While I hate to admit it, I’m still unable to ditch Evernote and move my entire life over to Notion. There’s still one thing holding me back: Security.
It’s 2021 and Notion still doesn’t support two-factor authentication (natively) and it still lets its administrators access user files — two massive, insurmountable no-nos. Consider this an open letter to Notion, pleading with it to add both of these things to the roadmap. You have built a truly remarkable tool, but you’re stifling it.
I’m not just writing this as a personal user. I’ve seen businesses outlaw Notion on the basis it isn’t secure. Asana, Trello and Evernote aren’t subjected to the same treatment. I don’t blame them, either. Who wants to store privileged information in a location that can be accessed by an outsider with the click of a button?
You may argue that Notion employees can only access Workspaces after obtaining explicit permission from the user and that all of their movement is tracked, but I don’t think that’s enough. There’s nothing stopping someone going rogue and seizing the opportunity to sell information to a customer’s competitor.
People have done a lot worse for a lot less.
To be clear, I’m not saying that there shouldn’t be a support network for users. I don’t disagree with support staff accessing Workspaces in some instances. What I do think, though, is that customers need more control. They need the option to have data encrypted not only in transit and at rest, as it is now, but end-to-end too.
Then, when someone is in need of a little assistance, they can flick a switch in the backend, enter a secret key to confirm their identity (not today, pesky hackers), and unencrypt their Workspace at rest, opening the door to support personnel after granting them explicit permission to browse the files to help resolve an issue.
But this is only half of the problem. What good is keeping data out of reach of Notion employees when someone else can access your entire account by cracking your password? That’s because Notion doesn’t support two-factor authentication. Sure, there is a workaround, but you shouldn’t need to go out of your way to find it.
The fact of the matter is that in 2021 there’s absolutely no reason for an online service to disregard two-factor authentication. It’s everywhere. Amazon, Facebook, Google, Twitter… You name it, it’s got it. So how does a workspace tool that wants to be trusted with personal information, trade secrets, and everything in between, not?