Source: Bill Meade taken in Boise ID
The efficiency/security tradeoff has changed! Well for me at least. Until now I’ve deliberately risked using Evernote as my reference filing system, knowing that if someone guessed my password I would be hosed. The “Evernote deal” seemed to be capturing the value of increased efficiency now, at the price of possibly getting hacked later.
This “Everyone has been hacked. Now what?” attitude is calculated. Our IT infrastructure is what it is. I may be hacked and not know it. As long as I can use Evernote to keep track of my stuff, do I really care? If I start obsessing about my net-connected infrastructure too much, the profit of using computers will quickly become a loss. I mean it is pretty clear why all my computers have been so slow all these years: the NSA! Hacking! Botnetting!
Locks were invented to keep honest people honest. Determined criminals find ways in.
So I’m excited to start trying out Evernote’s two-factor authentication: A padlock for Evernote.
What is it?
Two factor authentication is one step up in security, from using username+password protection. In two factor authentication your password is used same as normal (the username+password is factor 1 of 2) and then a second special password is used in addition (the special password is factor 2 of 2).
The idea is that while a criminal can easily guess your username from defaults (Unix “admin” or Windows “Administrator” or your email address), and then either steal or “break” your password. A criminal will need to go to a whole new level of effort in order to get your phone. What makes stealing the phone essential is that the special password changes every few seconds on the phone. But I am digressing into the next question about 2 factor authentication: How does it work?
How does it work?
The special password generated on your smart phone is dynamic. It changes every 60 seconds. To find your dynamic password, you use the Google Authenticator app on a smart phone. Here is what Google authenticator looks like on my smart phone:
So when you need to authenticate into Evernote, you start Google Authenticator, and then you see your password of the current moment. Here is what I see on my Google Authenticator:
The red arrows point to countdown timers showing you how much longer the 6 digit passwords will work to authenticate you into Evernote/Google.
So, because the passwords are constantly changing, a casual criminal will have to obtain your phone, and then break into it (you do have your cell phone password protected don’t you :-) to log into your account.
QUESTION: Do I have to authenticate every time that I start Evernote on my computer?
We now come to the how does it work … hands and knees perspective. In a wonderful BYTE magazine article in 1989 Peter C. Olsen articulated a theory of how to hire programmers: send them to Africa and tell them to hunt elephants, and then watch the algorithm they use.
*Note* that assembly language programmers execute the basic algorithm … on their hands and knees. So in the rest of this article I’m going to emulate an assembly language programmer in trying to go slow, be very careful, to take each step one at a time.
What were we taking about? Oh yes, authentication. You will have to authenticate to Evernote when:
- Case 1: Logging into Evernote from the web. Here is the log-in screen you’ll see using evernote web:
Note that you can check the box and not have to re-authenticate for a month on the computers you use to access Evernote web. But, if you log into Evernote from friends computers, you will have to have your phone available from now on.
- Case 2: Setting up Evernote on a computer for the first time (duh). Here is what the dialogs look like on a Mac:First, the normal dialog asking for factor 1 (Username+Password)
Next, a pop up dialog asking for the factor 2 (from Google Authenticator on my phone):
Note that the new dialog asking for the number gives you a hit with a phone icon with Google Authenticator’s thumbnail graphic. You type your 6 digit number in here and then you enter Evernote as usual.
- Case 3: After you log out of your Evernote account on your computer. *Note* I had never logged out of my Evernote account before playing with Evernote two factor authentication. So this will likely be no big deal. After enabling two-factor authentication I tried to trick Evernote into annoying me by asking for authentication. I quit Evernote, restarted, re-booted, etc. and Evernote did not ask me to authenticate. *Note* two factor authentication is smart but not paranoid.
- Case 4: After you log out of Evernote on your spouse’s computer. *Note* anything that can go wrong will. If you turn on two factor authentication and share your evernote account with someone, you will have to authenticate for them on their computer, or they will be locked out of Evernote at the most inconvenient time. Plan on it.
This is all the cases I can see where Evernote users will have to authenticate. Note, if I have missed a case, email email@example.com and let me know, I’ll add your case to this list.
What is the strategy?
2013 was the year of security on the internet. We are all red queens now, our security skills and infrastructure are going to have to run, in order to keep us in a place where computers remain profitable to use. The strategy of introducing two factor authentication is a step in the direction towards keeping computing profitable for its users.
Will computing ever be secure? Probably not. There are too many evil geniuses. In a way the deal of using computers will always be a bet on the value of using technology today, against the eventuality of being hacked. Should this deter us from using two factor authentication? No. We are stupid not to use very slick, very simple tools that at the least, will shift bad hackers to softer targets.
What are the objections?
Objection: “I will have to authenticate every time I use Evernote!”
The reality is no. You will have to authenticate to Evernote every time you change the computing environment where you are using Evernote.
- When you get a new computer.
- When you log in to Evernote from a coffee shop or a friend’s computer.
- Or when you give another person access to your Evernote data store.
- Or when it has been 30 days since you last authenticated via the web.
*Note* I personally think that Evernote’s marketing communications on this two factor authentication objection, are confusing. If I were Evernote I would have said:
- “Evernote’s 2 factor authentication works just like Google’s 2 factor authentication.”
- The average user will authenticate about once a month during the first year they use 2 factor authentication.
Signalling that people can re-use what they learned getting Google authentication working, and that we are all marching into a common, reasonable, computer security future.
Objection: “Evernote two factor authentication is too hard for a normal person to set up!”
Probably false. Two factor authentication is a new use model for end users to learn. But, it is not if we end users will need to learn to set up two factor authentication. It is a when.
My next blog post will be a step-by-step on setting up Evernote two factor authentication on Macintoshes with Android phones (A totally recessive combination I admit!). Take a peek at that next week and see what you think. I’m a marketer, I set up 2 factor authentication. As any enginerd will tell you “If a marketeer can set it up, any user can!”
Objection: Anyone who steals my phone will have access to my Evernote account.
True … if you do not have your phone password set. :-) But, this is true even without two-factor authentication today! If your phone is wide open, and you have logged into evernote before you lose the phone, whoever has your phone has access to everything in Evernote.
Personally, I find Evernote on my Android to be about .6 of the way to a 1.0 that is compelling to use. My short term security plan with Evernote is to take Evernote off my phone.
Then, if someone steals my phone, they will have access to my special password (authentication factor 2), but will still have to guess/break my Username+Password. My theory is that when I notice my phone is gone (God’s way of telling you to get a new Android phone! :-) I’ll log into Evernote on my computer, change the password, and then log into my remote wipe on Android and zap the phone. Safe! Or at least, safe enough.
See you then!