Two-step verification freaks me out

Is anyone else not comfortable with the way Evernote has implemented two-step verification? As far as I can tell, Evernote only allows one phone number (no backup phone number), and if you lose access to your backup codes and primary phone and phone number, there's absolutely no way to get back into your account.

I can think of so many scenarios where a user could temporarily or even permanently lose access to their account:

  • A fire, theft, flood, or other natural disaster could easily destroy the phone and backup codes, locking someone out for days until they could procure a new phone with the same phone number.
  • A "number port" can go wrong, resulting in the phone being unable to receive text messages for days or weeks.
  • A mobile phone number on a business account could be lost if the small business you work for goes belly up unexpectedly.
  • The phone company could cancel your service due to a billing snafu or a TOS violation.
  • And many, many more.

Yes, many of these are unlikely. And yes, individually, these can be mitigated in many different ways. But when the stuff really hits the fan and two or more happen simultaneously? What then? Permanent loss of access to all your stored knowledge in your Evernote account?

Contrast that with Google's approach; Google was a pioneer in offering two-factor authentication to the masses. Google offers:

  • Google Authenticator support (same as Evernote)
  • Backup codes (same as Evernote)
  • Two phone numbers to be used for text-message one-time passwords (OTP) in case you have no access to Authenticator or your primary phone number (not the same as Evernote)
  • The ability to receive an automated phone call to either phone number with your OTP in case of no SMS access (not the same as Evernote)

So far, I'm feeling much better. But wait, it gets better. If you have any issues getting into your account, Google supports:

  • The ability to sign into a computer that you designated as "trusted" and generate new backup codes or update your two-step verification settings
  • The ability to have a voicemail left on one of your two phone numbers with your OTP. If you can remotely dial into your phone's voicemail, you can pick up the OTP and get back into your account.

And perhaps most importantly, if all else fails:

  • Google offers an account recovery form, where a human being works with you manually to verify your identity and get you back into your account.

The net result is that I feel confident that Google has my back. I won't lose access to my account if I take even minimal precautions, and if I do lose access to my account because the worst happens or I didn't take even minimal precautions, Google will work with me to recover my access.

In contrast, Evernote seems to say: sorry, you are out of luck. This approach strikes me as flawed, and it will eventually cause some Evernote users major problems, if it hasn't already.

I welcome any thoughts on this. Does Evernote's approach worry anyone else?

P.S. Microsoft, which might be Evernote's biggest competitor with OneNote, offers similar account recovery features to Google.


Well, indeed there is room for improvement, but in all honesty, a lot of things would have to go wrong simultaneously to actually result in you being locked out of your account.

1) You'd need to lose physical access to a device that was approved to keep you logged in (like your personal laptop, which you might tell Evernote to "remember").

2) You'd need to lose physical access to an approved verification device.

3) A phone you have authorized to receive text codes (if you aren't using Google Authenticator or Authy) would have to be bungled (e.g., a phone number problem).

4) You'd need to lose your recovery codes.

For me, my recovery codes are stored in my password manager (1Password), which is backed up on three computers, local external drives, and two off-site backups (six locations in total, two of them off-site), so they will not be lost except in the apocalypse. So even if 1, 2, and 3 all occur, which is unlikely anyway, I'd still have the recovery codes.

If you are really concerned about the two-factor process, don't use it for Evernote and opt for the next best thing: use a complex, randomly generated, unique password. A password manager like 1Password or LastPass would be an asset here (and they are also very useful when using two-factor too).

If you are concerned about phone number losses, you can use Google Authenticator, or my personal favourite: Authy.


 

> If you are really concerned about the two-factor process, don't use it for Evernote and opt for the next best thing: use a complex, randomly generated, unique password. A password manager like 1Password or LastPass would be an asset here (and they are also very useful when using two-factor too).

Super comment - thanks for adding it.

 

I am moving to central Maine and there is zero reception for my T-Mobile phone there.

So I will have to get a new service (and phone).

 

I presume there is a way to move the two-factor authentication from one phone to a new phone, but I don't want to take the chance on risking the entire setup with a keystroking mistake. So I stick with huge random generated passwords managed by LastPass.


 

 

> > If you are really concerned about the two-factor process, don't use it for Evernote and opt for the next best thing: use a complex, randomly generated, unique password. A password manager like 1Password or LastPass would be an asset here (and they are also very useful when using two-factor too).
>
> Super comment - thanks for adding it.
>
> I am moving to central Maine and there is zero reception for my T-Mobile phone there.
>
> So I will have to get a new service (and phone).
>
> I presume there is a way to move the two-factor authentication from one phone to a new phone, but I don't want to take the chance on risking the entire setup with a keystroking mistake. So I stick with huge random generated passwords managed by LastPass.

 

In a situation like yours where you can anticipate a move like this, I think the best plan would be to disable two-factor NOW, and re-enable it once you have settled in Maine with a new provider and phone number. I believe re-setting it up like this allows you to change your number (the key here, of course, is being able to disable two-factor BEFORE you lose access!).

But yes, really freaking strong passwords are also good and how I roll with many of my services too.

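The two practical points in the replies above, that the recovery codes are what save you when everything else fails, and that moving two-factor to a new phone feels risky, both come down to what an authenticator app actually holds: a shared seed, not the phone number. The following is an added example written for this page; it is not Evernote's code, not Google Authenticator's, and not code from any of the posters. It implements RFC 6238 TOTP on top of RFC 4226 HOTP, round-trips an otpauth:// provisioning URI to model enrolling the same seed on a second phone, and handles backup codes the way a service should (stored only as hashes, burned on first use). The seed is the RFC 6238 reference seed (ASCII "12345678901234567890") so the output can be checked against the RFC's published test vectors; the function names, the issuer/account strings and the backup-code format (16 hex characters) are my own choices, not anything Evernote or Google documents.

```python
"""Added example: RFC 6238 TOTP plus one-time backup codes.

Constructed for illustration; not Evernote's or Google's implementation.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import parse_qs, quote, urlparse

STEP_SECONDS = 30   # time step; the common authenticator default
DIGITS = 6          # code length

# RFC 6238 reference seed (ASCII "12345678901234567890"), used here so the
# codes can be checked against the RFC's test vectors. A real service mints a
# fresh random seed per user, e.g. secrets.token_bytes(20).
SEED = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238: HOTP with the counter derived from wall-clock time."""
    return hotp(secret, unix_time // step)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` neighbours to tolerate clock drift.
    compare_digest keeps the comparison time independent of how many digits match."""
    counter = unix_time // STEP_SECONDS
    return any(
        hmac.compare_digest(hotp(secret, counter + drift), code)
        for drift in range(-window, window + 1)
    )


def provisioning_uri(seed: bytes, account: str, issuer: str) -> str:
    """The otpauth:// URI an authenticator app reads from the enrolment QR code."""
    b32 = base64.b32encode(seed).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}&digits={DIGITS}&period={STEP_SECONDS}")


def seed_from_provisioning_uri(uri: str) -> bytes:
    """What a second phone (or a kept copy of the QR code) recovers: the seed itself."""
    b32 = parse_qs(urlparse(uri).query)["secret"][0]
    b32 += "=" * (-len(b32) % 8)          # restore base32 padding if it was stripped
    return base64.b32decode(b32)


def generate_backup_codes(count: int = 10) -> tuple[list[str], set[str]]:
    """Return (plaintext codes shown to the user once, hashes the server keeps).
    64 bits per code keeps a leaked hash table out of brute-force range for plain
    SHA-256; shorter, friendlier codes would need a slow KDF plus rate limiting."""
    codes = [secrets.token_hex(8) for _ in range(count)]
    return codes, {hashlib.sha256(c.encode()).hexdigest() for c in codes}


def redeem_backup_code(stored_hashes: set[str], code: str) -> bool:
    """Each backup code works exactly once: a match is removed from the stored set."""
    digest = hashlib.sha256(code.strip().lower().encode()).hexdigest()
    if digest in stored_hashes:
        stored_hashes.discard(digest)
        return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    # "Old phone" holds the seed; "new phone" is enrolled from the same URI.
    uri = provisioning_uri(SEED, "user@example.com", "ExampleNotes")
    old_phone, new_phone = SEED, seed_from_provisioning_uri(uri)
    print("old phone:", totp(old_phone, now), " new phone:", totp(new_phone, now))
    codes, server_side = generate_backup_codes(3)
    print("first redemption:", redeem_backup_code(server_side, codes[0]))
    print("replay of same code:", redeem_backup_code(server_side, codes[0]))
```

Two things the code makes concrete. First, a phone number never enters the TOTP computation: any device enrolled from the same seed produces the same six digits, so the "move to a new phone" problem is really "do you still have the seed (or the enrolment QR code)?" Second, a backup code is an independent credential that the service only keeps as a hash and deletes on use, which is why a surviving copy of the codes is a genuine second path in and why, as noted later in the thread, whoever holds both your password and those codes holds the account.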

> Well, indeed there is room for improvement, but in all honesty, a lot of things would have to go wrong simultaneously to actually result in you being locked out of your account.
>
> <SNIP>
>
> For me, my recovery codes are stored in my password manager (1Password)...
>
> <SNIP>
>
> If you are really concerned about the two-factor process, don't use it for Evernote and opt for the next best thing: use a complex, randomly generated, unique password. A password manager like 1Password or LastPass would be an asset here (and they are also very useful when using two-factor too).

 

Thanks for your thoughts.  I completely agree that a lot of things would have to go wrong, but every second of every minute of every day a lot of things are going wrong somewhere in this world.  Whether through carelessness or extreme bad luck, it's going to happen to an Evernote user at some point, and it boggles my mind that there isn't a "failsafe" way to get back into your account.  I don't know whether Evernote has designed their two-step verification system so that it's physically impossible for them to recover someone's account, or whether they simply don't have the process or manpower to handle manual account recovery requests, but either way, it seems misguided.

 

As for your suggestion, funnily enough, I'm a 1Password user myself, so I already have the long complex password covered. Storing the codes in 1Password itself is an interesting idea, although that is reducing the security of your Evernote account slightly (if your 1Password were ever compromised, e.g. via a keylogger, the attacker would have both your Evernote password and your OTP codes).

> I am moving to central Maine <SNIP>
>
> In a situation like yours where you can anticipate a move like this, I think the best plan would be to disable two-factor NOW, and re-enable it once you have settled in Maine with a new provider and phone number. I believe re-setting it up like this allows you to change your number (the key here, of course, is being able to disable two-factor BEFORE you lose access!).
>
> <SNIP>

 

 

This is a perfect example of the fragility of Evernote's two-step system. Evernote (at least by virtue of its marketing) wants us to store our lives in Evernote, and many people have done so, because the core product is so good (I saw one forum member mentioning they had over 30k notes!).

 

Consequently, there should never be a risk of being permanently locked out of our accounts.  It's simply not acceptable.  The system needs to be robust enough that it can tolerate any number of life events, both the foreseeable and unforeseeable, without the risk of permanent data loss.


Where else would you suggest storing your recovery keys that is safer than 1Password? Paper? Sure, but that is easily compromised, lost, or damaged. A file on the hard drive? That's more easily compromised than 1Password....

 

As for keylogging, if a keylogger compromised 1Password, it would compromise every single account in 1Password. Then again, for those who do not use 1Password, a keylogger would still compromise any account the user happens to access by manually signing in (and unlike devoted 1Password users, these users are very much more likely to recycle passwords across accounts, meaning even those they don't access may get compromised if they share passwords and email address logins), so I don't see a terribly significant difference. A keylogger is also just as likely to compromise any other digital means of storing your recovery codes, as well as to capture the recovery process (including resetting your password). Honestly, if you have a keylogger on your system, you're pretty much toast no matter what.


Scott, agreed on the keylogger - you're pretty much toast at that point.

Bumping this to see if anyone else wants to weigh in?

You're paranoid about a situation that's extremely unlikely to ever happen. Seriously, did you read the other comments? Do you realize all of the things that would need to happen at the same time for you to permanently be locked out of your Evernote account? I'm sure you could tighten your tinfoil hat and come up with some bizarre scenario, but it's not going to happen.

3 years later...

You've asked for some replies; here is one:

A fumbling end user such as myself can be led to an uncommon dead end when told instructions and bungling them.

Tonight, I am uncertain whether the dedicated efforts made by me, myself, had been successful.

Please allow me to explain further:

(There are no excuses; I had not fully aroused from slumber while planning my actions.)

1) Logged myself in

2) Chose to enable the 2-step verification and entered my email address

3) Received and verified the email identity

4) Answered the question asking for the code

5) Gave up my personal cellphone number

6) Tried to enter a 2nd contact phone number (used a non-cell number... oops)

The website returned a message stating: 2-step is not enabled

Refused me the security because I didn't use another cellphone, huh?

This topic is now archived and is closed to further replies.