The online storage and file-sharing site Dropbox is rolling out two-step security authentication in the wake of high-profile security breaches affecting Dropbox users and other cloud-based companies. The company announced the news via one of its community tech forums. Two-step verification, offered by sites like PayPal, adds an extra layer of protection to an online account by requiring an additional security code that is sent to the user’s phone by text message or generated using a mobile authenticator app. “We’d like to give our loyal forum viewers a chance to try it out first,” the post said.
Once enabled, Dropbox will require a six-digit security code in addition to the user’s password whenever they sign in to Dropbox or link a new computer, phone or tablet. Dropbox gives users the option of using a third-party authenticator application, with support for apps on Google Android, Apple iOS, BlackBerry and Microsoft Windows Phone devices. For security reasons, users will then be asked to re-enter their password to confirm the decision to enable two-step verification. Once this is done, the user is given the choice to receive the security code by text message or to use the aforementioned mobile apps.
If users choose to receive the security codes by text message, whenever they successfully sign in to Dropbox using their password, a text message containing a security code will be sent to their phone. For mobile apps, any app that supports the Time-based One-Time Password (TOTP) protocol should work, including Google Authenticator (for Android devices, iPhone and BlackBerry smartphones), Amazon Web Services (AWS) Multi-Factor Authentication (MFA) (for Android), and Authenticator (Windows Phone 7). Before enabling two-step verification, users receive a special 16-digit backup code.
The company asked trial users to ensure they have the latest forum build (1.5.12) installed before visiting a specific URL link to try out the feature. The link will then send users to the security tab for the account, where in the “account sign in” section near the bottom of the page, users will find the two-step verification option. Users can start the setup process by clicking on the “(change)” link. “We’d appreciate it if you would unlink & relink your account after enabling two-step verification, and report your experiences in this thread,” the post requested.
The company’s investigation into the security incident earlier this summer revealed that usernames and passwords stolen from other Websites were used to sign in to a number of Dropbox accounts, including one belonging to a Dropbox employee that contained a “project document” with user email addresses. According to the company, the document is believed to have been used to launch the spam campaign. Following the breach, Dropbox users in Holland, Germany and the United Kingdom began reporting on a Dropbox user forum that they were receiving spam for gambling sites. The ensuing complaints led to suspicions that Dropbox had been hacked.