Following in the footsteps of Google and other services, Dropbox this weekend enabled two-factor authentication to bring enhanced security to its users.
While Dropbox was not among the services compromised in the well-publicised attack on Wired’s Mat Honan earlier this month, the service has suffered from at least one security breach in recent months. Adding two-factor authentication is one way to make your connection to the service—which for many users is an increasingly important part of their workflow—more secure.
As with Google’s implementation, Dropbox’s two-factor authentication relies on two separate elements: something you know (a password) and something you have (in this case, a separately generated code). While the combination of these two elements doesn’t guarantee your security, it does make it much harder for a potential hacker to gain access to your account.
To enable Dropbox’s two-factor authentication, you’ll want to make sure your desktop client is using version 1.5.12 or later. Since, at the time of this writing, 1.5.12 is a preview release, you’ll need to download it from the Dropbox forum and install it on all the computers you use with the service.
Once you’ve installed the newest version, visit the Dropbox website, click on your name in the top right corner, and select Settings. Then click on the Security tab.
In the bottom left of the screen, right under the Forgot password? link, you’ll see an option for Two-step verification (it’s a term used interchangeably with two-factor authentication). By default, it should read Disabled, but clicking on the Change button will open a dialog box that explains the system and a link that will explain it in further detail; click on the Get Started button to begin the process.
You’ll first be prompted to enter your current password, for security reasons. After that, you’ll be given two options: receive security codes via a text message to your phone, or use a mobile app. Each option has its own virtues: If you’re using a non-smartphone, you’ll probably want to opt for standard text messages. However, smartphone users will likely be better served by a mobile app, since it can work even when your phone isn’t connected to the network.
If you choose text message, you’ll be asked to provide a phone number to which codes will be sent whenever you sign in to the Dropbox website or link a new device to your account. Once you’ve entered the phone number, you’ll receive a text message with a six-digit code, which you’ll use to verify that yes, that is the phone you meant to use. You’ll then be provided with a 16-character emergency backup code which can be used to disable two-step verification just in case you can’t access your phone for some reason. It’s best to write this down and stow it somewhere secure where you can get at it (and especially where it’s not stored in Dropbox itself). Click Enable Two-step Verification, and you’re all set.
Mobile app users have a few additional options. Dropbox supports a number of different authenticator apps, including Google Authenticator for Android, iPhone, and BlackBerry; Amazon AWS MFA for Android; and Authenticator for Windows Phone 7.
The easiest way to set up an app is to fire up your authenticator app and use your phone’s camera to scan the two dimensional barcode that Dropbox provides. If you’re using Google Authenticator, launch the app and click on the + button in the bottom right corner; then tap the Scan Barcode button and line up the crosshairs with the barcode Dropbox provides.
Alternatively, you can also manually enter your account’s secret key by clicking on the link that Dropbox offers. Follow the same instructions as above, but instead of scanning the barcode, enter the information that Dropbox provides you into the Account and Key fields.
Once you’ve entered that information, the authenticator app will provide you with a six digit code that refreshes every 30 seconds. Enter that code to verify that you’ve correctly linked your authenticator app with your account, and Dropbox will provide you with the 16 character backup code, which you should store someplace safe, in case of emergency (again, not in your Dropbox). Then click the Enable Two-step Verification button, and you should be ready to go.
(Advanced users also have the option to generate codes via the command-line OATH tool, but you’ll likely want to leave that alone unless you’re very comfortable in Terminal.)
The login line
Now, every time you log in to your Dropbox account on the Web, you’ll be prompted to enter a six-digit code that you’ll receive from either a text message or your mobile app. On computers where you’re the only user (or where you trust all the users), you can check the Trust this computer checkbox, which means that you will not be prompted to enter a code when logging in via that computer.
Unlike Google’s two-factor authentication, Dropbox doesn’t require you to create application-specific passwords for every piece of software that wants to use your account. However, you can still monitor which apps are currently linked to your Dropbox by going to the Settings section of your account on the Dropbox website and clicking on My apps. You’ll see a list of the programs that currently have access to your Dropbox, the level of their access, and an option to unlink any of them.
While two-factor authentication doesn’t assure complete and utter security for your Dropbox account, it does make it considerably harder for an attacker to compromise your account and, by extension, your files. And while it may require a certain degree of added complexity, that’s not a bad tradeoff for peace of mind.