Evernote beefs up security with two-factor verification

Following in the footsteps of Dropbox, Facebook, Google, Twitter, Apple and LinkedIn, the online note-taking and archiving service announced that it is offering users the option to implement extra layers of security. First of all, when a user turns on two-factor verification and logs into an account, the login will require a six-digit code that is sent to a phone by SMS or obtained from an app like Google Authenticator.

The two-step verification is available for Evernote Premium and Evernote Business users for now, but the company does plan to open it up to free account users eventually.

The company also said that it has built in some usability safeguards. Partner apps and integrations, as well as Evernote Touch for Windows 8, will stop working, but users can create a special application password for each app in order to avoid headaches. And those using Evernote mobile apps, which keep a user logged in, will typically only need to enter the code once, when installing the app. Users can also use a set of back-up codes if traveling or if the mobile device isn’t available.

“Two-step verification is not for everyone, but it does make accounts that use it more secure,” the company said.

Meanwhile, Evernote has launched an Access History feature, which shows users a running list of every time their account was accessed over the past 30 days. “This list includes all the versions of Evernote that you’ve used along with locations and IP addresses,” the company said. “If you ever suspect that your account was accessed without your knowledge, you can check the history.”

As a third security measure, the company is offering the ability to set authorized applications. “We want you to open an Evernote app and then quickly accomplish your task,” it said. “To make that possible, we rarely ask you to sign in. That helps you get your work done, but can be a problem if you lose your phone or computer. Now, you can revoke any version of Evernote from your Evernote Web Account Settings. Once revoked, an app will request a password the next time it’s launched.”

In March, hackers made their way into the Evernote system. Neither user content nor customer payment details were accessed, but the attackers gained access to usernames, email addresses and passwords. The passwords were hashed and salted, but the company erred on the side of caution.

Later in the same month, the cloud-based service was found to be in use for malware control. A trojan known as BKDR_VERNOT.A “retrieves its C&C server and queries its backdoor commands in the notes saved in its Evernote account,” explained Trend Micro researcher Nikko Tamaña. “The backdoor may also use the Evernote account as a drop-off point for its stolen information.”

