The file-sharing utility Dropbox is now offering two-factor authentication, a system that makes it much harder for hackers to capture valid credentials for a person’s account.
Dropbox, one of the most widely used web-based storage services, said last month it planned on introducing two-factor authentication after user names and passwords were stolen from another website and used to access accounts.
While it is relatively easy for hackers to obtain a person’s user name and password using malware and social engineering, it is much harder for them to intercept one-time passcodes, although it is possible. The codes, sent by SMS (short message service) or generated by a device, expire quickly.
Users will first need to upgrade their client to version 1.5.12. The feature can be turned on through Dropbox’s website on the “security” tab in a person’s account settings. Users can opt to receive the six-digit code sent by SMS to their mobile phone when a new device is used to access their account.
A valid code can also be obtained by using an application that supports the Time-Based One-Time Password protocol, such as Google Authenticator, Amazon AWS MFA or Authenticator, according to Dropbox. Apple users can opt to generate a code from the terminal application using the OATH tool, Dropbox said.
While setting up two-factor authentication, users get a 16-digit backup code that can be used to unlock their account if they lose their phones and can’t obtain codes through SMS or an application.
Dropbox users have reported a few problems on the company’s forum, but were generally positive. Dropbox employee “Dan W.” wrote on the forum that since SMS codes expire in about a minute, the company is working to make SMS deliveries faster, as well as adding new carriers.
“In the meantime, if SMS delivery is slow, I recommend using an offline app instead,” he wrote.
Dropbox is also working on a feature for users to “untrust” their current browser or all other browsers, which would mean a code would be required upon the next attempted login. Dan W. wrote that “in the meantime, for testing purposes, you can untrust a computer by deleting Dropbox cookies.”
Send news tips and comments to jeremy_kirk@idg.com