I’m a big fan of 2 factor security for critical information stored online (in the “cloud”). After the attempted hacking on Evernote back in March, I made the following resolutions regarding the security of my online data:
Clearly this issue has made me re-consider aspects of my own approach to information security, and has reinforced others. I recommend that everyone do the same, and take at least the following actions:
Use only reputable services that provide 2-factor authentication for cloud storage of personal, sensitive or confidential data;
Have a personal password management policy that includes never re-using passwords, and never using dictionary passwords. Use of an app like 1Password, LastPass or similar may help.
At the time I wrote that post, Google and Dropbox were the main services to have implemented 2 factor security, and it’s been pleasing to see that other services have commenced implementation of 2 factor security, including App.net, Apple , Facebook, Fastmail (my email host of choice) and Twitter , and most recently, Evernote.
I was initially disappointed with what I first read about Evernote’s 2 factor security implementation because the first blog post I read indicated the implementation was SMS based. However, on reading Evernote’s blog post I saw they indicated a choice of SMS or authentication with Google Authenticator.
I’ve set Evernote 2 factor up using Google Authenticator , and am delighted that my major online services have at least begun implementation of 2 factor support. Fastmail, Evernote and Dropbox are the most important for me, and they each have good 2 factor support. The main piece still missing (for me) is iCloud, although the data stored there is less security critical.
Evernote’s implementation works well, but is only for Evernote Premium users at this time. A couple of important things should be borne in mind when implementing it (or for that matter, any 2 factor security system).
- Ensure that you have updated the corresponding app (or apps) on every device before implementation; and,
- Save the backup codes provided in a secure repository (print the out or save them in a secure location like 1Password).
Evernote’s latest security updates also includes a couple of additional things (available for all users) – Authorised Applications (and the ability to revoke access remotely) and Access History.
Hop to it. With this implementation, Evernote (the best online repository of stuff) is now even better.
So far, Apple’s implementation seems to be a bit of a lame duck, because it doesn’t seem to do very much. I’ve not actually seen it request a code since the initial setup, and it doesn’t seem to be connected (at this time) to iCloud or the iTunes/App Stores. ↩
Twitter’s implementation has been quite critically received, primarily because authentication is by SMS and doesn’t allow multiuser capability (like Facebook). ↩
I have moved away from many of Google’s app and services. At the time I originally wrote this post, I was using Google Authenticator, but now use Authy instead. It’s a nice little app for the job (update 29/8/13). ↩