
cwb

Level 5
  • Posts: 800
  • Joined
  • Last visited
  • Days Won: 8

Everything posted by cwb

  1. Second jot script arrived. Pixel Perfect if I push my eyeballs to the right.

  2. That's a little brief, no? They both work. When I used it, SMS wasn't as reliable. Sometimes on Evernote's side, other times I know SMS is subject to delays from my carrier. All in all, it seems like a lame system compared to the alternatives. Google Authenticator mode works great with Evernote, so that's what I use. Actually the protocol, I left Google's actual authenticator app for one of the many better alternatives - HDE OTP in my case. Just turn it on in your Evernote account settings. You're walked through setup.
  3. Jot script arrived. Loved it for the 10 minutes it worked. Build quality is not Adonit's usual. Waiting on Warranty replacement.

  4. waiting for jot script arrival...

  5. Ok, got it. Isn't that already essentially addressed on the mobile client with PIN support? Now if we're talking about bringing that over to the desktop side, it sounds appealing, except that somewhere near half of the users I've read posting requests in that area know that the data can still be read on the back end, either in the same account looking at the Evernote folder and sqlite database itself, or the same from another admin level account on the same computer. Adding local per note/notebook side encryption then serves both halves of the feature request. It blocks both in-evernote and out-of-evernote read attempts. And this is completely separate from any discussion of the evernote server side handling/non-handling/awareness of the encryption. This would be local client encryption only, with data decrypted on every authenticated read (be that the Evernote user, or a sync operation).
  6. Sadly no, a password prompt and auto-timeout (as is in place in mobile EN clients with premium account) has nothing to do with the needs enumerated in this thread. That's not to say it's not worthwhile, even in addition to encrypted notes/notebooks (be it local, remote, local and remote - non-key-escrowed), but it just addresses the requests of other use cases in other threads. For now breath is likely best conserved until EN releases what they already have baking in the oven and we kick it around a bit.
  7. It's not supposed to be... It exposes the weak link of software second factor. It can be cloned (at least at setup). So yes, a little pre-knowledge and effort is required because you're slipping off the designed path. It goes against the tenets of secure authentication to have duplicated authenticators. So you got it in 1. It's not supposed to be user friendly to do.
  8. Sure you can. When the QR code is presented, program it into multiple authenticators. I saved the setup QR code into an encrypted note in LastPass, so I can set up a new authentication device if/as needed. This would generally be less secure except that I have LastPass geographically restricted and second-factor secured with a Yubikey.
  9. It might be a subtle point but I think a PIN might be better than a "password". Just like on the mobile devices. I wouldn't want someone getting carried away thinking there's any security behind that. I do want to deny casual use if someone is granted brief access to my desktop, without having the hassle of logging in and out of Evernote in the desktop client. But all of the data is still there for the gleaning if you look at the backend. For that, there's no substitution for encryption. It's not hard and doesn't have to add noticeable overhead.
  10. Not that my IT desk is quiet this week, but still, happy I'm not on the Evernote windows team just now...

  11. The authenticator does work well. Just an FYI, there are a few other free and paid OTP apps which are interoperable. One I've settled on is HDE OTP. Aesthetics aside, one thing I liked was the ability to add a PIN, so that its use is restricted.
  12. It was indeed intended to show that we shouldn't be myopic on NSA surveillance of US-based data centers. You should assume that you're subject to metadata (if not more) surveillance wherever you are. Note that the UK collects more metadata than the US (though through agreement, they share access to one another's data): http://www.wired.com/threatlevel/2013/06/gchq-tapped-200-cables/ They aren't going to say anything about the spy taps they have on foreign undersea cables, but that's been known for a very long time. So you have to assume that your data is being sifted over by:
     • Your own government, plus any they have intelligence agreements with
     • The governments of any countries your packets pass through
     • The governments of any enemies of your government, through clandestine undersea taps (if ours are doing it, one has to assume some likelihood it happens the other way)
     Being inside or outside the US, with a data center inside or outside the US, likely makes very little difference. The only recent news here is that it's recently become news to some people (and perhaps the getting of a renewed sense of the scope creep enabled by Moore's law). Act accordingly. Though the horse left the barn on that requirement long ago. http://en.wikipedia.org/wiki/Operation_Ivy_Bells http://www.nytimes.com/2005/02/20/politics/20submarine.html?_r=0 Using encryption now just flags you for permanent archiving: http://www.forbes.com/sites/andygreenberg/2013/06/20/leaked-nsa-doc-says-it-can-collect-and-keep-your-encrypted-data-as-long-as-it-takes-to-crack-it/
  13. No worries there. Last year they announced building a datacenter in China. No Prism access there.
  14. The current version (Build ID: 78f7d0f, see "options") works fine, but perhaps your installed version needs an update. Your options in preferred order would be to:
     • Redownload and install the latest version
     • Generate an application password
     Point being, both old and new clients can work with 2 factor; nothing's left out in the cold. But it's certainly better to use the latest 2-factor-aware versions.
  15. There is no tie into your Google Account(s) at all. The Authenticator has Google in the name because they wrote it. You can add and remove whatever sites to the Authenticator you want, that support it. For example, it's trivial to add Google Authenticator support to your own WordPress blog. And LastPass has Google Authenticator support. There is no interaction with Google servers at all. As for SMS, I would think EN has built the costs into their business model if they rolled out that as the default. But you could switch to the Google Authenticator if you want to be thrifty. The side benefit there is that it doesn't have to be a phone even. It could be an iPod/iPad type device without a data connection. It's not as secure, but you can even put it on a backup or spouse's device as well (accomplished by having both Google Authenticators present and scan the QR code image at the same time during setup). In a sense it breaks my usual IT tenet of 1:1 tying of credentials to people, but essentially my wife and I are one.