The good news: Dropbox is introducing two-factor authentication, which could harden users’ cloud-storage accounts from outside attackers.
The bad news: At least for the moment, it’s still in the experimental stage.
Imagine you’re the average Dropbox user, and you hear (either from the Web, where the news has circulated since the weekend, or a friend) that the service has introduced two-factor authentication. Great, you think, and click on your account settings. But instead of seeing a convenient check box marked “Enable two-factor authentication,” you find… nothing.
For at least “the next few days” (Dropbox’s words), users who want that two-factor authentication goodness will need to head over to The Dropbox Forums, where they can download Experimental Build 1.5.12. It is available for Windows, Mac OS X, Linux x86_64 and Linux x86.
After downloading the experimental forum build, users head via a link to their account-setting page; from there, they can choose to enable two-factor authentication. Dropbox relies on a six-digit code sent either by text message or via any mobile app that supports Time-based One-Time Password (TOTP) protocol, including Amazon AWS MFA and Google Authenticator.
In addition to the six-digit authentication code, Dropbox will send users a 16-digit backup code. This is meant to help a user access their account in the event they lose their phone. Users should store it, obviously, in a very safe place.
Results so far seem mixed among early adopters of Dropbox’s two-factor authentication. Many of those on the forums report success in downloading and installing the software (“Working fine so far!”). A number also encountered problems, however, including an “Invalid code” error message. “Dan W.,” described on the forums as a “Dropboxer,” offered some advice for those encountering the aforementioned issue:
1. For app users — These codes are time-based, so if your clock is out of sync by even a few minutes, the codes won’t work. How to fix on Android: Settings > Date & Time > Automatic. For iOS: Settings > General > Date & Time > Set Automatically : On.
2. For SMS users — if your SMS takes over a minute to arrive, the code inside has probably already expired. We’ll be fixing this soon to allow for slower SMS delivery. We’re also working hard to make SMS delivery faster. In the meantime, if SMS delivery is slow, I recommend using an offline app instead.
Dropbox first announced its heightened security measures over a month ago, after a breach resulted in users complaining of spam flooding email addresses linked to their Dropbox accounts. “Our investigation found that usernames and passwords recently stolen from other Websites were used to sign in to a small number of Dropbox accounts,” read a July 31 posting on The Dropbox Blog. “A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses.”
The access to that employee account “is what led to the spam.” In addition to two-factor authentication, the company also claimed that it would introduce new “automated mechanisms” to identify suspicious activity, along with a new page that allows users to examine active logins to an account.