Two-Factor Authentication

I would like to see implementation of 2FA (Two-Factor Authentication) for login to Joplin. Evernote has this feature. I use Evernote for client documentation and personal data, so I want to ensure my data is safe. I know Joplin has encryption on the sync location, but using SMS or Google Authenticator on login would add an extra layer of security. I started using Joplin as a “Plan B” in case Evernote ever shuts down with all my data. Joplin is very close to Evernote in functionality, so I make a habit of exporting new and edited notes from Evernote and importing them into Joplin to keep Joplin up to date. I’m fine with that. Just secure Joplin better and I’m fine with the app.

3 Likes

There is no login into Joplin.

The only credentials that are needed are the ones for the sync target. Or do you mean you want Joplin to allow you to use 2FA for Dropbox, OneDrive, and Nextcloud?

I doubt that this will happen; e.g. the Nextcloud app doesn’t use 2FA either. It is specifically stated in the docs that if 2FA is enabled on the server, an access token has to be created to log in with an app.

1 Like

That’s the point, a login or some type of (optional) front-end security would be a welcome, and IMHO, necessary addition.

I run my business on Evernote and have several hundred client notes with very sensitive information. I wasn’t worried about the sync account: the data is unreadable when I look at it in Dropbox, and I did encrypt it. I’m worried that someone with unauthorized access to my devices can see the notes in Joplin. That’s not possible with Evernote because they wouldn’t have my Evernote credentials, and even if they did, Evernote supports SMS 2FA, which I use, so without the code sent to my phone, they couldn’t get in. Evernote also synchronizes using the same account, so there’s no problem on the back-end.

I’m using Joplin as a current archive of my Evernote notes in case Evernote suddenly shuts down or my Evernote notes are no longer accessible for any reason. I’m keeping one copy of Joplin on a single PC with limited Internet access. I have to, as a result of it being so open.

Otherwise, I think it’s a terrific Evernote alternative. I’m just surprised there’s no front-end security at all.

2 Likes

This has been discussed a lot on github and on this forum.

If someone has physical access to your machine/device, you have much bigger problems. Joplin will be the least of your problems.

Even if you were to have a login to the Joplin app, the data would still not be encrypted on your local disk.

On the other hand, there are options to make it highly secure locally. But please note: security always has the drawback of adding complexity to your workflow.
You could create an encrypted container (TrueCrypt, VeraCrypt, LUKS, cryptsetup, …) and place the Joplin files in the container. Then you have to create a link from your default profile directory to the container.
That’s pretty much it.

I don’t know how Evernote stores the data on your local device, but Joplin does so in clear text.

If you search this forum, you will find endless discussions on this topic, where the developer also explained the reasoning.

2 Likes

Evernote stores data locally in files that don’t appear to me to be useful outside of the app. I agree, using encrypted containers would be awkward. I think the risk is greater if I used Joplin on my mobile devices. Of course, they have their own security, and I can wipe them remotely if they were lost, so maybe I’m over-worrying! But another optional app-level security layer would still be welcome. Thanks for discussing this with me!

Evernote uses 2FA for the connection to the Evernote server(s).
With Joplin you are using files stored locally on your PC.

To be honest, I don’t know how the locally stored Evernote files are protected. According to some discussion forums, there is no encryption at all of Evernote local files.

Security is a hard job. It is not easy to work on high-quality encryption.

Leave Joplin coders to focus on Joplin features and leave security to coders working on security projects.

On my company PC I’m using a VeraCrypt encrypted virtual disk to store local files securely.
I recommend doing it the same way to achieve high-quality encryption of your data.

2 Likes

Apps and security go together.

What I was referring to was front-end access to Joplin by anyone with access to the computer Joplin runs on. I just want the ability, like in Evernote, to have login credentials, combined with 2FA, to limit access to seeing the notes. That’s even more important on a mobile device. Granted, 2FA must be complex to implement, so I’d accept just login credentials for some front-end security. So far as I can tell, there is nothing readable locally in Evernote or Joplin.

1 Like

I have already mentioned in a previous post that Joplin stores the local notes in clear text.

I have also explained that your Evernote login is not necessarily secure. Yes, it is secure for syncing your local notes with the Evernote server, but not for securing your local notes.

You are mixing up a few things here. The connection to sync targets is also secure in Joplin (just not 2FA), unless you use http. The notes are encrypted on the sync target, if you choose to use E2EE.
Joplin does not provide some useless local app login, which has been - as I've also mentioned in my first reply - discussed a hundred times before. You can search for these discussions on this forum and in the gh issues.

1 Like

I would like to correct your information slightly.

  1. 2FA for Evernote is for accessing the evernote.com server, not for encryption of your notes. If you are using just the web client, all your notes are only on Evernote servers and yes, your notes are protected behind the password.

  2. If you are using the Windows application, this app is using the Evernote servers as the primary source of notes as well. Just to allow offline access too, it replicates all notes to local storage - an SQLite database.
    This database is unencrypted (checked on my local Windows installation). If you are skilled enough, open the file with the suffix .exb with an SQLite tool and read the table fts - all your notes are over there.

  3. Joplin is using exactly the same approach for storing data. Everything is in an SQLite database, unencrypted.

  4. Just because your Evernote app is asking for the password, it doesn’t mean your locally stored Evernote data is encrypted and safe. It only prevents dumb people from reading it directly through the application.

  5. (Not using 2FA for Evernote, so I cannot check.) Is your mobile application asking for 2FA every time you open it? Or only during the installation on a new phone or (maybe) after a phone restart?

  6. It’s pretty hard to work on a big project in your free spare time without any financial reward (tell your partner you will not take care of the children but code the whole evening…). I’m really glad for this project and I’m grateful to all the people participating in it.

  7. There are (or could be) various security requirements. Somebody demands to protect application access by auth, somebody demands to encrypt notes on the disk, and so on. It could be solved by Joplin coders (and not solving other requirements/bugs).
    Or all security requirements can be solved by already existing solutions.
    Do you want encrypted notes on the disk? Choose any of the existing file encryption tools.
    Do you want to protect application access? Choose any of the existing tools that protect a passwordless application with a password (some systems can do it as native functionality).
    And then, if auth and/or encryption become more and more demanded by users, coders can consider including it internally in Joplin.

  8. There are a lot of other alternatives, maybe solving your requirements better than Joplin. That’s the beauty of selection. https://www.slant.co/options/24561/alternatives/~joplin-alternatives

2 Likes
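As an added example (not code from anyone in this thread, nor from the Joplin or Evernote projects), a script that builds a constructed SQLite notes database with an assumed table layout and then checks, by searching the raw file bytes without any SQLite tooling, whether the note bodies are readable outside the application; this is the quick test behind points 2 to 4 of the post above, and the same check applies to any local notes database.

```python
import os
import sqlite3
import tempfile

# Constructed sample notes (not data from anyone in this thread).
SAMPLE_NOTES = [
    ("Client A", "Contract renewal due in March; account reference PLACEHOLDER-1"),
    ("Client B", "Door code hint for the office: ask Sam"),
]


def build_plaintext_db(path):
    """Create a SQLite file with a notes table whose bodies are stored as plain
    text, mirroring the unencrypted local storage the posts describe.
    The table layout is assumed for the demo, not copied from either app."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    con.executemany("INSERT INTO notes (title, body) VALUES (?, ?)", SAMPLE_NOTES)
    con.commit()
    con.close()


def plaintext_leaks(path, phrases):
    """Return the phrases that appear verbatim in the raw bytes of the file.
    No SQLite library is used here on purpose: a non-empty result means the
    text is readable by anyone who can copy the file, without the app."""
    with open(path, "rb") as f:
        raw = f.read()
    return [p for p in phrases if p.encode("utf-8") in raw]


def run_check():
    """Build the sample database in a temp dir and report which note bodies leak."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "database.sqlite")
        build_plaintext_db(path)
        return plaintext_leaks(path, [body for _, body in SAMPLE_NOTES])


if __name__ == "__main__":
    for body in run_check():
        print("readable without the app:", body)
```

To run the check on your own notes database, call plaintext_leaks with its path and a phrase you know is in one of your notes; a hit confirms that an encrypted container of the kind recommended earlier in the thread, not an app login, is what protects the notes at rest.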