
Evernote Introduces 2 Factor Support (and more)


I’m a big fan of 2 factor security for critical information stored online (in the “cloud”). After the attempted hacking on Evernote back in March, I made the following resolutions regarding the security of my online data:

Clearly this issue has made me re-consider aspects of my own approach to information security, and has reinforced others. I recommend that everyone do the same, and take at least the following actions:

  1. Use only reputable services that provide 2-factor authentication for cloud storage of personal, sensitive or confidential data;

  2. Have a personal password management policy that includes never re-using passwords, and never using dictionary passwords. Use of an app like 1Password, LastPass or similar may help.

At the time I wrote that post, Google and Dropbox were the main services to have implemented 2 factor security, and it’s been pleasing to see that other services have commenced implementation of 2 factor security, including App.net, Apple [1], Facebook, Fastmail (my email host of choice) and Twitter [2], and most recently, Evernote.

I was initially disappointed with what I first read about Evernote’s 2 factor security implementation because the first blog post I read indicated the implementation was SMS based. However, on reading Evernote’s blog post I saw they indicated a choice of SMS or authentication with Google Authenticator.

Evernote implements 2 factor security, and more

I’ve set Evernote 2 factor up using Google Authenticator [3], and am delighted that my major online services have at least begun implementation of 2 factor support. Fastmail, Evernote and Dropbox are the most important for me, and they each have good 2 factor support. The main piece still missing (for me) is iCloud, although the data stored there is less security critical.

Evernote’s implementation works well, but is only for Evernote Premium users at this time. A couple of important things should be borne in mind when implementing it (or for that matter, any 2 factor security system).

  1. Ensure that you have updated the corresponding app (or apps) on every device before implementation; and,
  2. Save the backup codes provided in a secure repository (print them out or save them in a secure location like 1Password).

Evernote’s latest security update also includes a couple of additional features (available to all users) – Authorised Applications (with the ability to revoke access remotely) and Access History.

Hop to it. With this implementation, Evernote (the best online repository of stuff) is now even better.


  1. So far, Apple’s implementation seems to be a bit of a lame duck, because it doesn’t seem to do very much. I’ve not actually seen it request a code since the initial setup, and it doesn’t seem to be connected (at this time) to iCloud or the iTunes/App Stores.

  2. Twitter’s implementation has been quite critically received, primarily because authentication is by SMS and doesn’t allow multiuser capability (like Facebook).

  3. I have moved away from many of Google’s apps and services. At the time I originally wrote this post, I was using Google Authenticator, but now use Authy instead. It’s a nice little app for the job (update 29/8/13).

Apple’s Two-Step Verification has a good security backup


I was quite excited when I awoke this morning to find news that Apple has released 2 Factor authentication for Apple ID. Apple seems to have done a good thing and built this into a “trusted device” upon which you use a feature in the Find My iPhone app, or receive an SMS each time you try to log-in. Sounds like a great approach, and it doesn’t surprise me that Apple chose not to use the Google Authenticator.

Apple 2 Factor

Following the attempted hack on Evernote, I made a determination that any online service I use for personal/private/confidential “stuff” should support 2 factor authentication. Heck, if Facebook could do it, what was stopping Evernote and Apple? Very quickly App.net rolled out 2 factor support, and today was Apple’s turn. This was all part of my (perhaps peremptory) decision to return to Google, something that, following this and the GReader debacle, I am quickly reconsidering.

I went to the Apple ID site to set up two-step verification, and immediately was asked to answer security questions. It’s been a while, and for some reason I didn’t record these in 1Password. Having had more than 1 best pal at school, I went for the backup plan, and had a password reset sent out to my alternate email address.

Of course, I set up new security questions, and then went in and changed my alternate email address to one that is not linked or forwarding to any other email address I have. I took the opportunity to really batten down the hatches.

Next I went back to complete the setup of the two-step verification process, and almost immediately received a block telling me to wait three days. They also mass emailed every linked email address I had.

I guess that I had just changed a lot of security settings, and this raised an alarm at Apple that perhaps I might be hacking, and potentially locking someone else out from their account, a la the Mat Honan saga. So I think that Apple has paid a good bit of attention to the process to ensure that unintended consequences are minimised. Three days gives plenty of time for a real owner to get an email and intervene if necessary.

So at this stage I can’t provide a full review, but one thing that I noted from Katie Floyd’s post is that the two-step verification doesn’t (yet) support iCloud services, such as Documents, Calendar, email, etc. I assume (hope) these will come shortly, but will require a lot of apps to be updated. Today’s initial release was a good test for Apple, as the only app that needed to be updated was Find My iPhone.

Don’t forget to check out my list of web services that support 2 factor authentication.

2 Factor Security


Following the attempted security hack on Evernote, I determined that I would:

Use only reputable services that provide 2-factor authentication for cloud storage of personal, sensitive or confidential data

With more and more services like App.net and Apple joining Google, Dropbox and Facebook in enabling 2 factor support, I thought it would be cool to have a list of the online services that support 2 factor authentication security.

Let me know if you find updates or note any missing services.

Evernote’s password hack, and the security of your stuff in the cloud


Like all Evernote users, today I received an email (and blog post) advising that there has been an attempted security attack on their system, and that they have force-changed all user passwords:

Evernote’s Operations & Security team has discovered and blocked suspicious activity on the Evernote network that appears to have been a coordinated attempt to access secure areas of the Evernote Service.

As a precaution to protect your data, we have decided to implement a password reset.

I am a heavy Evernote user, and put a lot of stuff up there – from basic research to business records. I love that I can find my key information so easily. They have solid apps for OSX and iOS (although they have been increasingly buggy lately), and a good browser based system to get at my information from anywhere. I love having my stuff in the cloud so I can get at it wherever I am.

For the past couple of weeks I was teaching a PADI Instructor Development Course in Fiji and on several occasions I was able to quickly get to records that I needed but didn’t have with me through my iPad or MacBook Air. Too easy.

Lately I’ve been wondering about the wisdom of having all my eggs in one basket. I trust the Evernote team, and as a Premium User I have a paid account. But I have some concerns:

  1. If Evernote ever goes away (unlikely, but still a risk), what will happen to my data?
  2. Evernote has to be ever-vigilant for hacking attempts, and they have to win 100% – hackers only have to win once in a blue moon.
  3. As Evernote’s servers are not in Australia, my data may be legally accessed by a foreign government without warrant!

So it was good to see the following paragraph:

In our security investigation, we have found no evidence that any of the content you store in Evernote was accessed, changed or lost. We also have no evidence that any payment information for Evernote Premium or Evernote Business customers was accessed.

The next paragraph, while honest and direct, certainly gave me pause to continue to consider the future of my information storage:

The investigation has shown, however, that the individual(s) responsible were able to gain access to Evernote user information, which includes usernames, email addresses associated with Evernote accounts, and encrypted passwords. Even though this information was accessed, the passwords stored by Evernote are protected by one-way encryption. (In technical terms, they are hashed and salted.)
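“Hashed and salted” in the quoted paragraph means the service stores a one-way digest computed over the password plus a random per-user salt, so a leaked table does not contain passwords and identical passwords do not produce identical records. The block below is an added illustration of that scheme using PBKDF2-HMAC-SHA256 (not Evernote's code, whose actual algorithm the post does not state), together with the set-time check behind the post's advice to avoid dictionary passwords; the weak-password list is a tiny constructed stand-in for a real breached-password list.

```python
import hashlib
import hmac
import os

# Constructed toy list of weak passwords; a real deployment would check against a large
# breached-password corpus, not five words.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "evernote"}

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor; tune to the server's CPU budget
SCHEME = "pbkdf2_sha256"


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return a self-describing record "scheme$iterations$salt_hex$digest_hex".
    A fresh 16-byte random salt per user means two users with the same password get
    different records, so one precomputed lookup table cannot be reused across the table."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{SCHEME}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and iteration count, then compare in
    constant time so response timing does not leak how many bytes matched."""
    scheme, iters, salt_hex, digest_hex = record.split("$")
    if scheme != SCHEME:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


def is_acceptable_password(password: str, min_length: int = 12) -> bool:
    """Policy check applied before hashing. Salting and a slow hash only raise the cost
    of guessing; they do not make a dictionary word a good password, which is why the
    post's first recommendation still matters once a hashed table has leaked."""
    return len(password) >= min_length and password.lower() not in COMMON_PASSWORDS
```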

Just yesterday (before the email went out), I downloaded a copy of DEVONthink, an OSX app that does many of the same things – allowing you to store snippets and documents, easily find them, OCR them, etc. Using Dropbox you can sync data between multiple Macs, and there is an iOS app. The latter feels a bit clunky, and it looks like you need to sync via Wi-Fi. I hope Dropbox sync is coming soon to that, because my iPad is rapidly becoming my main on-the-go device.

There has been a lot of debate about Evernote vs. DEVONthink, and there are very passionate people on both sides, with some very persuasive reasons for their approach. Evernote’s cloud based storage is both its greatest feature and its biggest drawback, depending on your perspective. I had planned to use DEVONthink side-by-side with Evernote for a couple of weeks to get a feel for which (if either) is the better approach for me. I still will, but I think I’ll move more sensitive info straight away.

Back to the security issues. I have been waiting for a while for Evernote to introduce 2-factor authentication. Google has had this for some time, and Dropbox also introduced 2-factor security in 2012, following similar hacking attempts.

Evernote needs to implement 2-factor security as a matter of urgency.

While I am at it, Apple also needs to implement 2-factor security for their iCloud services as a matter of urgency, particularly if they want Documents in the Cloud to be taken seriously.

Going forward, my personal rule is that 2-factor authentication is a threshold feature for any cloud based service that I use to store anything I would consider proprietary or sensitive, let alone confidential. I recommend you consider the same approach.

Evernote’s team made some additional excellent suggestions for security:

  • Avoid using simple passwords based on dictionary words

  • Never use the same password on multiple sites or services

  • Never click on ‘reset password’ requests in emails – instead go directly to the service

The first two should be an absolute given, but clearly that is not the case. The third one has tricked most people at least once, making the first two even more important.

Most people I know have a password management strategy that consists of three passwords:

  • a simple “throwaway” password they reuse on most websites
  • a more secure one for some selected sites
  • a most secure one for banking, finance, health, etc

In all three cases, most people re-use the same passwords, perhaps with minor variations.

The hackers know this and have set up ways of “sniffing” passwords. One way is to set up a rogue site, and when users try to sign on, they take the username and password and throw that at other sites, knowing that they will often get a hit. Even if they only get 1% success, they have a starting point. The case of Mat Honan of Wired magazine teaches us that once a hacker gets “in” at a low level, they can use that information to gradually get full access to your life.

So you need to ensure you don’t re-use passwords, and that those passwords must not be simple. When it comes to hacking and security, most hackers are way better at hacking than users are at securing.

This is where my next rule of web security kicks in – I use 1Password to generate a separate password for each and every site I visit. Of course there are a lot of sites I visited before using 1Password, so once those sites are in 1Password, I can from time to time go through and manually change those passwords, starting with the passwords that are least secure.

Whilst on 1Password, I’d recommend that if users want cloud access, they store the 1Password file in a Dropbox account, not iCloud, because Dropbox has implemented 2-factor security.

I also have a category of sites that require the highest security, so I have those sorted together into a group in the 1Password app, and I change those passwords twice a year when the clocks change with Daylight Savings (an idea I got from MacSparky).

Clearly this issue has made me re-consider aspects of my own approach to information security, and has reinforced others. I recommend that everyone do the same, and take at least the following actions:

  1. Use only reputable services that provide 2-factor authentication for cloud storage of personal, sensitive or confidential data;
  2. Have a personal password management policy that includes never re-using passwords, and never using dictionary passwords. Use of an app like 1Password, LastPass or similar may help.

The “be alert, not alarmed” approach is the right one. We users need to recognise that information security is a moving target, and that balancing convenience, ubiquity and security is a constantly changing challenge. We need to reevaluate our balance regularly!
