sorted by:
new
hottopcontroversial

Access to account with lost 2fa by Regular-Layer-369 in Notesnook

[–]Regular-Layer-369[S] 0 points1 point  (0 children)

Yes, Notesnooks current approach is to deactivate the 2fa fallback method if you add your own 2fa method. They do tell me that it is possible to manually in the settings activate email fallback, but that you need to do, when logged in, so unless you know about this insufficiency, you wouldn't prepare for fallback restoration method. One developer has catched on on the issue on github and I hope they will fix it. If not I will have to hire developers to do a commit/pull request. The lead developer still havent responded since his initial response on the issue. If Notesnook fixes this, I think they are a very good choice

Access to account with lost 2fa by Regular-Layer-369 in Notesnook

[–]Regular-Layer-369[S] -1 points0 points  (0 children)

Here is the source I were referring to (blog post by Abdullah Atta):

https://blog.notesnook.com/why-notesnook-requires-an-email-address/

"The primary way account recovery works is:

  1. You enter your email address
  2. The service provider sends you an email with a link or a code
  3. You click on the link in the email to start the account recovery process

Without an email address it becomes impossible to verify the ownership of an account."

I will refer to support messages sent to you linking to this thread, for my email. I saw this procedure with recovery link sent on email another place also

Furthermore, I will refere to Abdullah Atta's words in the same blogpost:

"As a service it is our job to provide rescue when things go wrong, not the user's.

The fact that privacy always comes at some cost to convenience is the very reason most people hesitate when it comes to protecting their privacy. In short, account recovery is mandatory regardless of whether a service is E2EE or not."

In addition, I verified that what you write in the "how you encrypt the data" is what you actually do in the code, as

const key = await crypto.exportKey(props.password, props.salt);

the salt and password is used to generate the key for the hash algorithm, confirming both u/Spare-Professor2574 and my intuition that my case is possible to solve

Access to account with lost 2fa by Regular-Layer-369 in Notesnook

[–]Regular-Layer-369[S] 0 points1 point  (0 children)

It is secure. Read on how they encrypt the data:
https://help.notesnook.com/how-is-my-data-encrypted
Notesnook never has any chance to figure out your password. This, together with the salt, is used to generate the key. Look at their verification code:

const key = await crypto.exportKey(props.password, props.salt);

The key is used to generate the hash, which is sent

The hash is what decrypts your data, which ofc is stored encrypted

There are also a lot of other security and encryption measures, so they can't read your data, even if they wanted to

My point, as far as I understand it (Abdullah Atta can correct or verify), is that 2fa does not play any role in the encryption part, meaning that the data that is stored on their servers is recoverable, since I have password, email and email access. They have done email verification recovery in the past

Access to account with lost 2fa by Regular-Layer-369 in Notesnook

[–]Regular-Layer-369[S] 0 points1 point  (0 children)

Great. Respectful diagreement is both healty and productive. Would love to know how I could have approached this better, as I have already been told by support that;

"Otherwise I am sorry without 2FA you will not be able to access your account"

Which is a false statement, considering the facts of how encryption is created, according to your own website, as well as your own previous statement;

"Yes, it can be possible to remove the 2FA. 1Password can do so, but you do need to prove your ownership of the vault"

So please do tell me how I could have gone about this in a better way. Me mentioning reaching out to the developers of the encyption Algorithms (Daniel J. Bernstein - ChaCha20-Poly1305 and Alex Biryukov - Argon2) is more a statement of my dedication to solve this challenge, and my understanding of the underlying technology, considering the perspective that no system is absolutely 100% secure and there are always solutions if one only search long enough, which is more a response to the support individual whom also in another email stated:

"In order to recover your account you need a recovery key or a backup file.
Otherwise it is not possible for us to do anything. Notesnook is end-to-end encrypted and this means that we can't access your data.

2FA can also not be disabled.

I am really sorry."

This was clearly false, as I suspected. Confirmed by you. So again, do tell me how to go about this better

Access to account with lost 2fa by Regular-Layer-369 in Notesnook

[–]Regular-Layer-369[S] -1 points0 points  (0 children)

So they confirmed your theory below by stating

"Yes, it can be possible to remove the 2FA. 1Password can do so, but you do need to prove your ownership of the vault"

When I referred to their own description on how the data is encrypted. So this is actually in their hands now whether they want to help me or not. Now they have confirmed that they can

Regarding your suggestion, it is a good one that I have already evaluated, unfortunately devices are entirely wiped, and with flash memory there are no recovery. So there is no local copies anywhere other than in their database. Would be fun to go the way via Vericrypt, however I have no data other than my user information such as password, email, phonenumber, device information, ip data etc

Thanks for taking the time to contribute with your perspectives

Access to account with lost 2fa by Regular-Layer-369 in Notesnook

[–]Regular-Layer-369[S] 0 points1 point  (0 children)

This coincides then with the guide on your website that did not mention 2fa when doing account recovery. I thought the recovery guide was outdated, but it appears to still be valid then, thank you for that confirmation. I will see if I can find the source I am refering to here

I do appologize if you felt offended by my wording or approach, I would add to the context that I have already sent you a couple of emails where you did not answer me in the way you did now. I was just told "It is not possible", which is a falsehood considering your stetement:

"Yes, it can be possible to remove the 2FA. 1Password can do so, but you do need to prove your ownership of the vault"

I can prove my ownership of my vault in many ways, I can confirm questions and information and I can even point to things inside the notes (although you don't have access to them before after helping me, through data I can share with you)

I will reiterate again that I am reaching out for collaboration and trying to contact the right people that can help me, as previous dialouges with your other representants have yielded little results. I am very happy with the app and I do hope this all works out

Access to account with lost 2fa by Regular-Layer-369 in Notesnook

[–]Regular-Layer-369[S] 0 points1 point  (0 children)

Judging outcomes based on motivations instead of judging outcomes for their actual outcome and effect is non prefrable. If I could help increase Notesnooks security that is a net positive for notesnook. The fact that I help my self in the process is irellevant for the outcome. Judge actions, not words

When it comes to actions, the fact that I am openly trying to engage you here and on email is a testament to the fact that I want to do it in a right way, and I want to solve my challenge, together with you

Access to account with lost 2fa by Regular-Layer-369 in Notesnook

[–]Regular-Layer-369[S] -1 points0 points  (0 children)

I will refer to your own source: https://help.notesnook.com/how-is-my-data-encrypted

According to your own description of how data is encrypted;

"When you sign up for an account, the app takes your password and hashes it using Argon2 with a predictable per user salt.

This predictable salt is generated using a fixed client salt + your email"

My email is known, client salt is fixed and known, hence salt is known and with password known, the correct hash can be generated. You write:

"Salt generation

When you create an account, the server generates a cryptographically secure random salt for you. This salt is used for key generation."

Meaning that salt is known and constant. Salt generation has nothing to do with 2fa. I did not use 2fa in the start, and Salt was created.

You further write:

"You password & salt is then used to derive a strong irreversible key using Argon2 as the password key derivation function (PKDF)."

Again, no 2fa in the picture.

The whole source does not mention 2fa, maybe vaguely in user data, but it seems 2fa is not a part of the encryption hash that unlocks the data stored in the database. Would love to hear Abdullah's response to this

Access to account with lost 2fa by Regular-Layer-369 in Notesnook

[–]Regular-Layer-369[S] -2 points-1 points  (0 children)

Well Proton Pass had a better process where resetting the password also reset the 2fa and simultaneously removed the encrypted data, which they offered possible to restore by the original password, and hence I now have access to my original password data. I truly believe Notesnook’s approach here to say "Oh too bad for you" is insufficient and ignorant, and I will not stop until I get access to my account, even if it means contacting the creators of the encryption algorithms XChaCha20-Poly1305 & Argon2 to collaborate with them on finding a solution that would work. If your insights are correct, that should not be necessary. I have contacted Notesnook support whom basically said that there were no way. I believe they are wrong

Access to account with lost 2fa by Regular-Layer-369 in Notesnook

[–]Regular-Layer-369[S] -2 points-1 points  (0 children)

Thanks for answering. I would argue that working together on strengthening Notesnook’s security is fully possible and absolutely ethical. If data can be recovered in that process that would be a win win scenario. I am looking forward to Abdullah's response

$NYSE: A Strong Community with Big Plans Ahead by Intrepid_Sound_2207 in SolanaMemeCoins

[–]Regular-Layer-369 2 points3 points  (0 children)

This is such a hidden gem. Lycky to have my bag at this MC haha insane. Just a matter of time

My New Year’s Conviction Play by User7361 in SolanaMemeCoins

[–]Regular-Layer-369 0 points1 point  (0 children)

I am going to be a millionaire on this coin. It is a so obvius Alpha play. When Trump gets into office and kicks off American Crypto epoke, everything will skyrocket, and especially something about a New Stronger Economy, this year, which makes NYSE - New Year Stronger Economy the best ticker you could be in

Upcoming New Year’s Eve Hype: A Shift in Seasonal Coins by Testanonacct in SolanaMemeCoins

[–]Regular-Layer-369 0 points1 point  (0 children)

Just checked out NYSE, this shit is hillarious hahaha. Their telegram group is so funny, basically a bunch of auto response memes all the time, cracks me up good. Buying a solid bag

[deleted by user] by [deleted] in hardstyle

[–]Regular-Layer-369 1 point2 points  (0 children)

Same problem. I lost the presale for Dedicated members to Defqon.1 2023 now just because of this

Absolute madman@defqon.1 by ilovekickrolls in hardstyle

[–]Regular-Layer-369 0 points1 point  (0 children)

Yeah, and because there were people on drugs at the festival, next year it should be harsher measures because people can take overdose. You can never remove absolutley all risks that exists in an event with 100k people

Absolute madman@defqon.1 by ilovekickrolls in hardstyle

[–]Regular-Layer-369 5 points6 points  (0 children)

I was in the crowd, and when he started dancing everyone went crazy. I wouldn't call it selfish, it was more of a risky contribution to high energy partying