6/4/2013
09:29 AM

LinkedIn, Evernote Add Two-Factor Authentication

Will LinkedIn and Evernote improve upon Apple and Twitter two-factor security systems, which have been widely criticized?

Both LinkedIn and Evernote last week announced that effective immediately, they would begin offering two-factor authentication (2FA) for users. If enabled, the optional feature requires users to log in with their username, password and a one-time code either sent in a text message to their registered mobile phone number or generated using an app such as Google Authenticator.

The two businesses' approaches differ slightly. Evernote, for example, said it offers two-factor authentication via a six-digit code sent to the mobile phone number registered to the account. "This code is delivered to your mobile phone via text message or, if you prefer, generated by an app that runs on your smartphone, such as Google Authenticator," said Seth Hitchings, VP of platform strategy at Evernote, in an Evernote blog post. "We'll also give you a set of one-time backup codes for when you're traveling."

The security feature is currently available only for paid users. "Two-step verification is initially available to Evernote Premium and Evernote Business users only," said Hitchings, who recommended that users update all of their Evernote applications to the latest version before activating it. "Once we've optimized our processes and feel comfortable with our ability to support a wide audience, we will make it available to all users," he said.

Evernote has also implemented -- for all users -- an "access history" feature, which will list the IP address and geographic location of all account access for the past 30 days. "If you ever suspect that your account was accessed without your knowledge, you can check the history," said Hitchings.


LinkedIn announced Friday that it too would offer two-factor authentication, though so far only via a six-digit code sent via SMS. "Turn on two-step verification for your account now by going to Settings, selecting the Account tab and clicking Manage security settings option," Vicente Silveira, a director at LinkedIn, wrote in a blog post. He also suggested that additional behind-the-scenes access controls are already in place, noting that "all LinkedIn accounts are already protected by a series of automatic checks that are designed to thwart unauthorized sign-in attempts."

The moves by Evernote and LinkedIn to offer some form of two-factor authentication came the same month that Twitter began offering two-step verification, although early feedback on its system has been mixed. Other businesses, including Google and Facebook, have offered the security feature for some time.

In the case of Evernote and LinkedIn, the move to two-factor authentication was driven by both businesses suffering data breaches that put passwords at risk. A breach of at least 6.5 million LinkedIn passwords was discovered in June 2012, after an attacker uploaded some of the password hashes to a hacking forum, seeking advice on how to crack them.

Evernote, meanwhile, announced in March 2013 that it had suffered a database breach in which attackers obtained usernames, as well as hashed and salted versions of users' passwords. The company immediately forced all 50 million users to reset their passwords and promised to accelerate two-factor authentication implementation plans.

And if password hashes are exposed in the future? For any Evernote or LinkedIn user who'd activated two-factor authentication, attackers wouldn't be able to automatically access their account and steal data. But that's not the case with every two-factor -- aka two-step -- verification system.

Take Apple iCloud. "In its current implementation, Apple's two-factor authentication does not prevent anyone from restoring an iOS backup onto a new (not trusted) device," said Vladimir Katalov, CEO of Moscow-based Elcomsoft, in a recent blog post. "In addition, and this is much more of an issue, Apple's [two-factor] implementation does not apply to iCloud backups."

As a result, any attacker who knows a target's Apple ID and password could restore any iOS device backup onto a fresh device, then access that information without ever having to provide a one-time code. "Of course you're in trouble if your ID (any one, not just Apple's) and password is leaked," Katalov said. "But that's where 2FA should help, and that's why because most of the services are implementing it nowadays."

The threat of attackers targeting information stored in iCloud is no trivial matter. According to court records, for example, accused LulzSec collaborator Donncha O'Cearrbhail intercepted the dial-in credentials for a transatlantic conference call between the FBI and its overseas cyber-crime counterparts, boasting to the hacktivist Sabu that he'd hacked "into the iCloud for the head of a national police cybercrime unit." O'Cearrbhail allegedly added: "I have all his contacts and can track his location 24/7."

To be fair, Apple hasn't ever suggested that its two-factor security system works for iCloud. As noted in the Apple ID two-step verification FAQ: "Turning on two-step verification reduces the possibility of someone accessing or making unauthorized changes to your account information at My Apple ID or making purchases using your account."

Until Apple extends two-factor authentication to iCloud, Katalov said iOS users who use Apple's service for backup or data storage are more vulnerable to data breaches than they should be. Then again, the same holds true for other services that are still refining their two-factor authentication systems, or not yet offering it to all users.

Comments
Ramon S,
User Rank: Apprentice
6/5/2013 | 11:50:00 AM
re: LinkedIn, Evernote Add Two-Factor Authentication
How do you use this two factor authentication without a cell phone?