Dropbox Adds 2 Factor Authentication

Dropbox added support for two-factor authentication earlier this week.  This is a great step in securing Dropbox data, but I wonder if less technically immersed users will understand exactly what it means for them.  It is one thing to know that two-factor authentication is a good thing and quite another to know why.  And since it does require more effort to get at your data at times, it is also important to understand why that extra effort is worth its weight in gold.

Anyone who uses an ATM is already well versed in the concept, whether they know it or not.  Every ATM transaction uses two-factor authentication.  It requires a bank card, something the user has in their possession, and it requires the user to enter a PIN, something the user knows.  Anyone trying to reach the account through the ATM who lacks either one is simply not allowed in.

The same approach can now be applied to Dropbox, in a slightly different implementation.  Normal access to a Dropbox account is authenticated with a login, a username and password combination.  This is the traditional single factor: something the user knows.  The potentially fatal flaw is that anyone who knows the login information can access the entire contents of the account, and because Dropbox is a cloud service, can do so from anywhere in the world.  So should a user's login be compromised by malware, by phishing, by the same password having been reused on some other site that was breached, or even by a disgruntled but once-trusted friend, whoever holds that login has the whole Dropbox from anywhere on the planet.  Ouch.

A better way to secure an account such as Dropbox is to add a second authentication requirement.  In addition to something the user knows, the account login, a second factor is required: something that only the legitimate account holder has in their possession.  In most cases the second factor is a mobile phone.  With two-factor authentication enabled, before a user can access the account they must enter the username and password and then a short numeric code that is texted to the phone at login time (or, if the user prefers, generated by an authenticator app on the phone, which Dropbox also supports).  Only someone who passes both checks gains access.  Note what this does and does not defend against: a stolen password alone is no longer enough, but the second factor offers nothing if the attacker also holds the phone, so the phone itself should stay locked.
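As an added example (not Dropbox's code, nor anything from the original post), here is what the server side of such a login looks like.  The post describes the code being texted to the phone; this example uses the other form Dropbox offered, an authenticator app on the phone that computes the 6-digit code from a shared secret and the clock (TOTP, RFC 6238), because that form runs entirely offline here.  The `TwoFactorVerifier` class, its `enroll` and `login` methods, the user names and passwords, and the sample secret (the RFC 4226/6238 test-vector key) are all assumptions constructed for the example.

```python
import hashlib
import hmac
import os
import struct

# Constructed sample secret: the RFC 4226 / RFC 6238 test-vector key, not a
# real Dropbox secret. In practice the server generates it at enrollment and
# hands it to the phone, typically as a QR code.
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter taken from the clock. This is what
    the phone displays; the server computes the same value to check it."""
    return hotp(secret, unix_time // step, digits)


class TwoFactorVerifier:
    """Server side of a username + password + code login (hypothetical API).

    User records would live in a database; in-memory dicts keep the example
    self-contained. The same structure fits texted codes too, which would be
    random values stored per user with a short expiry instead of TOTP counters.
    """

    def __init__(self, step: int = 30, window: int = 1):
        self.step = step
        self.window = window        # tolerate +/- this many steps of clock skew
        self.users = {}             # username -> (salt, password_hash, totp_secret)
        self.used_counters = {}     # username -> counters whose code was already accepted

    def enroll(self, username: str, password: str, secret: bytes) -> None:
        salt = os.urandom(16)
        pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self.users[username] = (salt, pw_hash, secret)
        self.used_counters[username] = set()

    def login(self, username: str, password: str, code: str, now: int) -> bool:
        record = self.users.get(username)
        if record is None:
            return False
        salt, pw_hash, secret = record

        # Factor 1, something the user knows: compare in constant time so a
        # timing difference does not leak how much of the hash matched.
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if not hmac.compare_digest(candidate, pw_hash):
            return False

        # Factor 2, something the user has: the code must match the current
        # step or a neighbouring one (phone clocks drift), but a counter that
        # has already been accepted is refused, so a code that was read over
        # the user's shoulder or intercepted cannot be replayed within its
        # validity window. A real server would prune counters older than the
        # window; this demo keeps them all.
        current = now // self.step
        for counter in range(current - self.window, current + self.window + 1):
            if counter in self.used_counters[username]:
                continue
            if hmac.compare_digest(hotp(secret, counter), code):
                self.used_counters[username].add(counter)
                return True
        return False


if __name__ == "__main__":
    server = TwoFactorVerifier()
    server.enroll("alice", "correct horse battery staple", TEST_SECRET)
    now = 59                               # RFC 6238 test time, as a Unix timestamp
    code = totp(TEST_SECRET, now)          # what the phone would display: 287082
    print("password + fresh code:", server.login("alice", "correct horse battery staple", code, now))
    print("same code replayed:  ", server.login("alice", "correct horse battery staple", code, now))
    print("right code, wrong pw:", server.login("alice", "hunter2", code, now))
```

Two details carry the security point.  The password is checked first and independently, so the code never substitutes for it, and every accepted counter is remembered, so a code someone glimpsed is worthless once the legitimate login has consumed it.  A real deployment would also rate-limit attempts, since a 6-digit code is only a million guesses wide.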

If this sounds like a bit of a hassle, it can be!  But there is a price to be paid for security, and this one is arguably small.  Dropbox's engineers have kept the extra inconvenience to a minimum.  For example, a user installing the Dropbox client on a computer for the first time only needs the second factor once, when linking the client to the account.  It is not required again every time the computer reboots.  The same is true for the Dropbox app on a smartphone.  The flip side is that a linked device is itself a standing key to the account, so a lost laptop or phone should be unlinked from the account promptly.

Accessing the account from the web is a different story.  With two-factor authentication enabled, every time the user logs in on the web site they must also enter the 6-digit code sent to their phone.  This is where the second factor earns its keep: a web login can be attempted from any browser anywhere in the world, armed with nothing but the username and password, so the extra step here is logical and well justified.  Users who routinely work from the browser should expect it to feel tedious when they need to log in for the third time on a given afternoon.  That said, users who log in and leave the browser session open for extended periods will not face the repeated prompts, at the cost of leaving a live session sitting on that machine.

Two-factor authentication does change the way we access our Dropbox, and it has ramifications for all of the third-party developers who use Dropbox as the storage location for their apps' data.  For example, the iPhone app PlainText stores all of its files on Dropbox.  So does Day One.  Users installing such an app and configuring it to use Dropbox for the first time must provide not just the Dropbox login credentials but also the 6-digit code texted to their phone before the app gets access.  Since many apps were not designed to go through this extra step, Dropbox's engineers came up with a workaround.  The user enters their username and password as normal, and the password is rejected.  At the same time, a single-use password is texted to the user's phone.  This password is more complex than the 6-digit code mentioned above: it is alphanumeric.  The user replaces the password they typed into the app's password field with the single-use password from the text message.  With the normal username and this single-use password, the app is allowed to authenticate to the account and gain access, without the app's developers having to modify it to take advantage of the extra layer of security Dropbox is providing.  The rejected first attempt is not an error; it is the cue that the second factor is being asked for.

As much as two-factor authentication is a boon to security, Dropbox has wisely made the feature optional.  Users who don't need the higher level of security, don't store sensitive information in their Dropbox, don't own a mobile phone, or simply don't want to deal with a second factor need not enable it at all.  In that case Dropbox continues to function as it always has: log in with the tried and true username and password combination.

So how do we enable it?  The process is very simple, but right now it can only be done from the Dropbox web site.  First log in to the site, then click your name in the upper right corner of the screen.  A menu drops down; click Settings.  Next click the Security tab at the top of the page, then scroll down to the Account Sign In section.  Look for the Two-Step Verification option.  A single click starts the setup, which walks you through confirming your phone.  Keep the emergency backup code Dropbox shows you at the end of setup somewhere safe; it is the way back into the account if the phone is lost.

Hopefully users will understand the benefits of this second factor.  Dropbox is hardly new to the party: the method is already commonplace at banking web sites, optional at PayPal, and mandatory at high-security government and private installations.  All things considered, it is very simple.  Bringing this kind of authentication to the web, and to Dropbox in particular, only seems daunting at first glance.  It is really nothing new!

  1. Milton Ashford

    This is an especially important move for Dropbox and its users. If a Dropbox becomes compromised, it becomes a potential vector for just about anything to make its way onto a user's computer or mobile device. Since Dropbox automatically distributes its files across all devices attached to an account, a would-be bad guy who gains access could drop an executable onto the DB server via the web browser and be assured that it would propagate around to all of the account holder's machines. Instant ownage!

    Compromising a Dropbox can have far reaching effects. This should have been in place a long time ago. All the same, better late than never!

    Great post. Thanks!

