Android Central

Many of us use Dropbox in varying capacities (see what I did there?), and when we do, we often use it as crucial backup storage for data that's important to us. If it wasn't important, we probably wouldn't bother backing it up now, would we? If you take your security seriously, and by now we hope you all do, you should be jumping for joy that Dropbox has added 2-step verification sign-in to its latest betas.

The latest Dropbox beta follows the same principle as Google's 2-step verification. In order to access your account you need two things: 1) something you know -- your password -- and 2) something you have -- your phone. There's really no reason not to take security into your own hands and add that second layer to help prevent the worst from happening. If you haven't already, go pick up the Dropbox app from the Google Play Store at the link above, and if you're interested in setting up 2-step verification for your account, see us after the break for a more in-depth explanation.

Source: Dropbox forums; via The Verge


After downloading the beta application to your desktop from the Dropbox forum (Windows, Mac and Linux are all represented) and installing it, you'll have the option to turn on 2-step verification in the settings panel on the Dropbox website. Turn it on, enter your Dropbox password to authorize the change, and choose how you'd like to receive codes as your second step.

As with Google's option, you can choose between being sent text messages with codes or using a time-based one-time password generator. If you've already set up Google's 2-step verification, you've likely installed the Google Authenticator app, and it works perfectly for Dropbox as well. Select the option to use a mobile phone app, and you'll be presented with a barcode. In the Google Authenticator app, tap the settings button in the top right, tap "Add account", then "Scan barcode". Scan the barcode on your computer's screen, and your Dropbox account will be linked to Google Authenticator, which will start generating codes for it.

Upon entering a code to initialize the service, you'll be given an "emergency backup code". This is analogous to Google's one-use passwords, and will get you back into your account if your phone is ever stolen or unlinked from your account without your knowledge. Keeping this code safe should be high on your priority list, as it's your last line of defense for getting back into your account should someone else gain access to it. Dropbox recommends writing it down on paper and storing it somewhere safe -- but everyone has their own system that works here.
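To make the pieces of that setup concrete, here is an added Python example that is not Dropbox's or Google's code and is not from the original article. It walks through what the barcode, the Authenticator app and the emergency backup code each do, assuming the standard scheme Google Authenticator implements (TOTP per RFC 6238 on top of HOTP per RFC 4226: HMAC-SHA1, 30-second steps, 6 digits) and a base32-encoded shared secret carried in the barcode. The "server" side is an illustration, not Dropbox's implementation, and the backup-code store is a hypothetical in-memory set. The RFCs' published test secret is embedded so the codes can be checked against the standard.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

# RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890"); a real enrollment
# would use new_secret_base32() below instead of a fixed value.
DEMO_SECRET = b"12345678901234567890"


def new_secret_base32(nbytes: int = 20) -> str:
    """Enrollment: mint a random shared secret. Authenticator apps expect it base32-encoded
    (that is what the barcode carries), usually without '=' padding."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii").rstrip("=")


def secret_from_base32(encoded: str) -> bytes:
    """Decode a base32 secret as the phone app would after scanning the barcode;
    tolerates lowercase, spaces and missing padding."""
    cleaned = encoded.replace(" ", "").strip().upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, for_time: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: what the Authenticator app computes every 30 seconds. The counter is the number
    of time steps since the Unix epoch, so phone and server agree without talking to each other."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time) // step, digits)


def verify_totp(secret: bytes, submitted: str, for_time: Optional[float] = None,
                step: int = 30, window: int = 1) -> bool:
    """Server side (illustrative): accept the code for the current step or `window` steps
    either side to absorb phone clock drift, comparing each candidate in constant time."""
    if for_time is None:
        for_time = time.time()
    counter = int(for_time) // step
    given = submitted.strip().replace(" ", "").encode("utf-8")
    for d in range(-window, window + 1):
        if counter + d < 0:
            continue
        if hmac.compare_digest(hotp(secret, counter + d).encode("ascii"), given):
            return True
    return False


def new_backup_code(nbytes: int = 8) -> str:
    """Emergency backup code: random, shown to the user once, independent of the TOTP secret."""
    return secrets.token_hex(nbytes)


def store_backup_code(store: set, code: str) -> None:
    """Hypothetical server store: keep only a hash; the code has enough entropy that an
    unsalted SHA-256 is adequate here."""
    store.add(hashlib.sha256(code.encode("ascii")).hexdigest())


def redeem_backup_code(store: set, submitted: str) -> bool:
    """One-use: the hash is removed on the first successful match, so a code cannot be replayed."""
    digest = hashlib.sha256(submitted.strip().encode("utf-8")).hexdigest()
    if digest in store:
        store.remove(digest)
        return True
    return False


if __name__ == "__main__":
    # Enrollment walk-through with the RFC test secret: the barcode would carry this base32 string.
    encoded = base64.b32encode(DEMO_SECRET).decode("ascii")
    phone_secret = secret_from_base32(encoded)
    print("code at t=59:", totp(phone_secret, 59))  # 287082 per RFC 6238 (6-digit form)
    print("accepted:", verify_totp(DEMO_SECRET, totp(phone_secret, 59), 59))
    backups = set()
    code = new_backup_code()
    store_backup_code(backups, code)
    print("backup ok once:", redeem_backup_code(backups, code),
          "again:", redeem_backup_code(backups, code))
```

The phone never contacts the server: both sides derive the same six digits from the shared secret and the current 30-second window, which is why a stolen password alone is not enough and why the phone's clock matters. The backup code is the fallback the article describes: it is stored only as a hash and is gone the moment it is used.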


That's it! Now you're set up with a vastly more secure way to access your important files on Dropbox. To give it a try, log into Dropbox and use the Google Authenticator app to generate a code. This works just fine when authorizing the Dropbox app on Android as well -- when prompted for a code, hit the home button, open Google Authenticator, read the code, then switch back to Dropbox and enter it.


Reader comments

Latest Dropbox beta adds 2-step verification (24 comments)

Once you've authenticated the Dropbox app on your device, everything else works normally. If you set it up in the settings, automatic photo uploads will happen in the background, and be automatically downloaded again on your computer.

According to Dropbox, there's no need for "application specific passwords" like with Google 2-step. I'd assume it's built into Dropbox's API so that anyone using it automatically can accept 2-step verification. It's worth taking a look at the beta forum posts to see if anyone has some experience with it.

That's what the one-use password is for. You can then deactivate any devices that have been lost or stolen so they no longer have access to the account.

And how am I supposed to remember this one-use password? And I imagine it's convoluted and obscure and thus hard to remember? Imagine being drunk or hung over after some stripper or hooker in Vegas steals your wallet and phone. Not that that's ever happened to me... I'm speaking hypothetically of course...

Yes, the password is random and obscure, which helps so that no one can guess it.

The idea is that you'll print off (or write it down) the one-use password and put it somewhere safe (think like... a safe). Another good option in addition to this is saving it somewhere secure on a computer, like an encrypted volume on your hard drive that is also backed up off-site. This way you have multiple safe and secure ways to access the one-use password should your phone get stolen or lost.

See my comment below - what about traveling? Weekend bender in Vegas that gets out of hand. Wallet and phone stolen. Need to access your Gmail and Dropbox from a foreign computer. What do you do?

Not to be rude, but most people don't go on that kinda bender, and if you do you should probably think ahead and leave the phone behind... Certainly not gonna need it (nor will it survive) if you're getting ripped off by hookers while unconscious. A more credible example would be simply getting mugged while traveling. If that's a concern and you can't survive without Gmail/Dropbox for a few days you can just leave the one time codes in a safe at the hotel room or something like that. There are more upsides than downsides to two-step verification though. I wouldn't be surprised if pretty soon it becomes a requirement to access many bank accounts online.

2-step verification is cool and all, but I'd hate to be in a situation where my phone is stolen and I can't even access my phonebook on a nearby computer (not to mention a plethora of other Google services), because I have 2-step sign-in on my Google account. I'm all for security, but phones getting stolen/lost/broken or even a drained battery in an emergency situation - that's scary.

Google allows you to print off a code card of 10 valid codes for such emergencies. You can keep it in your wallet. It does not have your email address or other account identifiable information on it.

From your personal computer you only have to verify every 30 days.

Both Google and Dropbox offer one-use passwords that don't expire that you can use to log into your accounts. They both recommend that you write them down or print them off and have them available if your phone is ever lost or stolen or you forget your password.

So you write them down and keep them where? And when you're traveling? In your wallet? In your travel bag? And thus defeating the purpose and actually INCREASING the security threat vulnerability even more than before you enabled the 2-step?

There is no information on the print out to say what the numbers are for except for the header backup verification codes, which to anyone could be for anything.

Hmmmm... How about just creating a really long and obscure password to begin with to log in to Dropbox? That way it is harder to crack and you don't have to worry about two step authentication. Just saying.

It doesn't matter how long and complicated your password is if someone breaks into Dropbox's password storage (very unlikely, but still) and takes your password. It also doesn't matter if you have a piece of malware or a keylogger on your computer (or router, or friend's router, or public WiFi AP), or visit a spoofed site, or are the victim of a man-in-the-middle attack and someone takes your password.

This goes for all sites, not just Dropbox. Yes making a long complicated randomized password helps security (quite a bit), but it doesn't mean anything if the site's backend gets hacked or your password is taken by one of the numerous common methods. There's no reason to put your security solely in the hands of the site if you have the option to put it in your own as well.

It's the idea of needing something you know and something you have in order get into your account that keeps it much more secure. Someone would have to know your Dropbox login, steal your password and steal your phone in order to get into your account.

Done. Took all of 90 seconds. Small price to pay for an increase in security.

I don't understand people who complain about using Google 2-Step. Once a month my phone and laptop ask for a new code. It takes all of ten seconds. I also flash new ROMs a lot, and it's never a problem.