Evernote launched two-factor authentication for its premium and business-level customers today, three months after getting hacked. It will roll out the feature to all users once it feels comfortable that there are no pressing bugs.
In March, Evernote was hacked, exposing over 50 million users’ information including usernames, hashed passwords, and email addresses. The company sent out emails to all of its users warning them to change their passwords and the passwords of any external accounts that used the same one.
So, it launched two-factor authentication, which means you’ll log in to your account with both your password and a six-digit code. The code can be sent either through text message or you can hook up your Evernote account to Google Authenticator, an app which refreshes these codes periodically. Some two-factor authenticators require that you have an extra piece of hardware, such as an RSA dongle, but that is not the case with Evernote.
Evernote is in line with many other concerned companies launching two-factor authentication. Major tech companies Apple, Microsoft, and Twitter have all implemented the security measure within the last few months. But security experts such as PhishMe chief executive Aaron Higbee and OneID chief security officer Jim Fenton are concerned two-factor might be spreading a false sense of security.
On top of that, Evernote has introduced “Approved Applications.” These are the various devices that you’ve approved Evernote to run on. Once Evernote has that approval, the company will “rarely” ask you to log in because it wants your experience to be relatively barrier-free. If you lose your phone, however, and the application is still approved, it’s at risk of being compromised by the thief. A new dashboard, accessed through the Web Account Settings page, allows you to see and revoke any of these devices.
Alongside that, you can also now see every time you access an Evernote app. This information is available through Evernote’s new Access History dashboard. The dashboard will show the type of app, such as “Evernote for Mac”; the date the app was used; and where the person was when they accessed the account, including the device’s IP address. If anything is fishy on this dashboard, you can head back to the approved applications and start revoking permissions.
Both Approved Applications and Access History are available to all users today.