Dropbox Adds Two-Factor Authentication After Spam Scare

Dropbox security got a shot in the arm, as the cloud storage company finally added two-factor authentication for its users, following a spam scare last month.

In July, users complained of receiving excess spam in their Dropbox-associated email accounts.

At the end of the month, Dropbox claimed passwords stolen from other sites had been used to compromise user accounts and spread spam. One Dropbox employee had their account hacked.

To improve Dropbox security for users, the company promised to deliver two-factor authentication, and it rolled the feature out yesterday.

Not by default

To access their account, users will have to submit their password and a security code that will either be texted to their mobile phone or generated by a mobile authenticator app, which is now available for iOS, Android, BlackBerry and Windows Phone 7.

It is not switched on by default, however: users must enable the feature themselves in the new ‘Security’ tab in account settings.

“On your desktop or mobile devices, you’ll only need the code the first time you sign in to Dropbox. On the web, you can also select the option to ‘Trust this computer’ and you won’t need to re-enter a code again,” explained Dropbox engineer, Dan Wheeler, in a blog post.

“Two-step verification is one of several steps that we’re taking to enhance the security of your Dropbox. We’ve also created a way for you to view all active logins to your account on the Security tab, and we’re working on automated mechanisms to identify suspicious activity.”

Yet Dropbox’s changes have not impressed everyone. Brian Spector, CEO of two-factor authentication provider CertiVox, said Dropbox were really serving up “two-factor lite”.

“Firstly, it still needs a user password – the same one, it would appear, as has been used in an environment that has already been compromised, which makes absolutely no security sense,” Spector told TechWeekEurope.

“Secondly, the SMS channel it uses for the one-time code is highly insecure – wide open, in fact. Thirdly, it relies on the user carting around a hardware token in the form of a mobile phone. Lose or forget your phone, kiss goodbye to authentication. Contrast all this with two-factor authentication based on a PIN, a soft token and no hardware at all (apart from the device you’re already using) and Dropbox’s approach starts to look like significantly less protection for significantly more user inconvenience.”

Dropbox itself was guilty of security failures last year. In summer 2011, a bug affecting the Dropbox authentication mechanism could have allowed anyone to sign into accounts without the need for proper login credentials. The flaw lasted for around five hours before being patched.


Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.
