Dropbox upgrades security with two-factor authentication

Users who desire a higher level of security can enter a one-time passcode

The file-sharing utility Dropbox is now offering two-factor authentication, a system that makes it much harder for hackers to capture valid credentials for a person's account.

Dropbox, one of the most widely used web-based storage services, said last month it planned on introducing two-factor authentication after user names and passwords were stolen from another website and used to access accounts.

While it is relatively easy for hackers to obtain a person's user name and password using malware and social engineering, it is much harder for them to intercept one-time passcodes, although it is possible. The codes, sent by SMS (short message service) or generated by a device, expire quickly.

Users will first need to upgrade their client to version 1.5.12. The feature can be turned on through Dropbox's website on the "security" tab in a person's account settings. Users can opt to receive the six-digit code sent by SMS to their mobile phone when a new device is used to access their account.

A valid code can also be obtained by using an application that supports the Time-Based One-Time Password protocol, such as Google Authenticator, Amazon AWS MFA or Authenticator, according to Dropbox. Apple users can opt to generate a code from the terminal application using the OATH tool, Dropbox said.

While setting up two-factor authentication, users get a 16-digit backup code that can be used to unlock their account if they lose their phones and can't obtain codes through SMS or an application.

Dropbox users have reported a few problems on the company's forum, but were generally positive. Dropbox employee "Dan W." wrote on the forum that since SMS codes expire in about a minute, the company is working to make SMS deliveries faster, as well as adding new carriers.

"In the meantime, if SMS delivery is slow, I recommend using an offline app instead," he wrote.

Dropbox is also working on a feature for users to "untrust" their current browser or all other browsers, which would mean a code would be required upon the next attempted login. Dan W. wrote that "in the meantime, for testing purposes, you can untrust a computer by deleting Dropbox cookies."

Send news tips and comments to jeremy_kirk@idg.com

Join the CSO newsletter!

Error: Please check your email address.
Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Jeremy Kirk

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts