Although tray login still logs you in without the need to enter a password or the code.
Maybe the country list should be edited to only list countries where SMS can be sent? (I have no problem with other 2-ways services I use)
It looks like they support any app that uses the TOTP protocol, so google authenticator, among others, works with this seamlessly.
For those who don't have iOS/Android/BB and/or don't want to use Google Authenticator, Wikipedia lists a few compatible applications:
These work for Gmail too.
Finally gave up, considering how weird the idea seemed to most people. Glad that Dropbox saw how interesting this is, especially in light of the recent journalist hacks.
Hopefully, iCloud will be next :-)
If Google Authenticator allowed you to change the order of accounts without removing and re-adding them, I would have absolutely nothing to complain about.
Then it will appear under Security.
With a TrueCrypt volume or other encrypted file solution on top of Dropbox, you have to resync the entire multi-GB volume any time a single file in there changes, since to Dropbox it's just one big file. (Another option is to use something like an OS X sparsebundle -- encrypted data banded across many files -- but God help you if you have two computers reading/writing from that sparsebundle at once.)
I've started using SpiderOak and it is quite efficient even though the data is encrypted such that the server admins couldn't see your data even if they wanted to. https://spideroak.com/engineering_matters SpiderOak also offers two-factor auth. (The SpiderOak UI, however, is fairly atrocious.)
But they do: store files and name them sequentially ;)
I think EncFS is the best solution, since it encrypts each file separately. Just mount the encrypted end over the Dropbox directory and the plaintext end somewhere else, and use it transparently.
However, like the other commenter, I still recommend EncFS for most uses.
A service for syncing and sharing with built-in encryption might therefore be more convenient for most users. SpiderOak and Wuala are two examples.
Worth doing for some files, yes, but still a pain. Per-file encryption would be ideal, but a monstrous pain to implement with TrueCrypt.
Dropbox is probably not crazy about widespread encryption because it would eliminate their ability to perform deduplication. Perhaps they could get around this if you had a special encrypted quota. For example, you have 5GB of space and 100MB of encrypted space.
I just modified a file in a 64MB TrueCrypt container and unmounted it. Dropbox took roughly five seconds to sync it.
The only real problem with TrueCrypt in Dropbox is that you can't keep it mounted on multiple devices.
Dropbox made their business on an extreme convenience (your files everywhere through a dead-simple, familiar interface). Inconveniently, convenience is often the enemy of security. It's a "good thing" that Dropbox is now offering some granularity over the convenience/security spectrum.
Maybe there are people using Dropbox in some other fashion, but surely this is the intended/common use case?
Anyone else have this issue?
There is room for some error but it is worth making sure the time on your phone is correct.
7 reasons why you should add Rublon to your website:
Two-factor authentication is all about increasing security by combining two separate factors: something you know (password), and something you have (phone). From what I can tell, you're just switching from relying on one factor (password) to relying on the other factor (phone). It's just a different one-factor authentication paradigm.
Unfortunately, this leaves several gaps. For example, what happens when I lose my phone, or someone takes it from me? Can that other person log in immediately?
I can potentially understand an argument that this is more secure than solely password-based solutions (although I don't think it would be for me, where I use complex random passwords), but I certainly wouldn't consider it an alternative to two-factor authentication.
2) I'd rather just do N-factor using a client cert stored in the web browser (mobile or desktop), combined with a password. X.509 is probably terminally defective in desktop browsers due to historical accident and a messy protocol, but it could work on mobile, and stuff like OneID or BrowserID could meet the same need for regular browsers.
I don't believe in desktop + cellphone both being required to log into every site every time. The OATH compromise (using the phone periodically, along with a desktop password, and caching something in the browser) is an acceptable compromise for some apps.
Ultimately what I want is a trusted keystore of asymmetric private keys on devices, and then multifactor auth to the keystore (biometric, password, location/time based heuristics, etc.), and reasonable management of keystores and keys (so I can for instance revoke every key on my phone if stolen, or disallow iPad and iPhone but not mba13 for Dropbox, but allow all 3 for LinkedIn).
The technical problem is relatively simple; it's an integration program (the auth libraries used by every site, plus mobile OSes, maybe desktop OSes, and hardware in phones and computers).
Give users the ability to make their own choices, and let sites establish minimum standards as well. I should be allowed to make a site depend on fingerprint swipe + physical location + specific machine if I want, but it shouldn't be mandatory for a random game site for everyone/anyone.
I'd suggest you work on your elevator pitch a bit more.
The idea of using QR codes for authentication is interesting, but I would be very careful in selling this as a highly-secure system that is capable of replacing two-factor auth.
To me, this appears no more secure than leaving a copy of your password in plain text on the phone - if someone gets access to your phone, they have access to all of your Rublon accounts. Compare this to Google Authenticator - in the same scenario, the attacker would still need to know my password as well as the token.
It must be easier to build a startup on the assumption that your users are incompetent mouthbreathers. Respecting your users is hard work :-/