This is the 2nd post in a 2-part series on Evernote 2 factor authentication. The first post (here) explains what 2 factor authentication is and why it is good. And then this post points you to a Rick Broida eight step set-up procedure for Evernote’s 2 factor authentication at PC World, and then … adds a few instructions where I *suspect* people might experience confusion.
Step 1:
Hardest part of any step by step is the first step. Rick’s first step is to sign into your Evernote account. If you do not yet have an Evernote account, you will need to go to Evernote and sign up, before you can turn on 2 factor authentication. Click here to do so.
Also, you will need some way to read a QR code on your phone. So if you have an Android phone go here and pick a free QR Code reader and install it on your phone. If you have an iPhone click here.
Step 6:
Rick’s step-by-step flows smoothly until he gets to step 6 where account verification rear’s its head.
Account verification is simply using the 2nd factor in 2 factor authentication. Evernote has set up two ways to verify your identity when you open Evernote in a fresh computing environment (new computer, new phone, web-surfing-in-from internet cafe, etc.). Either authentication method you choose, you will begin the authentication process by opening Evernote and seeing this:
Way1: text messaging.
If you choose text messaging to obtain your 2nd factor, when you attempt to log into Evernote, you’ll see the above screen, and then wait with your phone in hand, to receive the 6 digit code.
Way2: using Google’s app for authentication (for Android, iOS, and Blackberry).
If you choose to obtain your 2nd factor via a Google app (which I showed in the previous post) you will need to pick up your phone, start the Authenticator App, and then copy the 6 digit number for Evernote from the phone into the dialog box on the screen above. Here is what I see (because I use 2 factor authentication on Gmail as well as on Evernote):
Both ways produce the same 6 digit code, no big deal. Only difference is how you receive the code.
Discussion:
Day to day, using Google authenticator on your phone is the best way to go because:
Google’s app is *instant* while text messages takes extra time
Text messages have a likelihood of disappearing in direct proportion to the urgency with which you need to access your information.
So, the more urgent it is for you to get into Evernote, the more likely your text authentication code will be lost.
Authenticator apps are clean, you open them and look at your code. Text apps are spaghetti monsters.
BUT…
Evernote has positioned text messaging as a premium service. Wait, what? Perhaps texting is the premium service because if you use text messages you will not have to install Google Authenticator on your phone? I don’t know. My advice is to set up Google Authenticator on your phone. How?
Setting Up Google Authenticator for Evernote:
Step 1: ON YOUR COMPUTER Go to Google’s Authenticator install page and read the step-by-step for installing Google Authenticator on your phone (Android, iOS, Blackberry).
Step 2: ON YOUR COMPUTER Log into Evernote via web browser, go to account settings, security summary …
Step 3: Click on Google Authenticator and you will see this dialog box:
then click on the appropriate operating system for your phone. Here is what I see when I click on Android:
Now, take a picture of the QR code (*Note* This QR Code will not work for you, each QR code is specific to one Evernote account). And your Evernote 2nd factor authentication key will be added to your Google Authenticator account.
THERE!…
OK, I *think* I’ve got all the confusions to setting up 2 factor authentication in Evernote, covered. If not, email me ([email protected]) and let me know what I missed!
The efficiency/security tradeoff has changed! Well for me at least. Until now I’ve deliberately risked using Evernote as my reference filing system, knowing that if someone guessed my password I would be hosed. The “Evernote deal” seemed to be capturing the value of increased efficiency now, at the price of possibly getting hacked later.
This “Everyone has been hacked. Now what?” attitude is calculated. Our IT infrastructure is what it is. I may be hacked and not know it. As long as I can use Evernote to keep track of my stuff, do I really care? If I start obsessing about my net-connected infrastructure too much, the profit of using computers will quickly become a loss. I mean it is pretty clear why all my computers have been so slow all these years: the NSA! Hacking! Botnetting!
Locks were invented to keep honest people honest. Determined criminals find ways in.
So I’m excited to start trying out Evernote’s two-factor authentication: A padlock for Evernote.
What is it?
Two factor authentication is one step up in security, from using username+password protection. In two factor authentication your password is used same as normal (the username+password is factor 1 of 2) and then a second special password is used in addition (the special password is factor 2 of 2).
The idea is that while a criminal can easily guess your username from defaults (Unix “admin” or Windows “Administrator” or your email address), and then either steal or “break” your password. A criminal will need to go to a whole new level of effort in order to get your phone. What makes stealing the phone essential is that the special password changes every few seconds on the phone. But I am digressing into the next question about 2 factor authentication: How does it work?
How does it work?
The special password generated on your smart phone is dynamic. It changes every 60 seconds. To find your dynamic password, you use the Google Authenticator app on a smart phone. Here is what Google authenticator looks like on my smart phone:
So when you need to authenticate into Evernote, you start Google Authenticator, and then you see your password of the current moment. Here is what I see on my Google Authenticator:
The red arrows point to countdown timers showing you how much longer the 6 digit passwords will work to authenticate you into Evernote/Google.
So, because the passwords are constantly changing, a casual criminal will have to obtain your phone, and then break into it (you do have your cell phone password protected don’t you :-) to log into your account.
QUESTION: Do I have to authenticate every time that I start Evernote on my computer?
ANSWER: No
We now come to the how does it work … hands and knees perspective. In a wonderful BYTE magazine article in 1989 Peter C. Olsen articulated a theory of how to hire programmers: send them to Africa and tell them to hunt elephants, and then watch the algorithm they use.
*Note* that assembly language programmers execute the basic algorithm … on their hands and knees. So in the rest of this article I’m going to emulate an assembly language programmer in trying to go slow, be very careful, to take each step one at a time.
What were we taking about? Oh yes, authentication. You will have to authenticate to Evernote when:
Case 1: Logging into Evernote from the web. Here is the log-in screen you’ll see using evernote web: Note that you can check the box and not have to re-authenticate for a month on the computers you use to access Evernote web. But, if you log into Evernote from friends computers, you will have to have your phone available from now on.
Case 2: Setting up Evernote on a computer for the first time (duh). Here is what the dialogs look like on a Mac:First, the normal dialog asking for factor 1 (Username+Password) Next, a pop up dialog asking for the factor 2 (from Google Authenticator on my phone): Note that the new dialog asking for the number gives you a hit with a phone icon with Google Authenticator’s thumbnail graphic. You type your 6 digit number in here and then you enter Evernote as usual.
Case 3: After you log out of your Evernote account on your computer. *Note* I had never logged out of my Evernote account before playing with Evernote two factor authentication. So this will likely be no big deal. After enabling two-factor authentication I tried to trick Evernote into annoying me by asking for authentication. I quit Evernote, restarted, re-booted, etc. and Evernote did not ask me to authenticate. *Note* two factor authentication is smart but not paranoid.
Case 4: After you log out of Evernote on your spouse’s computer. *Note* anything that can go wrong will. If you turn on two factor authentication and share your evernote account with someone, you will have to authenticate for them on their computer, or they will be locked out of Evernote at the most inconvenient time. Plan on it.
This is all the cases I can see where Evernote users will have to authenticate. Note, if I have missed a case, email [email protected] and let me know, I’ll add your case to this list.
What is the strategy?
2013 was the year of security on the internet. We are all red queens now, our security skills and infrastructure are going to have to run, in order to keep us in a place where computers remain profitable to use. The strategy of introducing two factor authentication is a step in the direction towards keeping computing profitable for its users.
Will computing ever be secure? Probably not. There are too many evil geniuses. In a way the deal of using computers will always be a bet on the value of using technology today, against the eventuality of being hacked. Should this deter us from using two factor authentication? No. We are stupid not to use very slick, very simple tools that at the least, will shift bad hackers to softer targets.
What are the objections?
Objection: “I will have to authenticate every time I use Evernote!”
The reality is no. You will have to authenticate to Evernote every time you change the computing environment where you are using Evernote.
When you get a new computer.
When you log in to Evernote from a coffee shop or a friend’s computer.
Or when you give another person access to your Evernote data store.
Or when it has been 30 days since you last authenticated via the web.
*Note* I personally think that Evernote’s marketing communications on this two factor authentication objection, are confusing. If I were Evernote I would have said:
“Evernote’s 2 factor authentication works just like Google’s 2 factor authentication.”
The average user will authenticate about once a month during the first year they use 2 factor authentication.
Signalling that people can re-use what they learned getting Google authentication working, and that we are all marching into a common, reasonable, computer security future.
Objection: “Evernote two factor authentication is too hard for a normal person to set up!”
Probably false. Two factor authentication is a new use model for end users to learn. But, it is not if we end users will need to learn to set up two factor authentication. It is a when.
My next blog post will be a step-by-step on setting up Evernote two factor authentication on Macintoshes with Android phones (A totally recessive combination I admit!). Take a peek at that next week and see what you think. I’m a marketer, I set up 2 factor authentication. As any enginerd will tell you “If a marketeer can set it up, any user can!”
Objection: Anyone who steals my phone will have access to my Evernote account.
True … if you do not have your phone password set. :-) But, this is true even without two-factor authentication today! If your phone is wide open, and you have logged into evernote before you lose the phone, whoever has your phone has access to everything in Evernote.
Personally, I find Evernote on my Android to be about .6 of the way to a 1.0 that is compelling to use. My short term security plan with Evernote is to take Evernote off my phone.
Then, if someone steals my phone, they will have access to my special password (authentication factor 2), but will still have to guess/break my Username+Password. My theory is that when I notice my phone is gone (God’s way of telling you to get a new Android phone! :-) I’ll log into Evernote on my computer, change the password, and then log into my remote wipe on Android and zap the phone. Safe! Or at least, safe enough.