Dropbox ups its security with two-factor authentication

27 Aug 2012

Having discovered a security breach in July that compromised some users’ email addresses and passwords, Dropbox is intent on making its cloud storage service more secure. Today, that means the introduction of two-factor authentication.

In August, when the security breach was confirmed, Dropbox laid out plans for enhanced security going forward. These included automated mechanisms to spot suspicious activity, a new Security tab added to the settings menu where users can check all log-ins to their accounts, and optional two-factor authentication.

The two-factor authentication process requires users to provide two proofs on sign-in or when linking to a new device: the user’s password and a six-digit security code. This option is disabled by default but comes highly recommended by Dropbox, particularly in the wake of numerous high-profile hacker attacks.

If enabled, users will be given the option to receive access codes either by SMS or via a mobile app. Any mobile app that uses the time-based one-time password (TOTP) protocol, such as Google Authenticator, will work.

Users who opt in to the SMS service may be subject to carrier charges for each message received. Those using a mobile app authenticator may be able to generate codes even when cellular or data services are unavailable.
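The sketch below is an added example, not Dropbox's code, showing why a TOTP app can produce the six-digit code with no network: the code is derived only from a shared secret and the clock (RFC 6238). The 30-second step, the drift window, the replay check and the function names are assumptions for illustration; the demo key is the published RFC 6238 test key.

```python
# Added illustration of RFC 6238 TOTP; not Dropbox's implementation.
import hashlib
import hmac
import struct
import time

STEP = 30    # seconds per code: RFC 6238 default, assumed here
DIGITS = 6   # the six-digit security code described in the article


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation picks 4 bytes of the MAC
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret, now=None):
    """Authenticator side: needs only the secret and a clock, no network."""
    now = time.time() if now is None else now
    return hotp(secret, int(now) // STEP)


def verify(secret, submitted, now=None, drift=1, last_step=-1):
    """Server side. Returns the matched time step, or None on failure.

    drift: steps accepted either side of now (assumed clock-skew allowance).
    last_step: newest step already accepted, so a seen code is not replayed.
    """
    now = time.time() if now is None else now
    current = int(now) // STEP
    matched = None
    for step in range(current - drift, current + drift + 1):
        # Constant-time compare; every candidate is checked, no early exit.
        ok = hmac.compare_digest(hotp(secret, step).encode(), submitted.encode())
        if ok and step > last_step and matched is None:
            matched = step
    return matched


if __name__ == "__main__":
    demo_secret = b"12345678901234567890"  # RFC 6238 published test key
    print(totp(demo_secret, now=59))
```

A verifier would store the returned step as `last_step` for the account, so the same code is rejected if it is submitted a second time inside the drift window.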

Should a user ever find themselves locked out of their account by two-factor authentication (if their phone is lost or stolen, for example), they can fall back on the 16-digit back-up code that Dropbox issues on set-up. Users will need to keep this code safe, as it will be the only way to gain access to their account without two-step verification.

Elaine Burke is the host of For Tech’s Sake, a co-production from Silicon Republic and The HeadStuff Podcast Network. She was previously the editor of Silicon Republic.