August 27, 2012
Dropbox Implements Optional Two-Step Verification Process
Michael Harper for redOrbit.com — Your Universe Online
In July, cloud-storage company Dropbox brought in an outside team of experts to investigate claims of a possible targeted spam attack against its users. Some Dropbox users had begun to notice spam messages arriving in inboxes that were used only for Dropbox and whose addresses had never been given out. Such spam attacks could have meant that some of Dropbox's files had been compromised.
Nearly a month later, Dropbox acknowledged that it had been attacked and that the attack had resulted in those spam-filled inboxes.
Claiming a hacker had cracked the password of an employee, Dropbox said the hackers were then able to gain access to some of its users' password information. The company then laid out its new security measures to protect its users.
Today, one of these measures has been officially launched in beta. Now, users can enable two-step verification for their accounts, adding an extra layer of security between hackers and their sensitive information.
“Two-step verification is an optional but highly recommended security feature that adds an extra layer of protection to your Dropbox account,” writes the Dropbox team.
“Once enabled, Dropbox will require a six-digit security code in addition to your password whenever you sign in to Dropbox or link a new computer, phone, or tablet.”
As with other two-step verification processes, this new “experimental feature” requires Dropbox users to offer two forms of verification, or digital ID. After the user signs in with the usual credentials (email address and password), Dropbox will then send a second code or password to the user's mobile phone, either via text or via a barcode scanner. Once the barcode is scanned, the secondary, one-time-use code is delivered and is used to grant access to the account. If a user decides to receive a text message, the secondary code is delivered via text and is then available for input.
Once a user signs up for two-step verification, Dropbox also provides an extra, 16-character code. This code can be used to turn off two-step verification or to gain access to the user's folder in the event the phone or laptop goes missing. Ideally, this code will be stored in a safe place and not on the phone or laptop used to access Dropbox.
Mat Honan, the Wired writer who recently had most of his digital life hacked, discusses the importance of having these codes written down in a safe place rather than keeping them stored on the machines themselves.
In his latest piece about retrieving his lost data, Honan writes, “My Dropbox password was itself a 1password-generated litany of nonsense.” 1Password is a password app for Mac which not only stores but also generates passwords for all sorts of account logins, and also stores credit card and other secure information.
“Without access to Dropbox,” writes Honan, “I couldn't get my keychain. Without my keychain, I couldn't get into Dropbox.”
Honan's experience has also brought to light for many the importance of keeping a rigorous backup routine and sturdy security measures.
As a part of this, two-step verification has become widely sought after. One of the more popular services to offer two-step verification, Google, has no doubt seen an influx of users signing up for this service in recent weeks. Even Honan mentioned his regret for not having Google's two-step verification turned on for his accounts.
“Had I used two-factor authentication for my Google account, it's possible that none of this would have happened, because their ultimate goal was always to take over my Twitter account and wreak havoc,” Honan said.
Dropbox's two-step verification offering is a welcome addition to any security regime and should be thoughtfully considered by anyone who uses Dropbox to store even the tiniest piece of sensitive information.