Dropbox Two-Step Verification: Hands On

Online services are enabling additional security by checking your identity via SMS or a mobile app. Here's how it works.

Two-step account verification is a hot topic after hackers nearly wiped out the digital life of tech journalist Mat Honan recently, and Dropbox is the latest online service to enable the added security measure.

Two-step verification requires you to input a randomly generated security code in addition to your username and password before you can access your account. The code is typically sent to you via SMS or generated by a smartphone app such as Google Authenticator for Android, iOS, and BlackBerry.

Two-factor authentication is supposed to make it much harder for hackers to gain access to your account. Even if the bad guys guess your password, they still have to figure out a constantly changing special code before they can break in.

Keep in mind that while two-step verification should stop hackers from getting through the front door, there's no guarantee that your service provider will have all of its own security holes plugged. For four hours in June 2011, for example, Dropbox mistakenly left all user accounts wide open with no password protection whatsoever. 

Nevertheless, two-step verification is still an added layer of security that could protect some of your more precious files stored in Dropbox such as family photos or business documents. If you'd like to give the new Dropbox feature a try, here's a look at how to enable the feature on your account.

First, a Warning

Dropbox's current implementation of two-step verification is in experimental mode and is recommended only for users who don't mind confronting buggy software or unexpected problems. If you don't like dealing with PC hassles, do not try this feature in its current state. Dropbox says it plans to roll out optional two-step verification to all users in the near future.

Get Experimental

The first thing you need to do is get the latest experimental build of the Dropbox desktop app from this page on the Dropbox forums. Dropbox offers .exe and .dmg downloads for Windows and Mac OS X respectively, and either a 32- or 64-bit tarball for Linux users.

Before you install your version of Dropbox, you need to quit the current version of the desktop app running on your PC. This varies depending on your operating system. Windows users need to right-click the Dropbox icon in the taskbar and select "Exit." Then you can install the new version of Dropbox as you normally would.

After the experimental build is installed, sign in to Dropbox online using this link, which will let you enable two-step verification on your account.


The link above should take you directly to your Security settings. If it doesn't, click on your name in the upper right-hand corner and from the drop-down menu select Settings. On the next page, click on the Security tab.

Scroll down to the bottom of the security section until you see the Account sign in section. You should see an option that says Two-step verification Disabled. Click on (change) and enter your password if prompted.

Get Started

Next, a pop-up window will appear asking you to start the activation process for two-step verification by clicking on Get started. Then you'll be asked whether you want to receive two-step verification codes via SMS or a mobile app. For our purposes, we'll choose the mobile app option.

Dropbox two-step verification supports several third-party authentication apps including Google Authenticator (Android, iOS, BlackBerry), AWS Virtual MFA from Amazon's Appstore for Android, or Authenticator for Windows Phone.

Enable and Get Your Code

You'll then be asked to enable the authentication app by scanning a QR code or getting a secret key you can enter manually.

If your phone supports it, scanning the QR code is the faster option.

The process is almost over, but we're not quite there yet.

Once you've scanned the QR code or added your Dropbox account to the smartphone app manually, you have to enter a six-digit code from your authentication app to make sure everything is working properly. 

After enabling your authentication app, Dropbox will display a 16-digit code that you need to copy down to a secure place such as an encrypted file or a plain piece of paper kept in a safe place.

This code is your back-up should you lose your phone and become unable to authenticate a sign-in to your Dropbox account.

Using the 16-digit code will give you emergency access to your account and allow you to disable two-step verification.

After you've copied the code, you're all set up with two-factor authentication.

Test It

If you want to make sure everything is working properly, try unlinking your desktop account and re-linking your account. This will basically sign you out of Dropbox on the desktop and will not erase your files.

To unlink on Windows, right-click on the Dropbox icon in your taskbar, select "Preferences>Account>Unlink This Computer." Dropbox will disappear and then reboot asking you to sign in. After you've entered your username and password, you should now see a request for a two-step verification code.

Going Forward

You will have to use a two-step verification code whenever you want to log into the Dropbox site or enable the service's desktop app on a new computer. In my tests, two-step verification did not affect the Dropbox smartphone apps for Android and iOS. It's not clear if the new security feature will also be extended to mobile apps once the feature moves out of the experimental phase.

Connect with Ian Paul (@ianpaul) on Twitter and Google+, and with Today@PCWorld on Twitter for the latest tech news and analysis.
