Evernote To Introduce Two-Factor Authentication

Following a security breach on the weekend, the developer of popular note-taking and organisation software Evernote has announced plans to speed up the introduction of two-factor authentication (2FA) for its services.

Earlier, the company chose to reset passwords for 50 million accounts, after an attacker was able to gain access to account information stored on the platform, such as user names, emails and encrypted passwords. This situation could have been prevented if 2FA was available.

Learning from mistakes

On Saturday, Evernote initiated a “service-wide password reset”, after the security team discovered a “coordinated attempt to access secure areas of the Evernote Service”.

An investigation launched by the company soon discovered that an unidentified party was able to gain access to account information. Evernote found no evidence of hackers accessing private user content or payment details. All of the passwords were subsequently reset, and users informed of the breach in an email.

According to spokeswoman Ronda Scott, Evernote was always planning to introduce optional security measures to its services. However, following the attack, the company will be “accelerating those plans”.

Two-factor authentication is an authentication method which requires the presentation of at least two out of three factors: a knowledge factor (such as a password or PIN), a possession factor (such as a keycard or a smartphone) or an inherent factor (like a fingerprint or eye iris pattern).

It is unlikely the attackers would be able to use the stolen data, since Evernote, abiding by good security practices, ‘hashed’ and ‘salted’ its passwords. “If this was performed correctly, then users should not be concerned about their passwords being compromised. Evernote took the right steps to reset everyone’s password too,” commented Mark Bower, VP for Product Management at Voltage Security.

“Very likely there was a Java or zero day exploit leading to system penetration. Maybe an insider opened a malicious email from spear phishing. We may never know, but once again it shows that what was once considered the impenetrable barrier, the enterprise perimeter, is now just a semi permeable membrane only as good as the weakest link,” he added.

Earlier this month, Twitter posted a job listing, looking for a software engineer in product security, with experience in areas such as “multifactor authentication and fraudulent login detection”. This prompted rumours that the microblogging platform could be looking to join the ranks of Dropbox, Facebook, Google, PayPal and other companies which have already implemented 2FA.

How well do you know Internet security? Try our quiz and find out!