How to configure Dropbox's two-step authentication

Following in the footsteps of Google and other services, Dropbox this weekend enabled two-factor authentication to bring enhanced security to its users.

While Dropbox was not among the services compromised in the well-publicized attack on Wired's Mat Honan earlier this month, the service has suffered from at least one security breach in recent months. Adding two-factor authentication is one way to make your connection to the service (which for many users is an increasingly important part of their workflow) more secure.

As with Google's implementation, Dropbox's two-factor authentication relies on two separate elements: something you know (a password) and something you have (in this case, a separately generated code). While the combination of these two elements doesn't guarantee your security, it does make it much harder for a potential hacker to gain access to your account.

The setup

To enable Dropbox's two-factor authentication, you'll want to make sure your desktop client is using version 1.5.12 or later. Since, at the time of this writing, 1.5.12 is a preview release, you'll need to download it from the Dropbox forum and install it on all the computers you use with the service.

Once you've installed the newest version, visit the Dropbox website, click on your name in the top right corner, and select Settings. Then click on the Security tab.

In the bottom left of the screen, right under the Forgot password? link, you'll see an option for Two-step verification (it's a term used interchangeably with two-factor authentication). By default, it should read Disabled, but clicking on the Change button will open a dialog box that explains the system and a link that will explain it in further detail; click on the Get Started button to begin the process.

Authenticate, authenticate

You'll first be prompted to enter your current password, for security reasons. After that, you'll be given two options: receive security codes via a text message to your phone, or use a mobile app. Each option has its own virtues: If you're using a non-smartphone, you'll probably want to opt for standard text messages. However, smartphone users will likely be better served by a mobile app, since it can work even when your phone isn't connected to the network.

If you choose text message, you'll be asked to provide a phone number to which codes will be sent whenever you sign in to the Dropbox website or link a new device to your account. Once you've entered the phone number, you'll receive a text message with a six-digit code, which you'll use to verify that yes, that is the phone you meant to use. You'll then be provided with a 16-character emergency backup code which can be used to disable two-step verification just in case you can't access your phone for some reason. It's best to write this down and stow it somewhere secure where you can get at it (and especially where it's not stored in Dropbox itself). Click Enable Two-step Verification, and you're all set.

Mobile app users have a few additional options. Dropbox supports a number of different authenticator apps, including Google Authenticator for Android, iPhone, and BlackBerry; Amazon AWS MFA for Android; and Authenticator for Windows Phone 7.

The easiest way to set up an app is to fire up your authenticator app and use your phone's camera to scan the two-dimensional barcode that Dropbox provides. If you're using Google Authenticator, launch the app and click on the + button in the bottom right corner; then tap the Scan Barcode button and line up the crosshairs with the barcode Dropbox provides.

Alternatively, you can also manually enter your account's secret key by clicking on the link that Dropbox offers. Follow the same instructions as above, but instead of scanning the barcode, enter the information that Dropbox provides you into the Account and Key fields.

Once you've entered that information, the authenticator app will provide you with a six-digit code that refreshes every 30 seconds. Enter that code to verify that you've correctly linked your authenticator app with your account, and Dropbox will provide you with the 16-character backup code, which you should store someplace safe, in case of emergency (again, not in your Dropbox). Then click the Enable Two-step Verification button, and you should be ready to go.

(Advanced users also have the option to generate codes via the command-line OATH tool, but you'll likely want to leave that alone unless you're very comfortable in Terminal.)
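The reason an authenticator app keeps working with no network connection is that the six-digit code is computed purely from the shared secret key (the value behind the barcode or the Key field) and the current time, using the OATH TOTP algorithm (RFC 6238, built on HOTP from RFC 4226). The following is an added example, not Dropbox's own code or the command-line OATH tool mentioned above: it generates a code the way an authenticator app does and checks one the way a server would, allowing one 30-second window of clock drift on either side and comparing in constant time. The secret used is the reference key from RFC 6238, base32-encoded as authenticator apps expect; the function names are my own.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample secret: the RFC 6238 reference key "12345678901234567890",
# base32-encoded the way an authenticator app's "Key" field expects it.
SAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter,
    dynamically truncated to a 31-bit integer, reduced to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def decode_secret(secret_b32: str) -> bytes:
    """Accept the key as apps display it: spaces and missing '=' padding allowed."""
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def totp(secret_b32: str, timestamp=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step).
    This is what the app shows; it needs only the secret and a correct clock."""
    if timestamp is None:
        timestamp = time.time()
    return hotp(decode_secret(secret_b32), int(timestamp) // step, digits)


def verify_totp(secret_b32: str, candidate: str, timestamp=None,
                step: int = 30, digits: int = 6, drift: int = 1) -> bool:
    """Server-side check. Accepts the current window plus `drift` windows on
    either side so a slightly skewed phone clock still works, and uses a
    constant-time comparison so the check leaks nothing about the expected code."""
    if timestamp is None:
        timestamp = time.time()
    if len(candidate) != digits or not candidate.isdigit():
        return False
    for window in range(-drift, drift + 1):
        expected = totp(secret_b32, timestamp + window * step, step, digits)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


if __name__ == "__main__":
    now = time.time()
    code = totp(SAMPLE_SECRET_B32, now)
    print(f"Current code: {code} (valid for {step_left := 30 - int(now) % 30}s)")
    print("Server accepts it:", verify_totp(SAMPLE_SECRET_B32, code, now))
```

Running it prints a code that matches what Google Authenticator would show for the same key at the same moment, which is also why the phone's clock must be roughly correct: a server typically accepts only a window or two of drift, and a code can be replayed within its window unless the server also remembers the last counter it accepted.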

The login line

Now, every time you log in to your Dropbox account on the Web, you'll be prompted to enter a six-digit code that you'll receive from either a text message or your mobile app. On computers where you're the only user (or where you trust all the users), you can check the Trust this computer checkbox, which means that you will not be prompted to enter a code when logging in via that computer.

Unlike Google's two-factor authentication, Dropbox doesn't require you to create application-specific passwords for every piece of software that wants to use your account. However, you can still monitor which apps are currently linked to your Dropbox by going to the Settings section of your account on the Dropbox website and clicking on My apps. You'll see a list of the programs that currently have access to your Dropbox, the level of their access, and an option to unlink any of them.

While two-factor authentication doesn't assure complete and utter security for your Dropbox account, it does make it considerably harder for an attacker to compromise your account and, by extension, your files. And while it may require a certain degree of added complexity, that's not a bad tradeoff for peace of mind.

Stories by Dan Moren

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place