
Two step authentication (e.g. via Google authenticator) and encryption



+1 The more security there is, the better. Another excellent idea would be to have a limited account system. For example, you could have Evernote installed on your iPhone as well as your Android phone. What if it gets stolen? Basically all your notes are vulnerable to being read.

What I'm suggesting here in this new idea is not a two-factor authentication, but a limited account system where you can choose which folders are available to be edited without an extra login/confirmation.

However, this might get a little tedious and people might not like it, so perhaps this could be an opt-in option.


On personal devices like your phone/laptop/pc you should add your own security. Nothing should be accessible when it gets stolen not even limited!

(Although securing your phone can still be a pain.. but that’s another discussion :) )

Two factor authentication should kick-in when accessing your data from a public computer. Maybe with a separate password and a “single-use code” like Microsoft offers with logging into Hotmail..

Dear Evernote representatives, is there any chance that Evernote is working on such a security feature?


We haven't started this in the 5 days since my last post, but a bunch of the executives at the company come from an enterprise government security background, so we're familiar with the issues involved and how we would approach this. It's a little more tricky for us than your average web site, since we have clients on many platforms, which would all need to implement this multi-factor security scheme for it to be meaningful.

Thanks

  • Level 5
Dave Engberg mentioned:

  • an enterprise government security background
  • the issues involved
  • It's a little more tricky for us
  • we have clients on many platforms
  • would all need to implement this multi-factor security scheme

Reading between the lines:

Certainly there are some business users who will say they are more than willing to pay extra for all this.

From my perspective, I am very happy with the current premium pricing structure.


I guess I wasn't even thinking about the business model, more of the tech stuff. I just happen to have a background in this sort of thing, and it's a little more complicated for us.

Background, e.g.:

http://middleware.internet2.edu/pki05/p ... _cards.ppt

http://middleware.internet2.edu/pki05/p ... _cards.pdf

http://www.corestreet.com/about/library ... 53,396.pdf

Dave Engberg mentioned:

  • an enterprise government security background
  • the issues involved
  • It's a little more tricky for us
  • we have clients on many platforms
  • would all need to implement this multi-factor security scheme

Reading between the lines:

Certainly there are some business users who will say they are more than willing to pay extra for all this.

From my perspective, I am very happy with the current premium pricing structure.

So am I regarding the pricing structure.

I'm quite afraid that Evernote might go into the path that Microsoft does with their software pricing model. ... I hope that we won't be seeing Evernote Home Premium, Business, and Ultimate any time soon.

  • 4 months later...

Two factor authentication would be quite an uplift to Evernote. There is no other feature that is more important to me at this point.

Google has done it in a very elegant way, that doesn't disable older devices and software versions from using the service, by use of special passwords that can be enabled and disabled one by one. Such an approach would allow Evernote to implement two factor authentication even though all platforms had not been updated yet.

Or the user could simply choose to log in via Google ID ..?

  • 4 weeks later...

I love Evernote. Such a simple concept, such a useful system! I have even gone paid and I am pretty mean about paying for computer software! :)

The stronger the security, the more we can store there. At the moment I have stuff in TrueCrypt that I want to move into Evernote but I fear doing so. Two-factor authentication would be a big help.

Also, can you make it so I can at least DECRYPT messages on my Android device? I don't really need to encrypt on Android.

PS: Suggestion (maybe a stupid one): let me log in with my Google account (I have two-factor authentication turned on there) and turn off my Evernote login? But any way you folks can do it would be great.


+1 on two-factor authentication for Evernote. The Yubico/Lastpass example is a good one. I use it all the time and it is great. Plug the Yubikey in to any computer and it types in a long one-time password for you. On their website, you can enable each of your individual mobile devices not to require the Yubikey for log in as needed. Google Apps does a nice job as mentioned above providing individual passwords for clients that don't yet support two-factor authentication.


I prefer that Evernote concentrates on core functionalities such as improving the search bar in the Windows client (to bring it to the level of the Android client's), note linking..... For folks that would like to improve security there are specialized apps and services like LastPass, Prey Project etc.

  • 3 months later...
  • 1 month later...
Given the amount of sensitive info that people are encouraged to store in EverNote, surely this should be a priority feature?

I know you can use encryption with EverNote, but that makes EverNote less useful.

IME, EN is very clear that their data is not stored encrypted & does not wholeheartedly encourage people to store "sensitive" data. Instead, they encourage you to do what you feel comfortable with.


From my perspective, I am very happy with the current premium pricing structure.

So am I regarding the pricing structure.

I'm quite afraid that Evernote might go into the path that Microsoft does with their software pricing model. ... I hope that we won't be seeing Evernote Home Premium, Business, and Ultimate any time soon.

Actually, having packages like what Microsoft has would be pretty useful. I mean, a lot use Evernote for business, and specific business features and integration for that specific business version pack would be the right package for the right person. This also allows users to not pay for features they don't use, if they don't use it and there's a package for it.

  • 1 month later...

I freaked out today when I saw that my Gmail account was accessed from the United States while I was nowhere close to the US.... I immediately changed passwords and turned on 2-step verification for my Google and LastPass accounts.... I now feel that my Evernote account is less secure than it should be. And it is not a nice feeling. Please implement 2-step verification through Google Authenticator or something similar. Thanks


I have also suggested this recently in a thread.

I don't know whether it is an unreasonable request. Perhaps the additional infrastructure it would take would be too costly, or however otherwise it might be difficult to implement such a system.

But Evernote is basically the only thing I use extensively on the internet that doesn't have a two-step verification system. At this point I certainly wouldn't have my mail just a password away from access. And I'm really glad that Steam implemented Steam Guard before this latest row with the hacking.

As it is, a hacker that gets into any machine I use, whether physically or electronically, could access and delete all my data and it is not clear that I would be able to stop it or even be notified that a breach was attempted. If a hacker also needed something I possessed, say my phone, that would change the situation significantly.

If it is too expensive to run such a system then maybe they could have it as an extra premium feature, like that newly announced extra upload GB's? There has to be some way of protecting our data.

  • 2 weeks later...

That thread leaves the question sort of unanswered. Also this thread was made with two factor verification, for individuals specifically, in mind.

As I've stated, I use no other service at all with this low of a security standard.

While I'm not expecting them to come up with something as polished as Google's system, keep in mind that a business like Blizzard Entertainment uses an advanced form of this configuration to protect their consumers' game accounts (Indeed, for a GAME!).

Now Steam, by Valve, has recently adopted, and just in time, a sort of middle ground at least. Steam Guard demands that, if you log in from a new machine, you verify that machine from your e-mail address. Now that is very simple technology that just offers a layer of protection that is to be expected.

Now think of Evernote, which soon has almost as many users as Steam - and stores some of the most sensitive information on the web - and could be fully and surreptitiously breached by just compromising a single password. I do adore Evernote but this is rather jarring. If Valve can do a simple verification guard system (that effectively piggybacks on the e-mail's security measures) then I'm sure Evernote - now that they're expanding - could see themselves to just adding one layer of protection.

The Evernote concept is indeed to be the guardian of all your memories and thoughts (remarkably personal stuff). Would it be too much to ask for some moderate movement on this front?


The best way for Evernote to do this would simply be to develop an iOS / Android app that generates a code that you'll need to log in on a new machine (and to log in every 30 days). This is simple two factor authentication. There are already three Evernote apps on mobile so I think this ought to be next.

The Steam Guard I mentioned before is a system that requires the hacker to have access to at least two passwords:

"Steam Guard is an additional level of security that can be applied to your Steam account. The first level of security on your account is your login credentials: your Steam account name and password. With Steam Guard, a second level of security is applied to your account, making it harder for your Steam account to fall into the wrong hands.

When Steam Guard is enabled on your account, anyone attempting to login to your Steam account from an unrecognized computer must provide additional authorization. A special access code will be sent to your contact email address, and this code must be entered into Steam before your login is complete.

Once you've verified your email address with Steam, Steam Guard becomes available for your use. Once enabled, you will be required to access your email and provide the special access code from Steam Support when logging into Steam from any computer which we don't recognize."

From Steampowered.com

Valve didn't develop a mobile application just to log into Steam (Steam isn't really a place people store very personal information); they just require you to know more than a single password. And since many people have advanced security options for their mail, Steam becomes significantly more secure.

I would be more than happy if Evernote would only ask for an e-mailed code whenever you log in from a new machine, like Steam Guard. This means you are also alerted if someone else knows your Evernote password. As it is now, it's impossible for me to know whether someone is accessing my account.

Now it is fairly common on these boards to say something in the vein of "if you don't like it - don't use it!" and it is true that I am rambling on about this, but this is only because I do really like Evernote. I've tried Onenote and Simplenote and I found them not quite up to snuff.

But since people are storing their memories here, and it will be progressively difficult 'move out' the longer you use it, I think we deserve to know soon what Evernote has in mind for security in the future.

I'm sort of working under the assumption that Evernote will get better security options down the line. I might be naïve but I took the idea of "Remember everything" literally. On its face that would imply that people are putting in stuff that they have no business putting into a service that does not have the security options an e-mail might have.

I guess the question is, did I misunderstand what Evernote is? In that case I think we need some clarification before we use it to store highly personal information - and save that kind of stuff for say the gmail client, which has enough security for my satisfaction. I am truly not being facetious in asking this.

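The Steam Guard flow quoted in the post above (password first, then a single-use code e-mailed whenever the device is not recognised), worked through as an added example. This is constructed code, not Valve's or Evernote's implementation, and it simplifies in three labelled places: the client presents a per-device token (in a real deployment a cookie the server issued), the code lifetime and guess budget are assumed policy numbers, and the "e-mail" is an in-memory outbox so the whole exchange runs offline.

```python
import hashlib
import hmac
import secrets
import string
import time

CODE_TTL_SECONDS = 15 * 60   # assumed policy: an e-mailed code dies after 15 minutes
MAX_CODE_ATTEMPTS = 5        # assumed policy: five wrong guesses void the code
CODE_ALPHABET = string.ascii_uppercase + string.digits


def _fingerprint(device_token: str) -> str:
    """Store only a hash of the device token, as with any other credential."""
    return hashlib.sha256(device_token.encode("utf-8")).hexdigest()


class NewDeviceGuard:
    """Server side of 'password, then an e-mailed code if the device is new'.

    `now` is injectable so the expiry path can be exercised without waiting.
    """

    def __init__(self, now=time.time):
        self.now = now
        self.passwords = {}   # user -> (salt, pbkdf2 digest)
        self.trusted = {}     # user -> set of recognised device fingerprints
        self.pending = {}     # user -> the one outstanding challenge
        self.outbox = []      # (user, code): stands in for the e-mail that would be sent

    def register(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.passwords[user] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))
        self.trusted[user] = set()

    def _password_ok(self, user: str, password: str) -> bool:
        if user not in self.passwords:
            return False
        salt, stored = self.passwords[user]
        return hmac.compare_digest(stored, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))

    def login(self, user: str, password: str, device_token: str) -> str:
        """First step. Returns 'denied', 'ok' (known device) or 'code_sent' (new device)."""
        if not self._password_ok(user, password):
            return "denied"
        if _fingerprint(device_token) in self.trusted[user]:
            return "ok"
        code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(5))
        self.pending[user] = {
            "code": hashlib.sha256(code.encode()).digest(),   # hashed: a DB read must not reveal it
            "device": _fingerprint(device_token),              # bound to the device that asked
            "expires": self.now() + CODE_TTL_SECONDS,
            "tries": 0,
        }
        self.outbox.append((user, code))   # reaches only the mailbox the account owner controls
        return "code_sent"

    def confirm(self, user: str, code: str, device_token: str) -> bool:
        """Second step: the code from the e-mail, typed on the same device that asked for it."""
        challenge = self.pending.get(user)
        if challenge is None:
            return False
        if self.now() > challenge["expires"] or challenge["tries"] >= MAX_CODE_ATTEMPTS:
            del self.pending[user]
            return False
        challenge["tries"] += 1
        if challenge["device"] != _fingerprint(device_token):
            return False
        submitted = hashlib.sha256(code.strip().upper().encode()).digest()
        if not hmac.compare_digest(challenge["code"], submitted):
            return False
        del self.pending[user]                     # single use
        self.trusted[user].add(challenge["device"])
        return True


if __name__ == "__main__":
    guard = NewDeviceGuard()
    guard.register("alice", "correct horse battery")
    print(guard.login("alice", "correct horse battery", "laptop-1"))   # code_sent
    _, emailed = guard.outbox[-1]
    print(guard.confirm("alice", emailed, "laptop-1"))                  # True
    print(guard.login("alice", "correct horse battery", "laptop-1"))   # ok
```

The point the post makes is visible in `login`: an attacker holding only the password gets as far as `code_sent`, and the owner gets an e-mail they did not ask for, which is the alert the poster wants. Binding the challenge to the requesting device stops a code phished out of the owner from being redeemed on the attacker's machine.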

I guess the question is, did I misunderstand what Evernote is? In that case I think we need some clarification before we use it to store highly personal information - and save that kind of stuff for say the gmail client, which has enough security for my satisfaction. I am truly not being facetious in asking this.

In a nutshell, if you wouldn't email it, then don't put it in Evernote. This thread discusses the various aspects of Evernote & security. As discussed in that thread, there's more to "security" than logging in. And IMO, much of the responsibility is on the users, as it should be. I.e., use a strong password that is different for all your various logins, store your desktop database in an encrypted volume, don't use free wifi (where someone can use a keylogger or packet sniffer), etc. Additionally, Evernote's stance is that security is a very personal issue. I.e., I only put copies of our tax returns in Evernote after they are password encrypted. Yet at least one EN employee (Heather?) puts their taxes in EN w/o encrypting them. (shrug) We each have to decide what we feel comfortable with & that may include adding our own level of security on our end.


I guess the question is, did I misunderstand what Evernote is? In that case I think we need some clarification before we use it to store highly personal information - and save that kind of stuff for say the gmail client, which has enough security for my satisfaction. I am truly not being facetious in asking this.

In a nutshell, if you wouldn't email it, then don't put it in Evernote. This thread discusses the various aspects of Evernote & security. As discussed in that thread, there's more to "security" than logging in. And IMO, much of the responsibility is on the users, as it should be. I.e., use a strong password that is different for all your various logins, store your desktop database in an encrypted volume, don't use free wifi (where someone can use a keylogger or packet sniffer), etc. Additionally, Evernote's stance is that security is a very personal issue. I.e., I only put copies of our tax returns in Evernote after they are password encrypted. Yet at least one EN employee (Heather?) puts their taxes in EN w/o encrypting them. (shrug) We each have to decide what we feel comfortable with & that may include adding our own level of security on our end.

I would email it, that was the point.

The E-mail has enough security measures to my satisfaction. But Evernote does not meet that security standard for personal information. I could store such information on my mail client, but that would be structurally inconvenient.

That thread you linked to is about someone physically accessing his machine and not, as you said, how to gain the access credentials. I do not have that particular problem, and this thread is explicitly about access credentials, which is the lion's share of the security concerns for many people.

Two-factor authorisation - that you would need something I have on top of knowing the password - is employed in mail services, in banking, in social games (where personal information may be exchanged, such as Warcraft) and in social communities such as Steam. That is what I would call the standard for private and personal information. All I want to know is if Evernote plans to meet that standard, which the tagline might suggest?

Maybe I'm asking Evernote to reveal features that they are not ready to reveal yet. But if Evernote does not even plan to offer the dual layer protection you would secure your e-mail behind, then there is the risk that many people, as evidenced by how often this comes up, are being led astray and find themselves unable to use this product after investing a long time in it.


That thread you linked to is about someone physically accessing his machine and not, as you said, how to gain the access credentials. I do not have that particular problem, and this thread is explicitly about access credentials, which is the lion share of the security concerns for many people.

It also discusses that your notes are not encrypted on EN servers. Hence "if you wouldn't email it, don't put it in Evernote". I'm less concerned about anyone getting my password (b/c I don't use free wifi & have strong passwords & can change my password at any given time) than I am about a hacker getting into EN servers. I know they (EN) take the best precautions. But it even happened to Dropbox. This thread may be about access credentials. But my point is that there are, IMO, greater concerns if you are putting "highly personal information" (your words) into Evernote.


It also discusses that your notes are not encrypted on EN servers. Hence "if you wouldn't email it, don't put it in Evernote". I'm less concerned about anyone getting my password (b/c I don't use free wifi & have strong passwords & can change my password at any given time) than I am about a hacker getting into EN servers. I know they (EN) take the best precautions. But it even happened to Dropbox. This thread may be about access credentials. But my point is that there are, IMO, greater concerns if you are putting "highly personal information" (your words) into Evernote.

I'm sorry but these are all near irrelevant arguments.

The probability of someone, wanting to pry in my account, to get into the Evernote servers and extract that information is basically not on the radar at all.

I haven't even changed my Steam password because I will know if someone is trying to access my account.

And if you do recall the Steam incident - they probably didn't get anything beyond forum information because it was an entire server they were hacking. That is millions of users of information to try to extract in a short period. The only reason you heard about the Dropbox hacking is because it is very rare for someone to hack into the server of a big software service, while single passwords are compromised all the time.

I'll put it like this - That someone is going to physically break into my desktop: Low probability - That someone is going to extract my database from the Evernote servers: Low probability

I would venture that 99% of account breaches are from some form of phishing, keylogging, malware or mistakes and slip-ups on the part of the user. I'd be surprised if even 1% were due to server attacks.

I hope you come to see that there is a reason that Google, banking and even game services didn't argue the way you do about security, pointing to the 1% to justify the absence of something that might help 99%. I would call that making the perfect the enemy of the good.

I'm fine about the 1%. All I want Evernote to do is to get the security standard up to that of an e-mail service.

  • 3 weeks later...
  • Level 5*

two-step verification with a password + security question would be ok. i don't want to have to get out my phone (google system). still, the only time i need a password is when i login to the website, which i rarely do, so it probably isn't much help. i have unique passwords for everything, they are long, and i change them all regularly, so i am not terribly concerned about stolen passwords. as long as evernote secures our passwords, salts them, and separates our credit card information, we ought to be ok. do they? that is more important than any two-step verification.

the problem with google is that it is the key to everything, and too many people share their passwords with it. a friend recently had a spurious charge and discovered that their amazon account had been hacked (two "refund"s of 500 through the seller account?), the hackers went into the google account, and they set all messages from amazon to go into the trash, and the trash to be deleted. it was quite nefarious ;)

anyhow, the hackers were successful (probably) because the friend used the same password on every site, even sketchy ones, and all the hackers had to do was get into the google account with this master password to start changing passwords to paypal and everything else, because gmail was used as the account for everything. two-step verification would have helped, but the real culprit was poor password practices.

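The "secures our passwords, salts them" part of the post above, worked through as an added example. It is constructed here, is not Evernote's code, and says nothing about what Evernote's servers actually do: a per-user random salt fed into a slow key-derivation function, a constant-time check, a rehash hook for raising the work factor later, and the unsalted hash it replaces so the difference the poster is asking about is visible. The iteration count is an assumed work factor.

```python
import hashlib
import hmac
import secrets
from typing import Optional

PBKDF2_ITERATIONS = 200_000   # assumed work factor; raise it as hardware gets faster


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return the only thing the database stores: algorithm$iterations$salt$digest (hex).

    A fresh 16-byte salt per user means two accounts with the same password get unrelated
    records, and an attacker who steals the table has to attack each row separately.
    """
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def needs_rehash(record: str, iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True if a stored record is below current policy; rehash it at the user's next login."""
    parts = record.split("$")
    return len(parts) != 4 or parts[0] != "pbkdf2_sha256" or int(parts[1]) < iterations


def unsalted_sha1(password: str) -> str:
    """The weak form the salt replaces: equal passwords give equal rows, and one
    precomputed table of common passwords cracks every matching row in a leaked dump."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    # Two users, same password: the salted records differ, the unsalted ones do not.
    print(hash_password("Tr0ub4dor&3"))
    print(hash_password("Tr0ub4dor&3"))
    print(unsalted_sha1("Tr0ub4dor&3"), unsalted_sha1("Tr0ub4dor&3"))
```

Storing the iteration count inside the record is what makes `needs_rehash` possible: the server can raise `PBKDF2_ITERATIONS` without a forced password reset, because every existing record still carries the parameters it was made with.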

I'm sorry but these are all near irrelevant arguments.

No, they are not.

The probability of someone, wanting to pry in my account, to get into the Evernote servers and extract that information is basically not on the radar at all.

Then it should be.

  • Level 5

Keep in mind that the Evernote cloud based system is less than 4 years old.

Evernote does react to pressing security issues. When Firesheep hit the malware stage, Evernote adopted SSL across the board for all users.

I would be surprised if Evernote doesn't already have two-factor authentication on their roadmap. But don't hold your breath waiting for a confirmation. Evernote seldom comments on expected release dates. They've been burned in the past and now have a stricter announcement policy. There have been exceptions however. It would be nice if an Evernote employee said something short and sweet like this about two-factor authentication.

Evernote has to balance a lot of competing priorities from their 20+ million users. Some people think two-factor authentication is the most important issue facing Evernote. Other users have similar intense feelings about other topics. There is an avid group pushing for bullet-point improvements. Another group wants task management implementation. Another wants better text editing. Others want photo-editing capabilities.

  • 1 month later...

We recommend to our clients that they protect their smart phone with a 4 character password and set it to wipe their device if the password is entered incorrectly 3 or 4 times.

If the phone is lost or stolen and someone attempts to access it, EN, along with everything else is erased and the phone is disabled.

We also recommend using a web service which allows you to remotely disable and wipe the phone. The next time it is in a location where service is available, the device will erase and disable, whether there have been any failed password tries or not. The GPS continues to work and the phone's location is monitored and logged.

Our logic on the simple password is that it is highly unlikely, even with only 10,000 possible password combinations, that someone could guess the password in 3 or 4 tries.


The best way for Evernote to do this would simply be to develop an iOS / Android app that generates a code that you'll need to log in on a new machine (and to log in every 30 days). This is simple two factor authentication. There are already three Evernote apps on mobile so I think this ought to be next.

While I'm not expecting them to come up with something as polished as Google's system, keep in mind that a business like Blizzard Entertainment uses an advanced form of this configuration to protect their consumers' game accounts

Evernote don't need to code their own app to generate the unique codes, they can just use the open source Google Authenticator app to generate the codes.

The code for adding support for Google Authenticator is quite simple http://www.brool.com/index.php/using-google-authenticator-for-your-website.

It should probably be an optional premium option, so those that don't want to use it don't have to.

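What the "quite simple" server side in the post above amounts to, as an added example that is not the linked article's, Google's or Evernote's code: the RFC 4226/6238 HOTP/TOTP computation that the Google Authenticator app performs on the phone, the otpauth:// provisioning URI the app scans to enrol, and a server-side verifier that tolerates one 30-second step of clock drift while refusing to accept the same step twice. The secret below is the published RFC 6238 test secret, used only so the self-check values are known; a real enrolment draws a random one per user.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

# The RFC 6238 test secret (ASCII "12345678901234567890"). It is public, so it is used
# only to make the values below checkable; enrol real users with secrets.token_bytes(20).
RFC6238_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, period: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of `period`-second steps since the epoch.

    This is exactly what the phone computes, so phone and server agree without ever talking.
    """
    return hotp(secret, unix_time // period, digits)


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """The otpauth:// URI Google Authenticator reads (usually as a QR code) when a user enrols.

    The shared secret leaves the server only here, once; afterwards only codes travel.
    """
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    label = f"{quote(issuer, safe='')}:{quote(account, safe='')}"
    return f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer, safe='')}&digits=6&period=30"


def verify_totp(secret: bytes, submitted: str, unix_time: int, last_used_step: int,
                window: int = 1, period: int = 30):
    """Server-side check. Returns (accepted, new_last_used_step).

    Accepts the current step or up to `window` steps either side to absorb phone clock
    drift, but never a step at or before the last accepted one: a code captured by a
    keylogger or a shoulder-surfer is useless once its owner has used it.
    """
    if len(submitted) != 6 or not submitted.isdigit():
        return False, last_used_step
    current = unix_time // period
    for step in range(current - window, current + window + 1):
        if step <= last_used_step:
            continue
        # constant-time compare: no timing signal about how many digits matched
        if hmac.compare_digest(hotp(secret, step), submitted):
            return True, step
    return False, last_used_step


if __name__ == "__main__":
    print(provisioning_uri(RFC6238_SECRET, "alice@example.com", "ExampleApp"))
    print("code right now:", totp(RFC6238_SECRET, int(time.time())))
```

Two things the article-style "just compare the code" version usually omits are in `verify_totp`: the drift window, without which a phone a minute out of sync locks its owner out, and `last_used_step`, without which the code is re-playable for the rest of its 30 seconds by anyone who watched it being typed. The server has to persist `last_used_step` per user for the second to mean anything.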

I agree. If Lastpass, which is all about security, uses Google Authenticator guess it is good enough for Evernote too. I already have Google Authenticator app installed with Google and Lastpass accounts attached to it. Not sure if it is bullet proof but I feel comfortable when thinking that my account can be accessed only from machines I use.... But it seems that this is not a priority for Evernote as they have never commented on it.


It's sort of a shame that after a year of internal discussion they are still at the "if/when" stage. Then again this is the same company that began working on due dates a year ago and are still trying to figure it out.

Good to see some form of progress though. I mean they've built an entire app around food, perhaps they'll be circling back to their main product soon.

  • Level 5*

Honestly. It's actually a good thing that they're thinking this through. Just imagine the griping if they released something half-baked, or worse, something broken. And after all, it's not as if they've exactly stood still during the whole of last year. But what the heck, it's only their business and livelihoods at stake.

BTW, the Food app was developed by a different team than the core group (for example, see http://discussion.evernote.com/topic/22350-new-evernote-iphone-apps-in-the-app-store-food-hello). Just so you know. But if you want to believe that they haven't paid attention to their main product, go ahead.


It's sort of a shame that after a year of internal discussion they are still at the "if/when" stage. Then again this is the same company that began working on due dates a year ago and are still trying to figure it out.

Good to see some form of progress though. I mean they've built an entire app around food, perhaps they'll be circling back to their main product soon.

If they're still at if/when, then apparently it's never passed the "if" part. Apparently not a high priority to the EN team & it's their product, their choice. It certainly is not an indication they are neglecting their main product.

And, FYI, their main product is really the service, since no one pays for any of their clients. So anything that feeds their service is indeed supporting their main product. That whole razor/razorblade model.

  • 1 month later...

Hi there,

I continue to love Evernote and also continue to pour really private info into the service.

I'd really have a greater peace of mind if there were an option to require two-factor authentication for access to either the web or client-side apps. For those who are unfamiliar with two-factor authentication, it refers to security in which two pieces of identity proof are required: something you know (like a password) and something you have (a one-time-password dongle, numbers generated on a smartphone app, etc.). This way, even if someone guesses or brute-forces or otherwise discovers your password, they still can't access your account without your keychain dongle or your personal cell phone, etc.

http://en.wikipedia.org/wiki/Two-factor_authentication

And to learn more about how Google offers this service free to all its users, go here:

http://googleblog.blogspot.com/2011/02/advanced-sign-in-security-for-your.html

I can't stress highly enough how awesome this is and how much super-security it adds to accounts (so if you have any private info with Google, SIGN UP for 2fa!)

So, Evernote... could you please consider offering this? Thank you!!!

  • Level 5*

This has come up on the forums before. I don't think this is just a Windows issue. I think Evernote has said they are thinking about it.

Personally, I don't think it is needed, and I don't use it for Google. If you use a regularly changed, unique, long, and random password then a brute force attack will take the government's best servers several years to crack. If people just do that, why spend Evernote resources on adding this security feature?

Here is a freebie :)

9Jy84t5$9mX4PBM

  • Level 5

If you use a regularly changed, unique, long, and random password then a brute force attack will take the government's best servers several years to crack. If people just do that, why spend Evernote resources on adding this security feature?

Here is a freebie :)

9Jy84t5$9mX4PBM

Here is a site that generates a unique set of custom, high quality, completely random (maximum entropy) without any pattern, cryptographic-strength password strings. Click your web browser's "refresh" button a few times and watch the password strings change each time.

https://www.grc.com/passwords.htm

  • Level 5

I use LastPass to manage my passwords. Very long with upper case, lower case, numbers, and special characters.

I have some reservations about two factor authentication. I have it on my GMail account, and every 30 days, I am locked out so I try to locate the tiny authenticator icon on my Blackberry, get the 6 digit code, and get back to business.

My concern is that I will be switching to a new cell phone & cell provider in July. I am not looking forward to the inevitable problems I expect to encounter.

I'll probably try to cancel the two factor authentication a couple weeks before I make the phone switch.


GrumpyMonkey, yeah, I meant to post this in the Evernote Web forum. Oops.

re: picking a tough password enough in itself... I respectfully but heartily disagree. Here are all the instances in which that's Not Good Enough:

- You get phished and accidentally type in your password on a rogue site.

- You type your password while on an insecure wifi connection and it gets sniffed.

- You either get a keylogger installed on one of your own PCs or (this is apparently disturbingly common) a keylogger ends up on a PC you use on a cruise ship, in a hotel, at a youth hostel, etc. and your password is compromised.

Perhaps you're one of those people who are super super super careful about where you type your password (e.g., not at EVERN0TE.COM), you never ever ever log into Evernote while using wifi in a cafe or hotel or anywhere but your home, you never ever log into Evernote on a PC that's not yours. But I would think those situations are actually very common for most.

jbenson, I can understand your concern, but -- as someone who has changed phones at least half a dozen times in the last year or two* and lived to tell about it with 2fa -- I have a key piece of advice: print out "backup codes" (you can do this from google.com/accounts). That way, even if you misplace your phone, as long as you have this slip of paper with your codes on it in your wallet, you're okay :)

*DISCLAIMER: I work for Google, but I don't work on anything related to 2fa, and I've very, very willingly turned 2fa on my personal @gmail account and urged family and friends to do the same.

  • Level 5

jbenson, I can understand your concern, but -- as someone who has changed phones at least half a dozen times in the last year or two* and lived to tell about it with 2fa -- I have a key piece of advice: print out "backup codes" (you can do this from google.com/accounts). That way, even if you misplace your phone, as long as you have this slip of paper with your codes on it in your wallet, you're okay :)

Thanks for the tip. [Evernoted]

6 different phones in the past 2 years - Wow!

I'd go broke if I tried that with my T-Mobile contract


Perhaps you're one of those people who are super super super careful about where you type your password (e.g., not at EVERN0TE.COM), you never ever ever log into Evernote while using wifi in a cafe or hotel or anywhere but your home, you never ever log into Evernote on a PC that's not yours. But I would think those situations are actually very common for most..

I make it a point to never use wifi that's not mine for these reasons. If I'm not at home, I use the 3G on my iPhone and/or tether my wifi device to my iPhone. Claiming "most" people do is much like saying "most" people leave their keys in their unlocked car & then being annoyed because some unscrupulous person stole their car. Let's be responsible for our own actions. You don't even have to be "super super super careful", just careful & use common sense.

Link to comment
  • Level 5*

GrumpyMonkey, yeah, I meant to post this in the Evernote Web forum. Oops.

re: picking a tough password being enough in itself... I respectfully but heartily disagree. Here are all the instances in which that's Not Good Enough:

- You get phished and accidentally type in your password on a rogue site.

- You type your password while on an insecure wifi connection and it gets sniffed.

- You either get a keylogger installed on one of your own PCs or (this is apparently disturbingly common) a keylogger ends up on a PC you use on a cruise ship, in a hotel, at a youth hostel, etc., and your password is compromised.

Perhaps you're one of those people who are super super super careful about where you type your password (e.g., not at EVERN0TE.COM), you never ever ever log into Evernote while using wifi in a cafe or hotel or anywhere but your home, you never ever log into Evernote on a PC that's not yours. But I would think those situations are actually very common for most.

jbenson, I can understand your concern, but -- as someone who has changed phones at least half a dozen times in the last year or two* and lived to tell about it with 2fa -- I have a key piece of advice: print out "backup codes" (you can do this from google.com/accounts). That way, even if you misplace your phone, as long as you have this slip of paper with your codes on it in your wallet, you're okay :)

*DISCLAIMER: I work for Google, but I don't work on anything related to 2fa, and I've very, very willingly turned 2fa on my personal @gmail account and urged family and friends to do the same.

Great response. I suppose I could fall prey to any of those scenarios, except that I don't usually use my Evernote password. My computer browser remembers it and so do all of my mobile devices. I don't remember when I last typed in my Evernote password. That isn't to say that everyone is like this, of course. I bet lots of users just type "password123" for all of their stuff. I'm thinking more about how Evernote ought to be spending their time.

I don't know how Evernote decides their priorities, but if it were me, this would not be high on my list. If they have the time and money to burn on this, then I wouldn't mind, even if I don't end up using it. But, it seems to me that there are so many other projects that really need to be tackled: beefing up the iOS app, fixing search inconsistencies, fixing formatting issues on the OSX / iOS platforms, etc., etc.

Link to comment
  • Level 5*

All previous discussion on this indicates that it isn't a high priority for them and so won't be arriving imminently. No security system is infallible, doesn't matter how many passwords you have, how long they are or where you store them. It's up to the user to balance out what data he wants to store in a service based on the security that is currently available.

Link to comment
  • Level 5*

jbenson2, consider ditching the key generating app and use SMS. That is what I do. Now, no matter what phone I have, Google sends me a code via SMS to key in. As long as my phone number doesn't change, the phone I have is irrelevant.

Link to comment
  • 4 months later...

I'll start this off by saying I ABSOLUTELY LOVE EVERNOTE...

I definitely agree with the OP here. While a lot of my data on Evernote isn't "super" confidential, it would ease my mind knowing that my info was protected by another layer of security with 2 factor authentication (2fa). I currently use it w/ various other services and it's extremely easy.

This post on wired.com talks about a writer who was recently hacked. Yes, he could have done more to protect himself (for starters, he didn't have 2fa enabled on his google accounts). If you read it, you'd agree that apple & amazon were both at fault as well with their lack of security measures. The hacker (he was only 19) hacked him because he wanted his twitter handle. That is all it took to be targeted.

Dropbox recently decided they're adding 2fa as a result of their security blunder. Evernote adding 2fa is a step in the right direction and tells me they take securing my private data extremely seriously.

I hope Evernote considers this as it is extremely important that our data is protected. It's more important than any new feature they are in the process of developing. What good is this new feature if I'm not protected?

Link to comment
  • Level 5*

There are a lot of issues involved in each of these recent incidents (Matt Honan, Yahoo!, Linked-In, Dropbox, etc.). As Matt said, the most damaging thing about the attack was the data he lost, and I think Lifehacker (in the linked article above) got it wrong: 4 million factor authentication wouldn't have helped, because Apple opened the door and let the hacker inside. At best, it would have protected his Gmail account and stopped them from reaching their goal -- his Twitter account. Same thing for Dropbox last year when they exposed everyone's accounts by opening up every account to public access. Unfortunately, whenever your data leaves your laptop (anyone connected to the Internet faces this possibility) you are taking a risk.

Don't get me wrong. I wouldn't mind seeing two-factor authentication, so I am not writing against it. But, would I use it? I don't think so. I find it to be very tedious, and it pretty much ruins the convenience of working with cloud systems. So, I will probably continue trading security for convenience. Perhaps Evernote ought to begin by offering this as a premium feature to the security-concerned.

What can you do to protect yourself? These are some of the things I recommend. Security experts should feel free to jump in and tear the recommendations apart -- I am very open to suggestions for improving my personal security.

(1) Encryption

First of all, you can encrypt sensitive data before transmitting it to Evernote. It is easy to do, though, I admit, I am rather lazy about it myself, and I am thinking that I may need to be more vigilant. I'll probably go through my account over the next few days and encrypt any of the PDFs I have missed. It is a pain, but probably necessary.

(2) Strong Passwords

What else can you do? Create long passwords. Use random letters, numbers, and symbols. Use different passwords on every site. Change your passwords regularly. I recommend LastPass to keep track of it all, but you'll want to figure out the solution that works best for you (there are other competitors).

(3) Watch out for Cylons

Also, think like Commander Adama and resist networking everything so that access to your Gmail account gives a hacker access to your entire life: use separate emails for professional, personal, and "cloudy" services. It is a pain, to be sure, but something I am slowly implementing myself.

To sum up: If you are encrypting sensitive data, using strong passwords, and have your accounts differentiated, I think it is very unlikely that you will be hacked. If/when Evernote institutes two-factor authentication, you will be in a strong position to take advantage of it. Still, in Matt's case (the reporter who got hacked) none of these security precautions would have helped much, because the hacker(s) were let in and erased his data. So, the most important thing of all is to: back up your data. I recommend Time Machine or a Windows equivalent.

Link to comment

(1) Encryption

First of all, you can encrypt sensitive data before transmitting it to Evernote. It is easy to do, though, I admit, I am rather lazy about it myself, and I am thinking that I may need to be more vigilant. I'll probably go through my account over the next few days and encrypt any of the PDFs I have missed. It is a pain, but probably necessary.

(2) Strong Passwords

What else can you do? Create long passwords. Use random letters, numbers, and symbols. Use different passwords on every site. Change your passwords regularly. I recommend LastPass to keep track of it all, but you'll want to figure out the solution that works best for you (there are other competitors).

(1) I don't want to use encryption, as that would prevent me using the cool EverNote features.

(2) Strong passwords (which I use) are difficult to remember and are a single line of defence (1FA). If the password is compromised (as happened with LinkedIn), hackers have access to your account. If 2FA is used, they don't have access to your account if the password is compromised.

So, EverNote should make 2FA available. It should be optional (as it is with GMail). People that want to use it will, and be secure. People that don't use it can share their data with the world :)

Link to comment

From the LifeHacker article:

Enable Two-Factor Authentication to Ensure No One Gets In

Mat didn't have his passwords "hacked" in the traditional sense of the word, so even with strong passwords, his accounts still would have been compromised. However, two-factor authentication could have stopped the whole thing from happening. Two-factor auth requires something you know (your password) and something you have (your phone), so when an intruder types in your password, she won't be let in unless she also types in a code sent to or generated by your phone, which only you have.

Takeaway lesson: Set up two-factor authentication on every account you can, like Google, Facebook, and other high-profile services. It's one of the best ways to protect yourself against any kind of breach.

Link to comment
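The excerpt above describes the two halves of a second factor: a code generated by a device only the user holds, and (from the earlier post in this thread) printed backup codes for when that device is lost. As an added illustration that is not code from this thread, from Evernote or from Google, the following Python implements both sides of that exchange with the standard algorithms (RFC 4226 HOTP and RFC 6238 TOTP); the secret, clock value, code lengths and the backup-code format are assumptions made for the demo.

```python
"""Added example (not from this thread, Evernote or Google): RFC 4226 HOTP,
RFC 6238 TOTP with server-side verification, and single-use backup codes."""
import base64
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated
    to a 31-bit integer, then reduced to the last `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """What the authenticator app on the phone computes: HOTP with the
    counter taken from Unix time `at` in `step`-second slices."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1,
                last_counter=None, step: int = 30, digits: int = 6):
    """Server-side check. Accepts the current step and +/- `window`
    neighbours to absorb clock drift, but never a step at or before
    `last_counter`, so a code that was phished or sniffed cannot be
    replayed once it has been used. Returns the accepted counter (store it
    as the new `last_counter`) or None."""
    if len(code) != digits or not code.isdigit():
        return None
    now = at // step
    for delta in range(-window, window + 1):
        counter = now + delta
        if last_counter is not None and counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


def new_secret() -> str:
    """Enrolment: a random 160-bit seed, base32 for the QR code or manual entry."""
    return base64.b32encode(secrets.token_bytes(20)).decode()


def make_backup_codes(count: int = 10):
    """Enrolment: codes to print and keep on paper. The server keeps only
    hashes; note that 8 hex characters is 32 bits, so a leaked hash table is
    still brute-forceable offline and redemption must be rate-limited."""
    plaintext = [secrets.token_hex(4) for _ in range(count)]
    stored = {hashlib.sha256(c.encode()).hexdigest() for c in plaintext}
    return plaintext, stored


def redeem_backup_code(stored: set, code: str) -> bool:
    """Recovery login when the phone is gone: each code works exactly once."""
    digest = hashlib.sha256(code.strip().lower().encode()).hexdigest()
    if digest in stored:
        stored.discard(digest)
        return True
    return False


if __name__ == "__main__":
    # Constructed demo using the RFC 4226/6238 test secret and a fixed clock.
    secret = b"12345678901234567890"
    print(totp(secret, 59))                   # 287082
    print(verify_totp(secret, "287082", 59))  # 1
    codes, vault = make_backup_codes(3)
    print(redeem_backup_code(vault, codes[0]), redeem_backup_code(vault, codes[0]))  # True False
```

The verification window and `last_counter` are the parts worth copying: accepting neighbouring 30-second steps tolerates clock drift on the phone, and refusing any step at or before the last accepted one stops a code that was sniffed over hotel wifi from being replayed a few seconds later. Backup codes are stored hashed so a database leak does not hand them out directly.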

From the LifeHacker article:

Enable Two-Factor Authentication to Ensure No One Gets In

Mat didn't have his passwords "hacked" in the traditional sense of the word, so even with strong passwords, his accounts still would have been compromised. However, two-factor authentication could have stopped the whole thing from happening. Two-factor auth requires something you know (your password) and something you have (your phone), so when an intruder types in your password, she won't be let in unless she also types in a code sent to or generated by your phone, which only you have.

Takeaway lesson: Set up two-factor authentication on every account you can, like Google, Facebook, and other high-profile services. It's one of the best ways to protect yourself against any kind of breach.

I'm pretty sure the EN folks understand 2fa. Whether they choose to implement it or not is anyone's guess. Repeatedly bumping up the thread by adding new posts every five minutes probably is not going to be a factor in the decision but rather an annoyance for those reading the board.

Link to comment
  • Level 5*

(1) Encryption

First of all, you can encrypt sensitive data before transmitting it to Evernote. It is easy to do, though, I admit, I am rather lazy about it myself, and I am thinking that I may need to be more vigilant. I'll probably go through my account over the next few days and encrypt any of the PDFs I have missed. It is a pain, but probably necessary.

(2) Strong Passwords

What else can you do? Create long passwords. Use random letters, numbers, and symbols. Use different passwords on every site. Change your passwords regularly. I recommend LastPass to keep track of it all, but you'll want to figure out the solution that works best for you (there are other competitors).

(1) I don't want to use encryption, as that would prevent me using the cool EverNote features.

(2) Strong passwords (which I use) are difficult to remember and are a single line of defence (1FA). If the password is compromised (as happened with LinkedIn), hackers have access to your account. If 2FA is used, they don't have access to your account if the password is compromised.

So, EverNote should make 2FA available. It should be optional (as it is with GMail). People that want to use it will, and be secure. People that don't use it can share their data with the world :)

(1) I agree. I don't want to use encryption either, because I like to be able to search my data. If it is in Evernote, then it is important to me and sensitive to begin with. If I just wanted an app to store useless data that doesn't matter to me, I'd use another service. However, the fact is that anything on a server is vulnerable to some degree. Encryption of especially sensitive data makes sense...

(2) The LinkedIn password debacle wasn't all that serious if you had a strong password. The hackers are probably still trying to figure it out. So, 1FA worked pretty well. 2FA would have been better. However, some of us are going to be too lazy to use it, so for those people I recommend following the steps I outlined. And, in the end, if LinkedIn, Apple, or Dropbox open up your account to a hacker, 2FA won't do you a bit of good.

I think 2FA will almost certainly be optional. Like I said, I am not against 2FA, but I am probably going to be too lazy to use it. Maybe, if I worked in a field that necessitated better security (I am a researcher, and I doubt there are more than a few dozen people in the world who could read the stuff I have in my account, much less find any use for it).

As for Lifehacker, I think they got it wrong, even if they have a video. What is the point of 2FA if Apple is going to give away access to your account? 2FA is fine, but it is only part of the solution, and not a magic bullet.

[EDIT:] I am probably wrong about a company overriding the 2FA. They would probably reset the password if the hacker managed to fool them, but the hacker would have to have your phone to complete the process.

Link to comment

As for Lifehacker, I think they got it wrong, even if they have a video. What is the point of 2FA if Apple is going to give away access to your account? 2FA is fine, but it is only part of the solution, and not a magic bullet.

It's a google video. It's pretty informative. If the service owner does give away your password, that is only one part. They still wouldn't be able to access your account without the 2nd physical device.

Link to comment
  • Level 5*

As for Lifehacker, I think they got it wrong, even if they have a video. What is the point of 2FA if Apple is going to give away access to your account? 2FA is fine, but it is only part of the solution, and not a magic bullet.

It's a google video. It's pretty informative. If the service owner does give away your password, that is only one part. They still wouldn't be able to access your account without the 2nd physical device.

I was thinking that Apple (or whoever you call) would reset your password and this would override the 2FA, but I guess (if their security is set up correctly) they could do that and require you to use the 2FA you had set up, so even if a hacker got through and fooled them, as long as they didn't have your phone, you'd be OK. Good point then.

Link to comment

I think 2FA is a great idea and I would use it if it was implemented well. I personally like the way Google has set it up and I use it without much hassle. Ultimately, convenience does trump security and if something is too difficult or time-consuming it won't be utilized.

They could implement something like Facebook and Google do. Lastpass does it as well. I have a Yubikey token set up for my Lastpass account. It requires that I have the Yubikey in my possession to access all my passwords. I can authorize certain machines that I use daily to not require the Yubikey. So, it provides a higher level of protection since anyone trying to access my Lastpass account online would need the Yubikey but I don't need to use it everyday on my authorized machines. Google does a similar thing and allows me to authorize certain machines to not require the Google Authenticator every time (They do require that the Google Authenticator be used every 30 days to refresh the account).

Given the fact that so much of my data would be available through the web interface if someone were somehow able to obtain my password, I think it would give me peace of mind to know that at least it would require a second form of authentication (Something that I have in my possession not just something that I know) to get access to it. Evernote could have an option to enable two factor authentication using something like Yubikey or Google authenticator. Once it is set up, the user could authorize certain machines to access his Evernote account. Then if a non-recognized computer or iPad/iPhone tries to access it, it would be presented with a request for the second factor.

If something bad happens and some visible person like Mat Honan gets hacked and has his Evernote account breached through social engineering, it would be very bad for Evernote and I think 2FA should be very high on the priority list.

Link to comment
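The "authorize certain machines" scheme described in the post above, as an added example that is not the way Google, LastPass or Facebook actually implement it: a signed "remember this device" token is issued only after a full password-plus-second-factor login and expires after 30 days, so a recognised device skips the prompt and an unrecognised (or expired, or revoked) one gets it. The signing key, user id, token layout and clock values are constructed for the demo.

```python
"""Added example (not the scheme Google, LastPass or Facebook actually use):
a signed 'remember this device' token so the second factor is only asked
for on machines that have not completed a full login in the last 30 days."""
import hashlib
import hmac
import secrets

# Constructed server-side signing key; in practice loaded from configuration.
SERVER_KEY = secrets.token_bytes(32)
TTL_SECONDS = 30 * 86400  # the 30-day refresh mentioned in the post


def issue_device_token(user_id: str, now: int, key: bytes = SERVER_KEY) -> str:
    """Issued only after password AND second factor both succeeded.
    Layout (assumed for the demo): user|expiry|nonce|hmac; user ids are
    assumed not to contain '|'."""
    expires = now + TTL_SECONDS
    nonce = secrets.token_hex(8)  # lets a single device be revoked later
    payload = f"{user_id}|{expires}|{nonce}"
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"


def device_is_trusted(token: str, user_id: str, now: int,
                      revoked: set = frozenset(), key: bytes = SERVER_KEY) -> bool:
    """Check the signature first, then binding to this user, expiry, revocation."""
    try:
        uid, expires, nonce, tag = token.split("|")
    except ValueError:
        return False
    payload = f"{uid}|{expires}|{nonce}"
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False  # tampered, or signed with a different key
    return uid == user_id and now < int(expires) and nonce not in revoked


def login_next_step(user_id: str, password_ok: bool, token, now: int,
                    revoked: set = frozenset()) -> str:
    """Decide what the login form does after the password check."""
    if not password_ok:
        return "deny"
    if token and device_is_trusted(token, user_id, now, revoked):
        return "allow"
    return "require_second_factor"


def revoke_device(token: str) -> str:
    """'Sign out of this device': return its nonce for the revocation set."""
    return token.split("|")[2]


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed clock value
    tok = issue_device_token("alice", t0)
    print(login_next_step("alice", True, tok, t0 + 3600))        # allow
    print(login_next_step("alice", True, tok, t0 + 31 * 86400))  # require_second_factor
    print(login_next_step("alice", True, tok, t0 + 3600, {revoke_device(tok)}))  # require_second_factor
```

The token carries no secret of its own; what makes the device "recognised" is that the server signed it after seeing the second factor once, and the expiry forces the refresh the post mentions. The token should be set as an HttpOnly cookie scoped to the login host, since anyone holding it can skip the prompt for that user until it expires or is revoked.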

I guess that the last two standing major services (ok, I might be exaggerating a bit) which store personal data but do not have two-factor authentication are Dropbox and Evernote. Recently, after a security breach, Dropbox has announced that they are working on security enhancements including the two-factor authentication. Come on Evernote, it is your turn to announce this feature. It is really hard to argue against beefing up security for services dealing with private notes and documents. You could offer it as a premium feature. Some current premium users like me would be pleased and some free accounts might be converted... and users who do not like it do not have to use it...

Link to comment

Will there ever be a 2-step-authentication option for Evernote?

I really think that should be possible to keep all the data safe. :ph34r:

Lastpass uses Google's 2-step-authentication so I think it's also possible for Evernote. B)

Let me know what you all think of this. :)

Link to comment
  • Level 5*

Will there ever be a 2-step-authentication option for Evernote?

I really think that should be possible to keep all the data safe. :ph34r:

Lastpass uses Google's 2-step-authentication so I think it's also possible for Evernote. B)

Let me know what you all think of this. :)

Hi. Welcome to the forums!

I merged the thread you started with the existing thread on the topic.

Link to comment
  • Level 5*

Google already has 2-step-authentication, and DropBox recently announced that they plan to add it very soon.

Evernote, do you plan to step up to current security standards any time soon?

Link to comment

Perhaps one answer would be to implement SAML and then you could utilise a solution like http://www.onelogin.com/

We can already utilise onelogin with EN but in the end it's just filling in the password for you. With SAML you lock the cloud to this authentication method only and then the system becomes more like online banking....

Link to comment
  • 2 weeks later...

There are times that I need to access EN from the web at other computers eg: when I travel. For this reason I have resisted using Lastpass to generate an impossible password (I wouldn't remember it). Therefore, I am using a pass phrase (much longer than a password but easy for me to remember). I think that pass phrases are more secure than passwords.

Link to comment

@grivp Have you looked at onelogin.com

You can use it to access Evernote with 2 factor etc. It's not perfect as only apps/cloud services which are locked down to SAML only are fully secured, but it does mean you can happily access your EN on other people's PCs etc without fear of key loggers etc.

Link to comment
  • Level 5*

There's no real argument here, and besides, this is a user forum. If Evernote has two-factor authorization in the works, they just may not be talking about it until it's ready to go, because that's their general policy.

Link to comment
  • Level 5*

Agreed. No argument against the feature. Heck, the more features the better (in general). However, with finite resources (time and manpower), I have lots of other priorities for Evernote myself. My "argument" is against people who think no two-factor authentication = exposed and naked in the digital landscape. I think you could boil down my point to something very simple: you already have many protection "tools" at your disposal.

As I have mentioned here and elsewhere, good security practices will be a powerful defense against any unauthorized intrusion:

1. long

2. unique (not shared by other sites)

3. random

4. regularly changed

5. Set up an email account (choose one made up of random characters) tied only to your password manager (like Roboform or LastPass) and do not use the email for anything else (just the email to set it up, and then you won't need to log into it again)

6. Encrypt sensitive information in your account

7. Encrypt your hard drive

Link to comment
  • Level 5*

As I have mentioned here and elsewhere, good password practices will be a powerful defense against any unauthorized intrusion: long, unique (not shared by other sites), random, and regularly changed ones work well. In addition, if you have Evernote (and all of your other important sites) tied to a private email account you have shared with no one else, it is very unlikely that your information will be compromised. Finally, if you encrypt sensitive information in your account, even if someone managed to get into your account, they wouldn't find anything damaging.

GrumpyMonkey, you are missing the point. Single authentication is going to go away. It is no longer practical to use long random and regularly changed passwords. For example, every time you change your password on the Windows Phone client, it erases all of your notes and settings, as if you had uninstalled EN and started over. Plus, I have EN installed on 6 clients (PCs and mobile). It is a major hassle to do a password change.

The old practices just aren't keeping up with hackers today. 2FA is the way to go, especially for a service that touts itself as your electronic brain.

I know you aren't advocating against 2FA - you are clear about that, but please, stop defending the status quo. I've seen too many companies defend the status quo until one of two things happen - it is definitively proved wrong, or the company goes out of existence.

Link to comment
  • Level 5*

As I have mentioned here and elsewhere, good password practices will be a powerful defense against any unauthorized intrusion: long, unique (not shared by other sites), random, and regularly changed ones work well. In addition, if you have Evernote (and all of your other important sites) tied to a private email account you have shared with no one else, it is very unlikely that your information will be compromised. Finally, if you encrypt sensitive information in your account, even if someone managed to get into your account, they wouldn't find anything damaging.

GrumpyMonkey, you are missing the point. Single authentication is going to go away. It is no longer practical to use long random and regularly changed passwords. For example, every time you change your password on the Windows Phone client, it erases all of your notes and settings, as if you had uninstalled EN and started over. Plus, I have EN installed on 6 clients (PCs and mobile). It is a major hassle to do a password change.

The old practices just aren't keeping up with hackers today. 2FA is the way to go, especially for a service that touts itself as your electronic brain.

I know you aren't advocating against 2FA - you are clear about that, but please, stop defending the status quo. I've seen too many companies defend the status quo until one of two things happen - it is definitively proved wrong, or the company goes out of existence.

You are right. I didn't know the point was that single authentication was going away. If that is the point, then I can't really say, because I am not a prognosticator, and I will have to remain blissfully ignorant of 2FA's necessity :) I imagine it will come someday, but my point is that we are already well-protected. Moreover, I believe users also have to take responsibility for their data security, regardless of what Evernote decides about 2FA.

As for the specific methods I suggested, I have Evernote on six devices as well (not Windows phone) and I regularly change my password. Using a password service makes this a breeze. And, to the best of my knowledge, all of the intrusions that have been brought forth in this thread as evidence for the need for 2FA would have been prevented just as effectively with my methods. That seems like a useful thing to point out.

There isn't much you can do in a case like Matt Honan's, when a company you trust gives out your password information. Presumably, Apple would have bypassed 2FA when they opened up his iCloud account. However, if Matt had been using a private email that he had not told anyone about (as I suggested above), he would have been fine. The hackers wouldn't have gotten past his iCloud account. Of course 2FA for Gmail would have protected him as well. My point is that even without 2FA you are well-protected.

You can take that for what it is worth, but rest assured that my support for better password practices will not affect Evernote's course of action one bit. I am sure they are well-aware of 2FA and its benefits. The question (in my mind) is whether they want to devote their resources to it. I am not convinced that they need to do it right now.

Link to comment
  • Level 5*

GrumpyMonkey, check out this article http://arstechnica.com/security/2012/08/passwords-under-assault/

It explains why hackers have a vast arsenal of data to work with now that passwords and hashes have been exposed (linkedin for example) - nothing related to the Matt Honan case. Sure, you can change your password, and should, but now that they know more how users think, they can tweak their code and it no longer becomes random brute force attacks. They are focused brute force attacks with millions of entries from databases they are building, and millions can be processed very quickly.

Link to comment

I won't post anything I think is 'too sensitive' to Evernote as I don't think the security is robust enough. AND Evernote wants ~$44/yr to add a passcode to its app as additional 'security' (and I know some other options too) - LMAO for an app passcode! Now I WOULD consider paying $44/yr if it got me something like two-factor authentication along with the other upgraded features.

Link to comment
  • Level 5*

GrumpyMonkey, check out this article http://arstechnica.c...-under-assault/

It explains why hackers have a vast arsenal of data to work with now that passwords and hashes have been exposed (linkedin for example) - nothing related to the Matt Honan case. Sure, you can change your password, and should, but now that they know more how users think, they can tweak their code and it no longer becomes random brute force attacks. They are focused brute force attacks with millions of entries from databases they are building, and millions can be processed very quickly.

Yep. A good article. Thanks for that!

But, in the conclusion (page 4) it comes up with the same advice that I gave, right? Random, unique (don't use the same one on every site), long, and regularly changed passwords.

Link to comment
  • Level 5*

No, not technically. It says if you want your password to not be "trivial to break" and not be "toppled in a matter of hours" you should do that.

I want something virtually unbreakable, and encryption cannot get you there. 2FA can. I can give you my userID and password to my Gmail account and unless you knock me over the head and take my phone (and can crack my phone PIN), you still cannot get in my email. Someone sitting in Russia with their high powered computer cannot do it either - not unless they hack Google itself and bypass account authentication.

I think Evernote data falls under this umbrella. I don't want 2FA for EN forums, or other forums. It isn't that big of a deal. But email, EN data, Facebook and other sites with sensitive info, 2FA is the way to go. Dropbox just enabled it this week and I will be setting it up in the next few days.

Link to comment
  • Level 5*

No, not technically. It says if you want your password to not be "trivial to break" and not be "toppled in a matter of hours" you should do that.

I want something virtually unbreakable, and encryption cannot get you there. 2FA can. I can give you my userID and password to my Gmail account and unless you knock me over the head and take my phone (and can crack my phone PIN), you still cannot get in my email. Someone sitting in Russia with their high powered computer cannot do it either - not unless they hack Google itself and bypass account authentication.

I think Evernote data falls under this umbrella. I don't want 2FA for EN forums, or other forums. It isn't that big of a deal. But email, EN data, Facebook and other sites with sensitive info, 2FA is the way to go. Dropbox just enabled it this week and I will be setting it up in the next few days.

Again, I am not arguing against 2FA. I am clarifying what is available to us already.

As the article said, there is an exponential wall for brute force hacking. Let's say Evernote gets hacked and (assuming good password storage practices on Evernote's part) the hackers will have to work a bit to get the passwords. If you have a 20, 25, or 30 character password then the hackers will need weeks, months, or maybe years to break the password. If you follow the suggestions I made (regularly changing passwords), then you'll have changed your password long before they complete the process. If Evernote is not hacked, the process becomes even more lengthy, because Evernote blocks repeated, failed login attempts. It is, for all intents and purposes, unbreakable.

I agree that 2FA is more secure, but I want to emphasize to users that good practices (not just here, but on every site) will go a long way towards protecting your data. We are still at the point where users have shockingly simple passwords shared with everything from banks to one-off sites that require accounts to do anything (a great way to gather sensitive information from users). I have seen it firsthand. Until 2FA comes, whenever that may be, users have tremendous power to protect themselves with just a tiny bit of effort.

Link to comment
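Rough numbers for the "exponential wall" described above, plus the pass-phrase point raised earlier in the thread, as an added example that is not from the post or the Ars Technica article. The guess rates are assumptions for the demo, not measurements: a leaked table of fast unsalted hashes attacked on GPU hardware, a leaked table of slow (bcrypt/scrypt) hashes, and a live login form that locks out after a handful of failures, which is the difference the post draws between a hacked and an un-hacked Evernote.

```python
"""Added example (not from the post or the Ars Technica article): the
'exponential wall' in numbers, for passwords and for pass phrases."""
import math

# Assumed guess rates for the demo, not measurements. Adjust to your threat model.
OFFLINE_FAST_HASH = 1e10       # leaked table of unsalted fast hashes, GPU rig
OFFLINE_SLOW_HASH = 1e5        # leaked table of bcrypt/scrypt hashes
ONLINE_RATE_LIMITED = 10 / 60  # live login form that locks out after a burst


def entropy_bits(length: int, alphabet_size: int = 94) -> float:
    """Random password of `length` characters from an alphabet of that size
    (94 = printable ASCII without space)."""
    return length * math.log2(alphabet_size)


def passphrase_bits(words: int, wordlist_size: int = 7776) -> float:
    """Diceware-style pass phrase: strength comes from the number of words
    drawn at random from the list, not from how many letters they contain."""
    return words * math.log2(wordlist_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst case: every candidate of that strength is tried. Average is half."""
    return 2.0 ** bits / guesses_per_second / (365 * 86400)


def rotation_outpaces_cracking(bits: float, guesses_per_second: float,
                               rotation_days: int) -> bool:
    """The post's argument: is the password rotated before an attacker who
    stole the hash can expect to have found it? Uses the average crack time."""
    average_seconds = 2.0 ** bits / guesses_per_second / 2
    return average_seconds > rotation_days * 86400


def strength_table(lengths=(8, 12, 20, 30), alphabet_size: int = 94):
    """Rows of (length, bits, years vs fast hash, years vs slow hash,
    years vs a rate-limited live form)."""
    rows = []
    for n in lengths:
        bits = entropy_bits(n, alphabet_size)
        rows.append((n, round(bits, 1),
                     years_to_exhaust(bits, OFFLINE_FAST_HASH),
                     years_to_exhaust(bits, OFFLINE_SLOW_HASH),
                     years_to_exhaust(bits, ONLINE_RATE_LIMITED)))
    return rows


if __name__ == "__main__":
    print(" len   bits   fast-hash   slow-hash    online   (years, worst case)")
    for n, bits, fast, slow, online in strength_table():
        print(f"{n:4d} {bits:6.1f} {fast:11.3g} {slow:11.3g} {online:9.3g}")
    for words in (4, 6, 8):
        print(f"{words} words: {passphrase_bits(words):.1f} bits, "
              f"{years_to_exhaust(passphrase_bits(words), OFFLINE_FAST_HASH):.3g} years offline")
```

The table makes the two claims in the post concrete: against a rate-limited live form even a short random password takes geological time, while against a leaked fast hash only length (or a multi-word pass phrase) puts the crack time beyond any sane rotation interval. It also shows why the "assuming good password storage practices" caveat matters, since the slow-hash column is the only thing standing between the other two when the database leaks.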
  • Level 5*

As the article said, there is an exponential wall for brute force hacking. Let's say Evernote gets hacked and (assuming good password storage practices on Evernote's part) the hackers will have to work a bit to get the passwords. If you have a 20, 25, or 30 character password then the hackers will need weeks, months, or maybe years to break the password. If you follow the suggestions I made (regularly changing passwords), then you'll have changed your password long before they complete the process. If Evernote is not hacked, the process becomes even more lengthy, because Evernote blocks repeated, failed login attempts. It is, for all intents and purposes, unbreakable.

I agree that 2FA is more secure, but I want to emphasize to users that good practices (not just here, but on every site) will go a long way towards protecting your data. We are still at the point where users have shockingly simple passwords shared with everything from banks to one-off sites that require accounts to do anything (a great way to gather sensitive information from users). I have seen it firsthand. Until 2FA comes, whenever that may be, users have tremendous power to protect themselves with just a tiny bit of effort.

So, to be able to access all our long, impossible to remember passwords that we change every 90 days (or whenever we remember to do it), how should we store them - something like Roboform, or a password locker program? I use Keepass, but not sure that is the best way. I am also presuming that for that I should use a complex password with a key file? Any other thoughts? I am not arguing against the additional security - I just want to know the latest thinking on the best way to implement it.

Link to comment
