Dropbox Two-Step Verification: Hands On
Two-step account verification is a hot topic after hackers nearly wiped out the digital life of tech journalist Mat Honan recently, and Dropbox is the latest online service to enable the added security measure.
Two-step verification requires you to input a randomly generated security code in addition to your username and password before you can access your account. The code is typically sent to you via SMS or generated by a smartphone app such as Google Authenticator for Android, iOS, and BlackBerry.
Two-factor authentication is supposed to make it much harder for hackers to gain access to your account. Even if the bad guys can guess your password, figuring out a constantly changing special code will make it much harder to break in.
Keep in mind that while two-step verification should stop hackers from getting through the front door, there's no guarantee that your service provider will have all of its own security holes plugged. For four hours in June 2011, for example, Dropbox mistakenly left all user accounts wide open with no password protection whatsoever.
Nevertheless, two-step verification is still an added layer of security that could protect some of your more precious files stored in Dropbox such as family photos or business documents. If you'd like to give the new Dropbox feature a try, here's a look at how to enable the feature on your account.
First, a Warning
Dropbox's current implementation of two-step verification is in experimental mode and is recommended only for users who don't mind confronting buggy software or unexpected problems. If you don't like dealing with PC hassles, do not try this feature in its current state. Dropbox says it plans to roll out optional two-step verification to all users in the near future.
The first thing you need to do is get the latest experimental build of the Dropbox desktop app from this page on the Dropbox forums. Dropbox offers .exe and .dmg downloads available for Windows and Mac OS X respectively, and either a 32- or 64-bit tarball for Linux users.
Before you install your version of Dropbox, you need to quit the current version of the desktop app running on your PC. This varies depending on your operating system. Windows users need to right-click the Dropbox icon in the taskbar and select "Exit." Then you can install the new version of Dropbox as you normally would.
After the experimental build is installed, sign in to Dropbox online using this link, which will let you enable two-step verification on your account.
The link above should take you directly to your Security settings. If it doesn't, click on your name in the upper right-hand corner and from the drop-down menu select “Settings.” On the next page, click on the Security tab.
Scroll down to the bottom of the security section until you see the “Account sign in” section. You should see an option that says “Two-step verification Disabled.” Click on “(change)” and enter your password if prompted.
Next, a pop-up window will appear asking you to start the activation process for two-step verification by clicking on “Get started.” Then you'll be asked whether you want to receive two-step verification codes via SMS or a mobile app. For our purposes, we'll choose the mobile app option.
Dropbox two-step verification supports several third-party authentication apps including Google Authenticator (Android, iOS, BlackBerry), AWS Virtual MFA from Amazon's Appstore for Android, or Authenticator for Windows Phone.
Enable and Get Your Code
You'll then be asked to enable the authentication app by scanning a QR code or getting a secret key you can enter manually.
If your phone supports it, scanning the QR code is the faster option.
The process is almost over, but we're not quite there yet.
Once you've scanned the QR code or added your Dropbox account to the smartphone app manually, you have to enter a six-digit code from your authentication app to make sure everything is working properly.
After enabling your authentication app, Dropbox will display a 16-digit code that you need to copy down to a secure place such as an encrypted file or a plain piece of paper kept in a safe place.
This code is your back-up should you lose your phone and become unable to authenticate a sign-in to your Dropbox account.
Using the 16-digit code will give you emergency access to your account and allow you to disable two-step verification.
After you've copied the code, you're all set-up with two-factor authentication.
If you want to make sure everything is working properly, try unlinking your desktop account and re-linking your account. This will basically sign you out of Dropbox on the desktop and will not erase your files.
To unlink on Windows, right-click on the Dropbox icon in your taskbar, select "Preferences>Account>Unlink This Computer." Dropbox will disappear and then reboot asking you to sign in. After you've entered your username and password, you should now see a request for a two-step verification code.
You will have to use a two-step verification code whenever you want to log into the Dropbox site or enable the service's desktop app on a new computer. In my tests, two-step verification did not affect the Dropbox smartphone apps for Android and iOS. It's not clear if the new security feature will also be extended to mobile apps once the feature moves out of the experimental phase.