
Idea

I noticed that it doesn't seem possible to remove the primary phone number while two-step verification is enabled.  Unfortunately, that weakens the security of two-step verification, even when using an authenticator app.  

This Wired article provides a great overview of the weakness of SMS-based two-step verification and its vulnerability to "SIM swap" type attacks:

https://www.wired.com/2016/06/hey-stop-using-texts-two-factor-authentication/

I'd love to see the ability to remove phone numbers as an override for authenticator-based two-step verification.  I'd also love to see Evernote adopt the U2F protocol for improved two-factor security:

https://www.yubico.com/solutions/fido-u2f/

 


5 replies to this idea


  • 1

I have just purchased a U2F key and would like to start using it with Evernote. What are the future plans for the added level of security?

  • 0

Has this gained any traction? SMS two-factor is insecure and Google Authenticator relies on your phone working... I already use U2F FIDO with other accounts and it would be great to use it here too.

  • 0

Agreed. Evernote, please remove the mandatory phone number for 2FA.

As for U2F: modern password managers also generate 2FA (TOTP) codes. They also offer cloud syncing, making you independent of devices.

Funnily, there is an inconsistency in their policy. You need premium for SMS 2FA. With basic you still need SMS for setup. BUT: during login you can select "help with 2FA" and there you can send a verification SMS, even with a basic account!
