Online file-backup and storage service Dropbox has begun offering a two-step authentication feature to help users beef up the security of their accounts. The promised change comes less than a month after the compromise of a Dropbox employee’s account exposed many Dropbox user email addresses.
Dropbox users can take advantage of the new security measure by logging in at this link, and then clicking the “Security” tab. Under account sign in, click the link next to “Two-step verification.” You’ll have the option of getting a security code sent to your mobile device, or using one of several mobile apps that leverage the Time-based One-Time Password algorithm.
If you’re already familiar with the Google Authenticator app for Gmail’s two-step verification process (available for Android/iPhone/BlackBerry) this is a no-brainer: When prompted, open the app and create a new token, then use the app to scan the bar code on your computer screen. Enter the key generated by the app into your account settings on the site, and you’re done. Other supported apps include Amazon AWS MFA (Android) and Authenticator (Windows Phone 7).
Note that Dropbox users will need to download the latest version of the Dropbox client (1.4.17 on Windows/Mac) to access their files via the Dropbox desktop software interface after enabling two-step authentication.
Some readers have asked which method of two-step verification is more secure: Text message or mobile app? Text messages are perhaps faster and easier, but they introduce yet another potential avenue of compromise: The mobile provider. In a recent attack against the chief executive of Cloudflare, for example, miscreants were able to break into the executive’s Gmail account even though he had instructed Google’s 2-step verification feature to send codes to his phone. That attack succeeded because the miscreants were able to trick a customer service representative at his mobile phone provider — AT&T — into forwarding his messages to another account.
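The following is an added example, not code from the original article or from Dropbox: a small Python implementation of the Time-based One-Time Password algorithm (RFC 6238) that the mobile apps above use, showing that each code is derived on the device from the secret in the scanned bar code plus the clock, so nothing passes through the mobile provider. The secret is the published RFC 6238 test key, and the one-step drift window and replay check are assumptions about how a server might verify codes.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30    # seconds per time step (RFC 6238 default)
DIGITS = 6   # code length shown by most authenticator apps

# Constructed sample: Base32 of the RFC 6238 SHA-1 test key "12345678901234567890".
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def _key(secret_b32):
    """Decode the Base32 secret carried in the enrollment bar code."""
    s = secret_b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(key, counter, digits=DIGITS):
    """RFC 4226: HMAC-SHA1 over an 8-byte big-endian counter, then truncate."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation offset
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret_b32, now=None):
    """What the app displays: HOTP with counter = Unix time // STEP."""
    now = time.time() if now is None else now
    return hotp(_key(secret_b32), int(now) // STEP)


def verify(secret_b32, code, now=None, window=1, last_used_step=-1):
    """Server-side check (assumed policy): accept +/- `window` steps of clock
    drift, refuse any step already used. Returns the matched step or None."""
    key = _key(secret_b32)
    current = int(time.time() if now is None else now) // STEP
    for step in range(current - window, current + window + 1):
        if step <= last_used_step:
            continue  # a code from this step was already accepted: replay
        if hmac.compare_digest(hotp(key, step).encode(), code.encode()):
            return step
    return None


if __name__ == "__main__":
    print("current code:", totp(SECRET))
```

The caller should store the step returned by `verify` and pass it back as `last_used_step` on the next login, so a code that was observed once cannot be reused within its validity window.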