How to configure Dropbox's two-step authentication

  • Dan Moren
  • 27 August, 2012 16:34

Following in the footsteps of Google and other services, Dropbox this weekend enabled two-factor authentication to bring enhanced security to its users.

While Dropbox was not among the services compromised in the well-publicized attack on Wired's Mat Honan earlier this month, the service has suffered from at least one security breach in recent months. Adding two-factor authentication is one way to make your connection to the service (which for many users is an increasingly important part of their workflow) more secure.

As with Google's implementation, Dropbox's two-factor authentication relies on two separate elements: something you know (a password) and something you have (in this case, a separately generated code). While the combination of these two elements doesn't guarantee your security, it does make it much harder for a potential hacker to gain access to your account.

The setup

To enable Dropbox's two-factor authentication, you'll want to make sure your desktop client is using version 1.5.12 or later. Since, at the time of this writing, 1.5.12 is a preview release, you'll need to download it from the Dropbox forum and install it on all the computers you use with the service.

Once you've installed the newest version, visit the Dropbox website, click on your name in the top right corner, and select Settings. Then click on the Security tab.

In the bottom left of the screen, right under the Forgot password? link, you'll see an option for Two-step verification (a term used interchangeably with two-factor authentication). By default, it should read Disabled; clicking the Change button opens a dialog box that explains the system, along with a link to a more detailed explanation. Click the Get Started button to begin the process.

Authenticate, authenticate

You'll first be prompted to enter your current password, for security reasons. After that, you'll be given two options: receive security codes via a text message to your phone, or use a mobile app. Each option has its own virtues: if you're using a non-smartphone, you'll probably want to opt for standard text messages. Smartphone users, however, will likely be better served by a mobile app, since it can generate codes even when your phone isn't connected to the network.

If you choose text message, you'll be asked to provide a phone number to which codes will be sent whenever you sign in to the Dropbox website or link a new device to your account. Once you've entered the phone number, you'll receive a text message with a six-digit code, which you'll use to verify that yes, that is the phone you meant to use. You'll then be provided with a 16-character emergency backup code, which can be used to disable two-step verification just in case you can't access your phone for some reason. It's best to write this down and stow it somewhere secure where you can get at it (and especially where it's not stored in Dropbox itself). Click Enable Two-step Verification, and you're all set.

Mobile app users have a few additional options. Dropbox supports a number of different authenticator apps, including Google Authenticator for Android, iPhone, and BlackBerry; Amazon AWS MFA for Android; and Authenticator for Windows Phone 7.

The easiest way to set up an app is to fire up your authenticator app and use your phone's camera to scan the two-dimensional barcode that Dropbox provides. If you're using Google Authenticator, launch the app and tap the + button in the bottom right corner; then tap the Scan Barcode button and line up the crosshairs with the barcode Dropbox provides.

Alternatively, you can enter your account's secret key manually by clicking on the link that Dropbox offers. Follow the same instructions as above, but instead of scanning the barcode, enter the information that Dropbox provides into the Account and Key fields.

Once you've entered that information, the authenticator app will provide you with a six-digit code that refreshes every 30 seconds. Enter that code to verify that you've correctly linked your authenticator app with your account, and Dropbox will provide you with the 16-character backup code, which you should store someplace safe, in case of emergency (again, not in your Dropbox). Then click the Enable Two-step Verification button, and you should be ready to go.

(Advanced users also have the option to generate codes via the command-line OATH tool, but you'll likely want to leave that alone unless you're very comfortable in Terminal.)
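To show what the authenticator app (or the command-line OATH tool) is actually computing from that secret key every 30 seconds, here is an added example, not Dropbox's or any authenticator app's code. It assumes the RFC 6238 defaults an app applies to a manually entered key (base32 secret, HMAC-SHA1, 30-second step, six digits) and uses the RFC's published test key as a constructed demo secret; the verify side also shows the clock-skew tolerance and single-use check a service needs.

```python
"""Minimal TOTP (RFC 6238) generator and verifier.
Added example; assumes the authenticator-app defaults for a manually entered
key: base32-encoded secret, HMAC-SHA1, 30-second time step, six-digit codes."""
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # the code refreshes every 30 seconds
DIGITS = 6         # six-digit code shown by the app


def decode_secret(secret_b32: str) -> bytes:
    """Accept the key the way apps do: any case, with or without '=' padding."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    return base64.b32decode(padded)


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret_b32: str, unix_time: int) -> str:
    """The code a phone app would display at unix_time (counter = time // 30)."""
    return hotp(decode_secret(secret_b32), unix_time // STEP_SECONDS)


def verify(secret_b32: str, submitted: str, unix_time: int,
           used_counters: set, skew_steps: int = 1) -> bool:
    """Server-side check: tolerate +/- skew_steps so a slightly-off phone clock
    still works, compare in constant time, and reject a replayed code by
    remembering which 30-second counters have already been redeemed."""
    key = decode_secret(secret_b32)
    current = unix_time // STEP_SECONDS
    for counter in range(current - skew_steps, current + skew_steps + 1):
        if counter not in used_counters and hmac.compare_digest(
                hotp(key, counter).encode(), submitted.encode()):
            used_counters.add(counter)
            return True
    return False


# Constructed demo secret: the RFC 6238 test key "12345678901234567890", base32-encoded.
DEMO_SECRET = base64.b32encode(b"12345678901234567890").decode()
```

`totp(DEMO_SECRET, 59)` reproduces the RFC 6238 SHA-1 test vector (287082 once truncated to six digits), so the code can be checked against a real authenticator app set to the same key.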

The login line

Now, every time you log in to your Dropbox account on the Web, you'll be prompted to enter a six-digit code that you'll receive from either a text message or your mobile app. On computers where you're the only user (or where you trust all the users), you can check the Trust this computer checkbox, which means that you will not be prompted to enter a code when logging in via that computer.

Unlike Google's two-factor authentication, Dropbox doesn't require you to create application-specific passwords for every piece of software that wants to use your account. However, you can still monitor which apps are currently linked to your Dropbox by going to the Settings section of your account on the Dropbox website and clicking on My apps. You'll see a list of the programs that currently have access to your Dropbox, the level of their access, and an option to unlink any of them.

While two-factor authentication doesn't assure complete and utter security for your Dropbox account, it does make it considerably harder for an attacker to compromise your account and, by extension, your files. And while it may require a certain degree of added complexity, that's not a bad tradeoff for peace of mind.