"We were already planning to roll out optional two-factor authentication to all of our users later this year," said Evernote spokeswoman Ronda Scott via email. "We are accelerating those plans now."
Evernote warned all users Sunday via email that the company had suffered a security breach, after the company's operations and security team "discovered and blocked suspicious activity on the Evernote network that appears to have been a coordinated attempt to access secure areas of the Evernote Service."
Attackers appeared to have accessed a list of Evernote users' usernames, email addresses and passwords, which the company described as being "protected by one-way encryption," saying they were both salted and hashed. In what the company described as "an abundance of caution," Evernote officials opted to reset all users' passwords to prevent attackers from using the passwords -- many of which they would likely have decrypted, given enough time -- to access users' accounts.
[ Want to know about better alternatives to passwords? See Kill Passwords: Hassle-Free Substitute Wanted. ]
How quickly might attackers have decrypted the passwords? According to news reports, Evernote used the MD5 cryptographic algorithm to hash passwords before storage. But most security experts consider MD5 to be a poor choice for securing passwords, because it's relatively easy to crack, meaning that Evernote's password security wouldn't likely have stopped attackers for long.
What will two-factor authentication bring to the Evernote security equation? "It probably wouldn't have helped at all in terms of them getting hacked, but should they have another security breach in the future where passwords are exposed and encrypted for instance, it would stop attackers from getting access to those accounts," said Graham Cluley, senior technology consultant at Sophos, speaking by phone.
The Evernote breach has once again focused attention on the poor security offered by passwords, especially for services that store sensitive personal or corporate information.
By adopting two-factor authentication, Evernote would join a growing list of online service providers that have done the same thing, including Amazon Web Services, Dropbox, Facebook, Google and Gmail, LastPass, Microsoft SkyDrive and Xbox Live, PayPal, Yahoo Mail, and a number of financial services websites.
Those sites typically deliver two-factor authentication in one of three ways: as a hardware fob that generates a one-time code, as a smartphone app that creates a one-time code, or by sending a one-time code as a text to a user's mobile phone. Some businesses offer more than one option. Game-maker Blizzard, for example, sells a $6.50 hardware token, while also offering a free smartphone app. Notably, it already requires users -- when real money is involved in games -- to use one or the other.
One notable holdout from the list of online service providers that offer two-factor authentication is Twitter, which suffered a breach at the end of January which compromised up to 250,000 accounts. At the time, Bob Lord, Twitter's director of information security, said that "our investigation has thus far indicated that the attackers may have had access to limited user information -- usernames, email addresses, session tokens and encrypted/salted versions of passwords -- for approximately 250,000 users."
In the wake of that breach, while Twitter made no official announcement, it posted a job listing for an engineer with two-factor authentication development experience.
As Twitter's job listing suggests, Evernote's move to implement two-factor authentication won't be a case of the company simply flipping a switch to suddenly activate it for all users; it will require integration work as well as investment to ensure that it's both secure and easy to use. "It's obviously a little more effort, but a company like Evernote right now needs to secure its users' trust," said Cluley.
