Google Authenticator required for EN 2-factor authentication?

I'm new to the idea of 2-factor authentication and I want to set it up for my Evernote account. In the 2fa setup process, I got as far as entering my phone number and a back-up phone number, and I was then prompted to do something with Google Authenticator on either iPhone or Android or Blackberry. It seemed like unless I did that, I couldn't go on with the 2-factor authentication setup. However, I have an old iPhone (a 3G) on which I have iOS 4.2.1, and I'm guessing that's the most recent version of iOS that the phone is compatible with. But Google Authenticator requires Apple iOS 5.0 or later. So I have several questions:

(1) Does this mean that I can't set up 2-factor authentication for my Evernote account unless I get a phone that Google Authenticator is compatible with?

(2) Why do I need Google Authenticator for 2-factor authentication anyway -- that is, why isn't supplying my phone number and a backup phone number sufficient for 2-factor authentication? -- isn't the first factor my password and the second factor the code that is sent to one of my phone numbers?

(3) More generally, I don't really understand how Google Authenticator works and what it's for. Can someone please explain this in simple terms?

(4) Does Evernote 2-factor authentication not work with Windows Phone?

Thanks for any assistance you can provide.


I can address question 3 in a pretty basic way (I am no expert at all).

 

The temporary code is generated from a "seed" number that is assigned to your account. This seed number is the starting point for generating random 6-digit codes every 20 seconds. So there is a server sitting there just ticking away, producing a new 6-digit code every 20 seconds. When you want to authenticate, a text message is sent to you with whatever code was just generated at the top of the 20 second mark. 

 

GA is a replacement for receiving a text message. The benefit of having it in an application rather than receiving a text message is that if you are in a location with poor cellular reception where a text message may be delayed or never received, you can still authenticate (since these applications do not require a network connection). If you work in the basement of a building and need to log in, no problem. 

 

This works by essentially storing that seed number (the root of your random number generation) on your device, so that the server and your device are both ticking away the 6-digit codes every 20 seconds, and since they share the same seed, the codes are always the same on the server and your device.

 

 

What google authenticator (and other, similar applications/services like Authy, which is my go-to for 2-factor and works with anything Google Auth does) does is generate a temporary password every 20 seconds or so, rather than send you a temporary code in a text message. 
 

A user opens up the GA or Authy application and the application essentially says "this is the number the server has for the next 20 seconds, type it in now", so you type the number into the box, it checks it against the server, and as long as you typed it in correctly and haven't run out of time, success! 

 

The idea behind this is that it is more secure than a username and password (even a complex password). For example, if someone were to know your password, perhaps because you gave it to them, or because a server was hacked and passwords were revealed, without 2-factor auth, that user would have immediate access to your account. 
 

However, with 2-factor, even with your user name and password, they'd ALSO need your device (the second factor) to log in. Simply typing your user name and password is not enough. They need that device. So if they are a hacker on another continent, they obviously aren't in a position to nab your cellular phone. Since you have to log into Evernote to change two-factor settings, such as the associated device/phone number, a hacker/thief couldn't even add their own device because they can't log in in the first place. 

 

It was a long time ago I set up two-factor for Evernote so I can't remember if you can NOT use GA. I suspect you should be able to set it up with GA and just use text messaging. I'll set up a test account and see how it goes. 

 

Now, that is my very layperson explanation, but I hope it gives you the gist. For a more technical (and more accurate) explanation there's this wikipedia article:

http://en.wikipedia.org/wiki/Google_Authenticator

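A worked version of the shared-seed scheme described in the post above, added here as an example (it is not code from the post, from Evernote, or from Google). It implements the TOTP algorithm of RFC 6238, which is what Google Authenticator and compatible apps run: the server and the phone hold the same secret, each divides the current Unix time by a step length (30 seconds in RFC 6238; it is a parameter below) to get a counter, and each computes HMAC-SHA1 over that counter and truncates it to six digits. Nothing is sent to the phone, which is why the app works with no signal. The server-side check accepts one step of clock drift either way and refuses any counter it has already accepted, so a code that someone watched you type cannot be replayed. The secret and timestamps are the published RFC 6238 test vectors; the base32 spelling of the secret is the form it takes inside the QR code the app scans (the spacing is just for readability).

```python
import base64
import hashlib
import hmac
import struct
import time


def secret_from_base32(text: str) -> bytes:
    """Decode a base32 seed as it appears in an otpauth:// enrolment QR code.
    Tolerates lower case, spaces and the missing '=' padding many QR codes omit."""
    cleaned = text.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic
    truncation (4 bytes at the offset given by the low nibble of the last byte)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the HOTP counter is the number of whole steps since the epoch.
    This is the whole 'client side'; it needs only the seed and a clock."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                last_counter: int = -1, step: int = 30, digits: int = 6,
                window: int = 1):
    """Server side. Returns the counter that matched, or None.
    - accepts +/- `window` steps to absorb phone clock drift
    - rejects any counter <= last_counter so an observed code cannot be replayed
    - uses a constant-time comparison for the digit string"""
    if len(submitted) != digits or not submitted.isdigit():
        return None
    now = unix_time // step
    for candidate in range(now - window, now + window + 1):
        if candidate < 0 or candidate <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits), submitted):
            return candidate
    return None


# Constructed demo input: the RFC 6238 reference secret ("12345678901234567890"
# in ASCII) written in base32, the way a QR-code enrolment would deliver it.
DEMO_SECRET_B32 = "GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ"


def demo(now: int = 1111111109) -> dict:
    """Walk one login: phone computes a code offline, server accepts it once,
    a replay is refused, and a code from a phone 30 s slow is still accepted."""
    secret = secret_from_base32(DEMO_SECRET_B32)
    phone_code = totp(secret, now)                      # shown by the app, no network
    last_counter = -1                                   # server's per-user state

    first = verify_totp(secret, phone_code, now, last_counter)
    if first is not None:
        last_counter = first                            # remember what was accepted
    # Same code presented again a few seconds later (e.g. shoulder-surfed): refused.
    replay = verify_totp(secret, phone_code, now + 5, last_counter)
    # Phone clock one step behind: previous counter is still inside the window.
    drifted = verify_totp(secret, totp(secret, now - 30), now, -1)
    return {"code": phone_code, "first": first, "replay": replay, "drifted": drifted}


if __name__ == "__main__":
    print(demo(int(time.time())))
```

The replay check matters more than it looks: with a 30-second step and a one-step window, an intercepted code stays valid for up to 90 seconds unless the server records the counter it last accepted for that user.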

Hmm, just tried this with a test account and it looks like there's no way around setting it up with Google Authenticator (or Authy). Seems a bit odd because this essentially means only users with relatively up-to-date smartphones could use 2-factor with EN...

 

Not sure what the solution is other than to not use two-factor auth. If this is the case, then I'd recommend using a password manager like LastPass or 1Password (my favourite) to produce great passwords. Not a total replacement for two-factor, but a hell of a lot better than "123456789"...


Hi Scott,


Thanks for the explanation about Google Authenticator. So it sounds like for 2fa, the first factor is my password, and the 2nd factor is one of the following: either a six-digit code that I get from Evernote in a text message on my cell phone, or a six-digit code that I get from Google Authenticator. So, to log on to Evernote, I type in my password, and then I type in the six-digit code that I get either from Evernote (as a text message) or from Google Authenticator, and that authenticates me. Is that correct? Is there a point in the logon process where I choose to get the six-digit code either from Evernote or from Google Authenticator?


Thanks!



You bet, you've pretty much got the idea down pat!

 

Just tested this. 

It looks like when you are prompted for the 6 digit code, you can select "I need help getting a verification code", then you can say "send to ###-###-####" and you'll get a text with code. 

 

The trouble I see, coming from your position, is that it would seem based on my testing that just setting up the 2-factor seems to require Google Authenticator, even though you could, from the looks of it, never ever use it, and instead rely solely on texts. If you are unable to install GA on your older device, you may be stuck. If this is the case, you should contact Support and let them know, because I think that it is unreasonable to limit 2-factor to those with up-to-date smartphones.


 Is there a point in the logon process where I choose to get the six-digit code either from Evernote or from Google Authenticator?

 

Yes and no.

If you're logged into the web client, you can change your setting (Text vs Authenticator) at any time.

If you've chosen Authenticator, at login time you have the option of having a verification code sent to you via a text message. (Click the "I need help with getting a verification code" link, then click the 'Send a code' button).


The trouble I see, coming from your position, is that it would seem based on my testing that just setting up the 2-factor seems to require Google Authenticator

 

Google Authenticator is only required when setting up 2 factor for free users. Premium users can set it up with only text messages.


 

The trouble I see, coming from your position, is that it would seem based on my testing that just setting up the 2-factor seems to require Google Authenticator

 

Google Authenticator is only required when setting up 2 factor for free users. Premium users can set it up with only text messages.

 

Ah, that would explain it. My test account is a free account.  Thanks for clarifying. 


If you're a premium user and you set up 2fa with only text messages, can you set it up with Google Authenticator later (assuming that at some point in the future I have a phone that can use Google Authenticator)? The reason I ask is that there will be times when I am out of the country (USA) when I won't be able to receive text messages. And so at those times I would want to use Google Authenticator, because the way I understand it, you don't need a web or wireless connection to be able to get a 6-digit code from Google Authenticator.


If you're a premium user and you set up 2fa with only text messages, can you set it up with Google Authenticator later 

 

Yes, you can switch between the two options at any time.
