Dropbox now secured using cheap U2F tokens
- 14 August, 2015 05:36
Dropbox's 400 million users can now secure their accounts using Universal 2nd Factor (U2F) USB security keys such as Yubico's Yubikey covered previously by Techworld. The service has had two-factor authentication for a while but this is the first time hardware tokens have been an option.
The benefit is that instead of having to enter security numbers sent via SMS to phones users simply plug in the USB token and press a small button. Everything else is done automatically. As well as being easier, theoretical man-in-the middle attacks on smartphones using rogue apps are no longer a worry.
What does this security do? User names and passwords are vulnerable to compromise. This adds a second 'factor' in the form of a physical token
Who is it for? The security conscious but enterprises will also be interested
What do I need? A FIDO Alliance U2F-compliant token from such as the YubiKey. This costs $15 or £12.99 and can be used with other services such as Google, Salesforce, LastPass
Any other requirements? Dropbox's security keys require Google Chrome version 38 or higher
Alternatives: Codes can also be sent via old-style SMS but that requires a charged mobile phone to hand
Any issues with tokens? You need to carry the token around. We can't see any option to whitelist access from a specific computer as is the case with Google account access
And SMS? This is simpler in some respects but we noticed that the SMS code is delivered in a confusing way using two numbers. Some people will plug in the wrong one before noticing their mistake
What about logging in from a mobile with no USB port? Yubikey offers the more advanced Yubikey Neo which offers this via NFC
A good day for security? Yes, two-factor is always better than no two-factor and tokens are a good way to enable this