Dropbox Adds Two-Factor Authentication After Spam Scare

Dropbox finally adds extra protection

Dropbox security got a shot in the arm, as the cloud storage company finally added two-factor authentication for its users, following a spam scare last month.

In July, users complained of receiving excess spam in their Dropbox-associated email accounts.

At the end of the month, Dropbox claimed passwords stolen from other sites had been used to compromise user accounts and spread spam. One Dropbox employee had their account hacked.

To improve Dropbox security for users, the company promised two-factor authentication, and delivered it yesterday.

Not by default

To access their account, users will have to submit their password and a security code that will either be texted to their mobile phone or generated by a mobile authenticator app, which is now available for iOS, Android, Blackberry and Windows Phone 7.

It is not switched on by default, however: users must enable the feature themselves in the new ‘Security’ tab in account settings.

“On your desktop or mobile devices, you’ll only need the code the first time you sign in to Dropbox. On the web, you can also select the option to ‘Trust this computer’ and you won’t need to re-enter a code again,” explained Dropbox engineer, Dan Wheeler, in a blog post.

“Two-step verification is one of several steps that we’re taking to enhance the security of your Dropbox. We’ve also created a way for you to view all active logins to your account on the Security tab, and we’re working on automated mechanisms to identify suspicious activity.”
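The login flow described above, as an added illustration that is not Dropbox's own code: a server-side verifier that always requires the password, checks a time-based one-time code in the style of RFC 6238 with a small clock-drift window and replay protection, and honours a ‘Trust this computer’ token so the code is not asked for again on that browser. The article does not name the algorithm the authenticator app uses; TOTP with a 30-second step is an assumption here.

```python
import hashlib
import hmac
import secrets
import struct
from typing import Optional

STEP = 30  # seconds per code; assumption, matching common authenticator apps


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def totp(secret: bytes, now: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, now // STEP)


class TwoStepVerifier:
    """Server side of a 'password plus one-time code' login with 'Trust this computer'."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window        # accept +/- this many steps of clock drift
        self.last_counter = -1      # highest step already consumed (blocks code replay)
        self.trusted = set()        # SHA-256 of tokens handed to trusted browsers

    def verify_code(self, code: str, now: int) -> bool:
        counter = now // STEP
        for c in range(counter - self.window, counter + self.window + 1):
            if c > self.last_counter and hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c   # a code is valid once only
                return True
        return False

    def login(self, password_ok: bool, now: int, code: Optional[str] = None,
              device_token: Optional[bytes] = None) -> bool:
        """Password is always required; the second step is skipped only for trusted devices."""
        if not password_ok:
            return False
        if device_token is not None and hashlib.sha256(device_token).hexdigest() in self.trusted:
            return True
        return code is not None and self.verify_code(code, now)

    def trust_device(self) -> bytes:
        """Issue a random bearer token for 'Trust this computer'; only its hash is stored."""
        token = secrets.token_bytes(32)
        self.trusted.add(hashlib.sha256(token).hexdigest())
        return token
```

The expected codes for the secret `12345678901234567890` are the published RFC 4226/6238 test vectors, so the verifier can be checked against known values.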

Yet Dropbox’s changes have not impressed everyone. Brian Spector, CEO of two-factor authentication provider CertiVox, said Dropbox were really serving up “two-factor lite”.

“Firstly, it still needs a user password – the same one, it would appear, as has been used in an environment that has already been compromised, which makes absolutely no security sense,” Spector told TechWeekEurope.

“Secondly, the SMS channel it uses for the one-time code is highly insecure – wide open, in fact. Thirdly, it relies on the user carting around a hardware token in the form of a mobile phone. Lose or forget your phone, kiss goodbye to authentication. Contrast all this with two-factor authentication based on a PIN, a soft token and no hardware at all (apart from the device you’re already using) and Dropbox’s approach starts to look like significantly less protection for significantly more user inconvenience.”

Dropbox itself was guilty of security failures last year. In summer 2011, a bug affecting the Dropbox authentication mechanism could have allowed anyone to sign into accounts without the need for proper login credentials. The flaw lasted for around five hours before being patched.
