In an email sent on Sunday to its nearly 50 million users, Evernote disclosed an attack on its systems and insisted that every user reset their password. In the aftermath of the attack, the company announced today that it will join Amazon Web Services, Dropbox, Facebook, Google and Gmail, LastPass, Microsoft SkyDrive and Xbox Live, PayPal, Yahoo Mail and numerous financial web sites in offering two-factor authentication.
Evernote did not believe that users' passwords had been recovered (they were hashed, not encrypted, so there is nothing to "decrypt"), but because the company relied on MD5 to hash passwords before storage, it evidently felt that it was only a matter of time before the attackers cracked them. MD5 is a fast general-purpose hash, not a password-hashing function: an attacker holding a copy of the hash table can test billions of guesses per second on commodity hardware, salted or not, so any password that appears in a wordlist falls quickly.
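To make the "matter of time" concrete, here is an added example (not code from the article or from Evernote) that runs the same offline wordlist attack against two storage schemes: unsalted MD5, as described above, and a per-user salted, iterated KDF (PBKDF2-HMAC-SHA256, chosen here for illustration; Evernote's actual replacement scheme is not stated on the page). The user names, passwords, wordlist and iteration count are all constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed sample data, not from the Evernote incident: a small wordlist and
# a set of user passwords from which a "leaked" hash table is built, as an
# attacker holding a copy of the credential database would see it.
WORDLIST = ["letmein", "password", "qwerty", "evernote1", "dragon", "football"]

SAMPLE_PASSWORDS = {
    "alice": "password",
    "bob": "evernote1",
    "carol": "gR7#vq!Lm2$zW",  # not in any wordlist; survives both attacks
}


def md5_table(passwords):
    """How the breached site stored them: one fast, unsalted MD5 per password."""
    return {u: hashlib.md5(p.encode()).hexdigest() for u, p in passwords.items()}


def crack_unsalted_md5(leaked, wordlist):
    """Offline attack: hash the wordlist once, then match every user by lookup.
    Total cost: len(wordlist) MD5 operations, regardless of how many users."""
    lookup = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {u: lookup[h] for u, h in leaked.items() if h in lookup}


ITERATIONS = 100_000  # assumed work factor; tune so one hash costs tens of ms on the server


def pbkdf2_record(password, salt=None):
    """Hardened storage: per-user random salt plus an iterated KDF."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def pbkdf2_table(passwords):
    return {u: pbkdf2_record(p) for u, p in passwords.items()}


def verify_pbkdf2(record, password):
    """Recompute the derived key from the stored salt and compare in constant time."""
    _, iters, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_pbkdf2(leaked, wordlist):
    """The same wordlist attack against the hardened table. The per-user salt
    defeats the shared lookup table, and every guess now costs ITERATIONS
    hash calls. Total cost: len(leaked) * len(wordlist) * ITERATIONS.
    Weak passwords still fall; the KDF only makes each guess expensive."""
    found = {}
    for u, record in leaked.items():
        for w in wordlist:
            if verify_pbkdf2(record, w):
                found[u] = w
                break
    return found


def guess_cost(n_users, n_words):
    """Hash operations needed to try the whole wordlist against every user."""
    return {"md5": n_words, "pbkdf2": n_users * n_words * ITERATIONS}


if __name__ == "__main__":
    leaked = md5_table(SAMPLE_PASSWORDS)
    print("MD5 cracked:   ", crack_unsalted_md5(leaked, WORDLIST))
    print("PBKDF2 cracked:", crack_pbkdf2(pbkdf2_table(SAMPLE_PASSWORDS), WORDLIST))
    print("cost for 3 users x 6 words:", guess_cost(3, 6))
```

Both schemes give up "password" and "evernote1"; the difference is that the MD5 attack costs six hash operations for the whole user base, while the salted KDF costs one full PBKDF2 run per guess per user. Slow hashing buys time for a reset, it does not rescue weak passwords, which is the same reason Evernote pairs the reset with a second factor.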
“We were already planning to roll out optional two-factor authentication to all of our users later this year,” said Evernote spokeswoman Ronda Scott via email. “We are accelerating those plans now.”
Two-factor authentication would not have stopped the attack itself, which exposed the stored credential database rather than defeating individual logins, and a reset would still have been prudent for anyone reusing their Evernote password elsewhere. It would, however, have meant that a cracked password alone was not enough to log in, leaving users with considerably more protection than they have at present.
Typically, two-factor authentication is delivered by one of the following means: a hardware fob that generates a one-time code, a smartphone app that generates a one-time code, or a text message sent to the user containing a one-time code. The first two work without any network connection: the device and the server share a secret and derive each code from that secret and the current time (or a counter), so the server can recompute the expected code and compare. Video game maker Blizzard has even gone so far as to require one of the first two means for authentication in all of its real-money games.
One notable company missing from the list of two-factor adopters is Twitter. Following an attack in January, Bob Lord, Twitter’s director of information security, said “our investigation has thus far indicated that the attackers may have had access to limited user information — usernames, email addresses, session tokens and encrypted/salted versions of passwords — for approximately 250,000 users.” While Twitter is absent from this list, there are signs that it is working toward the same end: though it made no official statement, Twitter did post a job opening after the attack that called for engineers with two-factor authentication experience.
What this means for Evernote and Twitter users is that two-factor authentication is not a matter of flipping a switch; it has to be integrated into each company's login and account-recovery flows and into its client applications. To retain user trust, they had better get cracking now, before getting cracked again.