Improve defense against "sim swap" attacks

[Paul A. 609]

I noticed that it doesn't seem possible to remove the primary phone number while two-step verification is enabled.  Unfortunately, that weakens the security of two-step verification, even when using an authenticator app.  

This Wired article provides a great overview of the weakness of SMS-based two-step verification and its vulnerability to "sim swap" type attacks:

https://www.wired.com/2016/06/hey-stop-using-texts-two-factor-authentication/

I'd love to see the ability to remove phone numbers as an override for authenticator-based two-step verification.  I'd also love to see Evernote adopt the U2F protocol for improved two-factor security:

https://www.yubico.com/solutions/fido-u2f/

 

[TonyMTX 0]

+1

[luuuis 0]

Upvoted.

[MarkfromCanada 1]

Has this gained any traction?  SMS two-factor is insecure and google authenticator relies on your phone working...  I already use U2F FIDO with other accounts and it would be great to use it here too.

[boyddt 1]

I have just purchased a U2F key and would like to start using it with evernote, what are the future plans for the added level of security?

[eucalypto 2]

Agreed. Evernote, please remove the mandatory phone number for 2FA.

As for U2F. Modern password managers also generate 2FA (TOTP) codes. They also offer cloud syncing making you independent of devices.

Funnily, there is an inconsistency in their policy. You need premium for SMS 2FA. With basic you still need SMS for setup. BUT: during login you can select "help with 2FA" and there you can send a verification SMS, even with a basic account!