
Dropbox Introduces 2-Factor Authentication  - Xyzodiac
https://www.dropbox.com/account/security
======
SwaroopH
Try this: <https://www.dropbox.com/try_twofactor>

Although tray login still logs you in without the need to enter a password or
the code.

~~~
guylhem
Not working for Martinique (FWI), country code 596. Still waiting for an SMS to
come. Asked twice, 5 and 10 minutes ago.

Maybe the country list should be edited to only list countries where SMS can
be sent? (I have no problem with other 2-way services I use.)

~~~
daveying99
Lack of SMS shouldn't be a problem. You can use two-factor authentication with
the app version. It's on that same page.

~~~
guylhem
Yes, but SMS is handy. BTW, just got both of them with a 7-hour delay.

------
joshzayin
More details: <https://www.dropbox.com/help/363/en>

It looks like they support any app that uses the TOTP protocol, so google
authenticator, among others, works with this seamlessly.

~~~
icebraining
That's nice. A little context: TOTP is part of OATH - Initiative for Open
Authentication - and is an open standard published as RFC 6238.

For those who don't have iOS/Android/BB and/or don't want to use Google
Authenticator, Wikipedia lists a few compatible applications:
<https://en.wikipedia.org/wiki/Google_Authenticator>

These work for Gmail too.

~~~
gcr
Is OATH related to OAuth?

~~~
lowe
nope! confusingly unrelated.

------
ch0wn
I'm glad they didn't invent their own mechanism but used standard OTP tokens,
so you can just add them to apps like Google Authenticator.

~~~
spindritf
This is very convenient, Google Accounts, Amazon AWS[1], SSH[2], and Dropbox,
all from one simple app.

If Google Authenticator allowed you to change the order of accounts without
removing and re-adding them, I would have absolutely nothing to complain about.

[1] <https://aws.amazon.com/mfa/faqs/>

[2] <http://askubuntu.com/questions/159727/how-can-i-use-a-passcode-generator-for-authentication-for-remote-logins/159728#159728>

~~~
chmars
In the iOS app, you can change the order by tapping 'edit' and then by drag
and drop. The 'edit' button usually works if you tap and cancel the '+' button
first.

------
teach
I don't see any mention of 2-factor auth on the linked page. Maybe they're
rolling it out in stages?

~~~
irunbackwards
Seems like it to me as well; I don't see any options to do 2-factor auth on my
settings page either. Maybe it's a Pro feature right now?

~~~
barik
It's available to all users. But since it's experimental, you have to go here
to enable it:

<http://www.dropbox.com/try_twofactor>

Then it will appear under Security.

------
forsaken
I upgraded my account, and now the desktop client is not letting me log in,
saying I need the latest client. I downloaded that and it still gives me the
same error.

~~~
dkulchenko
You'll need their "experimental build":
<https://forums.dropbox.com/topic.php?id=66910>

~~~
forsaken
That is pretty horrible UX. Why would they enable it in the web UI, but make
you look at a forum post to get the build you need? And why not link to it
when you get the error in the build?

~~~
irunbackwards
The feature seems to have been released to forum users, then submitted here by
a third party. I agree, though, there should at least have been a notification
to read the forum post when the feature was enabled.

------
steveeq1
Does anyone know where I can download the latest Linux binary that supports
2-factor authentication? I tried downloading the Linux version, but it keeps on
saying "this account uses two-step verification. To link to it, please
download the latest version of Dropbox from www.dropbox.com/download". Maybe
there is no new Linux client, not sure.

~~~
lowe
Sorry for the confusion, this was a forum release. The Linux build is here:

<https://forums.dropbox.com/topic.php?id=66910>

------
jrockway
Well done. I wish more sites would move to using standard OTP protocols. I
hate having to carry around and use a separate dongle for each company that
provides two factor authentication.

------
batgaijin
Great, now if only they actually encrypted my files.

~~~
matwood
Put a TrueCrypt volume in your Dropbox. Why rely on someone else to do the
encryption?

~~~
mapgrep
If Dropbox were designed to handle sequentially-numbered blobs of encrypted
data, changing one file would require your other devices to download _only
that file_ (an encrypted blob of roughly the same size).

With a TrueCrypt volume or other encrypted file solution on top of Dropbox,
you have to resync the entire multi-GB volume any time a single file in there
changes, since to Dropbox it's just one big file. (Another option is to use
something like an OS X sparsebundle -- encrypted data banded across many files
-- but God help you if you have two computers reading/writing from that
sparsebundle at once.)

I've started using SpiderOak and it is quite efficient even though the data is
encrypted such that the server admins couldn't see your data even if they
wanted to. <https://spideroak.com/engineering_matters> SpiderOak also offers
two-factor auth. (The SpiderOak UI, however, is fairly atrocious.)

~~~
yafujifide
Only part of a TrueCrypt volume changes when you make a change to the data
within. Since Dropbox intelligently syncs files in parts, only part of a
TrueCrypt volume has to be re-uploaded when something changes -- not the
entire multi-GB file. I know because I do exactly this with a 1GB file. It
takes about 2 minutes to sync when I unmount the file. Dropbox is not
re-uploading all 1GB.

However, like the other commenter, I still recommend encfs for most uses.

~~~
mapgrep
Very interesting, I did not know that.

------
peterwwillis
If you want to get the most out of this, use a hardware token generator
instead of a phone or computer. Example:
<http://hackaday.com/2012/07/11/time-based-one-time-passwords-with-an-arduino/>
<http://lab.infoserver.com.br/wiki/index.php/Projects:arduino-oath-token#Arduino_OATH_Token>

~~~
mertd
That looks like a software generator running on Arduino.

~~~
peterwwillis
I stand corrected. The device is more of a physical/hardware token generator
than a phone or computer in that it's stand-alone. Phones with radios
permanently switched off or computers without network access are probably as
secure.

------
septerr
Carrying a set of backup codes when travelling, generating a code for each app
that is linked to your account... these things make two-way authentication seem
very inconvenient. I went with converting my Gmail account to use two-way
authentication, but being told to remember to carry a set of 10 backup codes
when I am going to be without my phone was a turn-off, and I reverted to my
old settings.

------
treelovinhippie
Hmm, but I can still simply open someone's Dropbox folder locally if they
forgot to log off/switch on their computer...

~~~
dkokelley
That requires physical access, which is arguably more secure than internet
access should your credentials be compromised. This is a major step in the
right direction for Dropbox. I don't think it's Dropbox's job to encrypt and
secure my local files. This would break many use cases, and there are other
purpose-built solutions for this.

Dropbox made their business on an extreme convenience (your files everywhere
through a dead-simple, familiar interface). Inconveniently, convenience is
often the enemy of security. It's a "good thing" that Dropbox is now offering
some granularity over the convenience/security spectrum.

------
reledi
My security codes aren't working (invalid). Using Google Authenticator.

Anyone else have this issue?

~~~
sinsear
Yup, have the same issue, went with the SMS version because of this ;(. Google
Authenticator on an HTC Desire HD with a custom ROM.

~~~
mryan
When I first used Authenticator I had this problem, because the clock on my
phone was a couple of minutes out of sync.

There is room for some error but it is worth making sure the time on your
phone is correct.

------
mjs7231
Yay, now I can have a really secure login to my insecure files?

------
mwww
Two-factor authentication sucks. It's too hard for users. Most people will
never use it. Dropbox should consider using Rublon (yes, that's my startup):
<https://rublon.com>

7 reasons why you should add Rublon to your website:
<http://blog.rublon.com/2012/why-add-rublon/>

~~~
joshu
how is the phone not a second factor?

~~~
mwww
Rublon replaces passwords with cryptographic keys that are partially stored on
your phone. This is a completely new approach to user authentication.

~~~
adgar
It's not a completely new anything, it's a password on your phone.

