Two-factor authentication is often held up as a best practice for security in the online world, but Dropbox on Wednesday announced a new feature that’s designed to make it even tougher.
Whereas two-step verification most commonly involves the user’s phone for the second authentication method, Dropbox’s new U2F support adds a new means of authenticating the user via Universal 2nd Factor (U2F) security keys instead.
What that means is that users can now use a USB key as an additional means to prove who they are.
“This is a very good advancement and adds extra security over mobile notifications for two-factor authentication,” said Rich Mogull, CEO with Securosis.
“Basically, you can’t trick a user into typing in credentials,” Mogull explained. “The attacker has to compromise the exact machine the user is on.”
For most users, phone-based, two-factor authentication is “totally fine,” he said. “But this is a better option in high-security environments and is a good example of where the FIDO standard is headed.”
Security keys provide stronger defense against credential-theft attacks like phishing, Dropbox said.
“Even if you’re using two-step verification with your phone, some sophisticated attackers can still use fake Dropbox websites to lure you into entering your password and verification code,” the company explained in a blog post. “They can then use this information to access your account.”
Security keys, on the other hand, use cryptographic communication and will only work when the user is signing in to the legitimate Dropbox website.
Dropbox users who want to use the new feature will need a security key that follows the FIDO Alliance’s Universal 2nd Factor (U2F) standard. That U2F key can then be set up with the user’s Dropbox account along with any other U2F-enabled services, such as Google.
Currently, U2F is supported for Dropbox.com using only the Chrome browser. Once set up, users simply insert their key into a USB port when prompted after typing in their password.