Evernote Turns On Three New Security Features, Including 2-Factor Authentication, After Major Breach In February

After Evernote, the personal note-taking app with 60 million+ users, got slammed with a security breach in February 2013, today the company is turning on three new features to give users better control over their accounts: two-step verification, access history and authorized applications listings. Two-step authentication will eventually get rolled out to all users, but a spokesperson tells TC that at first it will only be rolled out to Premium (paying) users, to make sure that the experience is right.

“Evernote Premium users are the most engaged so it made sense to start there,” she says. “With feedback from our Premium users, we’ll be best prepared to address questions and concerns as we continue the roll out to our larger user base.”

Unlike the gradual rollout of two-factor authentication, access history and authorized app lists are getting turned on for everyone from today.

The move to add more security and access controls comes after a breach that was bad enough to force Evernote to require password changes from its 50 million users (now numbering over 60 million), but not, according to CEO Phil Libin, serious enough that users’ data and payment details were accessed.

Evernote’s two-step verification — the most important of these three new services getting introduced today — had been in the works already, but plans to roll it out got accelerated after the February incident: today is the fruition of that attempt.

Like other two-step user authentication systems rolled out by Twitter just last week, Evernote’s service will be SMS-based, and it will be optional for all users. That is to say, if you are an Evernote user and don’t want to take the extra step to prove who you are every time you need to log in, you do not need to.

This is what the screen will look like in your settings to turn on the new features:

[Image: Evernote desktop screen interface]

Once you have turned two-factor verification on, whenever you are signed out of your account or need to re-enter your password for other purposes, you will get a six-digit code sent to you by SMS — an example of how it looks on the iPhone is illustrated above. That code in turn is required in a new sign-in screen:


The need to re-enter a password shouldn’t come up regularly for users: it’s something that is typically required when you sign into Evernote on the desktop or install it on a new device. The code itself is generated by the Google Authenticator app, or users can get it by SMS, Evernote says in a blog post.

Drawbacks: for those of you who tend to forget passwords and reminders, two-step authentication may not be your security solution. Evernote says that it will provide users who turn on the feature a one-time set of backup codes “for when you’re traveling,” but it also notes that “if you lose access to your secondary access method, you run the risk of permanently locking yourself out of your account.”

And in reality, for some users, two-step may end up being many steps. Evernote also notes that some apps on its platform will simply stop working until you create specific application passwords for each of those apps. These can also be set in Evernote’s security settings page, along with two-factor authentication.

Two other security features. While the main focus today for the security of a lot of cloud-based services like Evernote’s is on two-factor authentication, the other two features getting turned on are also significant steps in how the company is helping users better control their data on the Evernote platform — an important confidence booster for users as Evernote continues to grow and seek out an ever-more essential position in how people use the service to organize and run their lives.

The authorized apps list — which lets users see all the apps linked to their Evernote account, and revoke access if they wish to — in all honesty, is probably something that Evernote should have been offering to users before now, given that this has been a feature for other services like Twitter and Facebook for some time. What it does underscore is how Evernote is starting to become significantly more focused on its own position as a platform for other services, as much as a place for people to store notes and other information using Evernote’s own, homegrown features.

The access history, meanwhile, which lets users check out each time Evernote has been used over the past 30 days (think of it as Evernote’s “bank statement”), is a useful feature for those who suspect that their accounts have been accessed by others. It covers all versions of Evernote, regardless of platform, and tracks by both location and IP address.