of your account, and I think a lot of users do that. Please correct me if I am wrong there. I don't have enough experience with the 2fa to say, and if it really isn't something they'd have to do often, then I concede the point.

I have no idea what kind of technical challenges would be involved in having a 2fa login for access to Evernote Business accounts that require it. It seems to me that this would be ideal, but I'll leave a decision like that to the developers.

If we get into prioritizing Evernote resources, then I've got a bunch of things I'd like to see! But, that is a topic for a whole other thread.

Link to comment
  • Level 5*

 

I don't see how 2fa is an intrusion. The only site that is annoying with 2fa is www.evernote.com itself because it only remembers you for 1 month. My clients (Windows Phone, iOS, Windows) have never had to log in a 2nd time, so the grocery list issue is only a problem in the theoritical situation where you head to the grocery store, buy a new phone, install Evernote, then head to the grocery store and open up Evernote.

 

Could they split it where 2FA was requred for one but not the other? Sure. Nothing is impossible. However, right now, ENB is inextricably tied to a personal account. You cannot get ENB without a personal account. I'd rather see EN spend their time fixing the myriad of issues with the EN5 beta, or the number of longstanding issues with ENB before spending time with that.

If 2fa works that smoothly, then I guess it isn't a problem, but my understanding is that you had to input your data anytime you logout of your account, and I think a lot of users do that. Please correct me if I am wrong there. I don't have enough experience with the 2fa to say, and if it really isn't something they'd have to do often, then I concede the point.

I have no idea what kind of technical challenges would be involved in having a 2fa login for access to Evernote Business accounts that require it. It seems to me that this would be ideal, but I'll leave a decision like that to the developers.

If we get into prioritizing Evernote resources, then I've got a bunch of things I'd like to see! But, that is a topic for a whole other thread.

 

 

I cannot imagine anyone logging out of their phone's account or desktop account. If you are on business, you have premium features, so you can PIN lock it if desired, or lock your phone or desktop. 

 

On the web, sure, but the web sucks for 2FA because it constantly forgets who you are anyway, but I'd wager that is a small SMALL percentage of users that are Web users vs an OSX or Windows client.

Link to comment
  • Level 5*

I don't have any numbers, but my impression from the forums, and from talking with people is that a lot of people habitually log out of apps. It's not my thing, but I can see why they do it. If you have multiple accounts, as I do, it is also a necessity. Some people seem to do it because of security concerns, and others because they share devices with family members. It's one of those things you see a lot of, but may not do yourself.

Link to comment
  • Level 5*

I don't have any numbers, but my impression from the forums, and from talking with people is that a lot of people habitually log out of apps. It's not my thing, but I can see why they do it. If you have multiple accounts, as I do, it is also a necessity. Some people seem to do it because of security concerns, and others because they share devices with family members. It's one of those things you see a lot of, but may not do yourself.

 

That would really  surprise me. We have 30 people here on EN and I've not told them how to work at all and none of them log out.

 

Besides, even on the apps with 2fa, EN for WIndows doesn't require it every time. I switch between my business/personal combo to a 2nd freebie account that Windows allows at will. No reauthentication or password, EN just remembers my stuff and switches.

 

It would be different on iOS of course as those clients don't support multiple logins, but I've logged out and back in trying to resolve an issue and it doesn't redo the 2FA. 2FA seems to remember the device, and that is fine. The point of 2FA isn't to be a PITA, it is to prevent Slavyev in Hackistan from logging into my account by a brute force password attack, not to prevent someone from accessing my data if they obtain physical access to my existing authorized devices. That is what local passwords/PINs are for.

Link to comment
  • Level 5*

I don't have any numbers, but my impression from the forums, and from talking with people is that a lot of people habitually log out of apps. It's not my thing, but I can see why they do it. If you have multiple accounts, as I do, it is also a necessity. Some people seem to do it because of security concerns, and others because they share devices with family members. It's one of those things you see a lot of, but may not do yourself.

 

That would really  surprise me. We have 30 people here on EN and I've not told them how to work at all and none of them log out.

 

Besides, even on the apps with 2fa, EN for WIndows doesn't require it every time. I switch between my business/personal combo to a 2nd freebie account that Windows allows at will. No reauthentication or password, EN just remembers my stuff and switches.

 

It would be different on iOS of course as those clients don't support multiple logins, but I've logged out and back in trying to resolve an issue and it doesn't redo the 2FA. 2FA seems to remember the device, and that is fine. The point of 2FA isn't to be a PITA, it is to prevent Slavyev in Hackistan from logging into my account by a brute force password attack, not to prevent someone from accessing my data if they obtain physical access to my existing authorized devices. That is what local passwords/PINs are for.

I'll take your word for it regarding the ease of using 2fa, and I'll try to test it out more to get a better sense of how it works in various situations on various devices.

Link to comment
  • 1 month later...

Thanks for posting, we've seen this request before and will add a +1 to it.

 

I tend to side with EdH and that most users on Mobile and Desktop tend not to sign out very often. I think especially with pin-lock on mobile (and fewer people doing account switching on mobile) we see more folks stay logged in

Link to comment

Archived

This topic is now archived and is closed to further replies.

Guest
This topic is now closed to further replies.
×
×
  • Create New...