Dropbox going two-factor, becoming de facto

Dropbox's decision to offer users two-factor authentication on top of their user ID and password reflects a growing trend among web service providers, experts say.

Dropbox, an online file-sharing service, introduced the second security layer on Monday as an option. To turn on the feature, users have to go to the security tab in their account settings and enable two-step verification in the "account sign in" section.

The option was released nearly four weeks after Dropbox was hit by an embarrassing spam attack that stemmed from the theft of an employee's password. The credential enabled the hacker to steal a number of user email addresses and send them ads for gambling sites. The addresses belonged to European users.

The use of two-factor authentication is growing among service providers as numerous high-profile breaches increase user awareness of the need for better security.

For example, Google has made it available to Google Apps subscribers. "We anticipate that more and more users, both corporate and consumer, will want to utilize their mobile device for secure access to either their own or corporate applications," Sally Hudson, analyst for IDC, said in an email.


The market for mobile enterprise security software, which would include two-factor authentication, is expected to reach nearly $2.5 billion in 2016 from $682 million last year, according to IDC. That amounts to a compound annual growth rate of 30%.

Other experts contacted by email praised Dropbox's decision. Andrew Wild, chief security officer for Qualys, said he had already enabled the feature on his personal account. "I'm pleased that Dropbox is offering an enhanced authentication option and I'd like for more web services to do the same," he said.

Jon Oberheide, co-founder and chief technology officer of Duo Security, said Dropbox "killed two birds with one stone" in launching the new service. "It serves as a reaction to their breach to increase consumer confidence, as well as implements a feature that businesses have been demanding from cloud storage vendors." (Duo Security is a two-factor authentication service provider.)

Dropbox is giving users the choice of having a six-digit one-time password texted to their mobile phones, or generated by a mobile authenticator app, such as Google Authenticator or Amazon Web Services' MFA.

The code supplied from either option would be necessary to complete the login process after entering a user ID and password.
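The six-digit code from an authenticator app is typically a time-based one-time password (TOTP, RFC 6238, the scheme Google Authenticator implements). The following is an added illustration, not Dropbox's code, showing how the code is derived and how a server can verify it while tolerating clock drift and refusing replay of an already-redeemed code; the demo secret is the RFC 4226/6238 shared test secret.

```python
import hmac
import hashlib
import struct

# Added example (not Dropbox's code): six-digit TOTP (RFC 6238) built on
# HOTP (RFC 4226), the construction Google Authenticator implements.
# Server-side verification tolerates clock drift and rejects replays.

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian 8-byte counter,
    dynamically truncated to a 31-bit integer, reduced modulo 10**digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)

def verify_totp(secret, submitted, unix_time, last_counter=None,
                window=1, step=30, digits=6):
    """Return the accepted counter, or None if the code is rejected.
    - window=1 also accepts the previous and next 30-second step, absorbing
      clock skew between the phone and the server.
    - last_counter is the highest counter already redeemed for this user;
      anything at or below it is refused so an intercepted code cannot be
      replayed within the window.
    - hmac.compare_digest keeps the comparison constant-time."""
    current = unix_time // step
    for candidate in range(current - window, current + window + 1):
        if last_counter is not None and candidate <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits), submitted):
            return candidate
    return None

if __name__ == "__main__":
    # Constructed demo using the RFC 4226/6238 test secret; T=59 -> counter 1.
    demo_secret = b"12345678901234567890"
    t = 59
    code = totp(demo_secret, t)                                   # "287082"
    accepted = verify_totp(demo_secret, code, t)                  # 1
    replayed = verify_totp(demo_secret, code, t, last_counter=accepted)  # None
    print(code, accepted, replayed)
```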

Besides the recent spam attack, Dropbox has had other missteps with security. About a year ago, the company accidentally turned off password authentication for all its users for four hours before the snafu was discovered.

In May 2011, a security researcher at the University of Indiana filed a complaint with the Federal Trade Commission (FTC), claiming the company exaggerated the level of encryption used to secure customer data. The company denied the allegations.

Nevertheless, Dropbox is still seen by many industry observers as primarily a consumer service. "Strengthening authentication options is important, but enterprises require more than just strong authentication for a file-sharing SaaS (software as a service) to be considered enterprise ready," Wild said.

Those features would include the ability to manage and control credentials across multiple services, and the ability to pull activity data to monitor document flow and security events, such as an unusual number of login failures.

Businesses also need to be able to block and control sharing of sensitive information.

Stories by Antone Gonsalves