Dropbox Two-Factor Authentication Has Kinks, Users Say

  /     /     /  
Publicated : 22/11/2024   Category : security


Dropbox Two-Factor Authentication Has Kinks, Users Say


Cloud storage provider upgrades security after attacker stole data from Dropbox employees account. But users say the beta version needs tweaks.



Microsoft SkyDrive Vs. Dropbox, Google: Hands-On (click image for larger view and for slideshow)
Dropbox is making two-factor authentication available to some users as part of a beta test thats meant to shake down the new service.
The features debut--for self-selected early adopters--involves installing and running an experimental build version of the Dropbox software,
released Friday
, for their Windows, Mac OS X, or Linux PC. The feature had been previewed by Dropboxs VP of engineering, Aditya Agarwal, last month, after an investigation conducted by Dropbox into a spam campaign against its users was ultimately traced to
passwords that had been reused by Dropbox users
on other sites, from which the credentials had been stolen.
But Dropbox also found that one password-reuse culprit was in fact a Dropbox employee, whod stored--unencrypted--a copy of some Dropbox users email addresses in his Dropbox account, which an attacker then accessed and downloaded. In the wake of that breach, some security experts had recommended that all Dropbox users treat any data they uploaded to the service as
publicly accessible
.
As of Friday, however, Dropbox users can make it more difficult for attackers to access their stored items, by using the enable two-step verification feature now displayed on the security tab of their account pages. The sign-up page states: Two-step verification adds an extra layer of protection to your account. Whenever you sign in to the Dropbox website or link a new device, youll need to enter both your password and also a security code sent to your mobile phone. Instead of receiving text messages with a one-time log-in password, however, Dropbox users can choose to use a mobile app.
If going the text-message route, heres how to set it up: Users input their cellphone number into the website, receive a six-digit numeric code, and then provide this back to the Dropbox website. The Dropbox website then gives users a unique 16-digit password, together with this admonition: If you ever lose your phone, youll need this emergency backup code to disable two-step verification and access your account.
[ Wondering about security of your text messages? See
Android And BlackBerry Safer Than iOS For SMS
. ]
While any new security features are to be welcomed, early users have suggested that Dropboxs new two-factor authentication system still isnt ready for primetime. Im afraid I dont think were quite here yet with two-step verification, said Dropbox forum power user Grant H. Monday in a post to the companys online forums. Once a Dropbox user enables two-step verification he should be unable to sign into his account without entering a valid code into the sign-in interface. But that doesnt seem to be the case because mobile apps obviously still work, as does the Dropbox website--without any two-step authentication. The infrastructure shouldnt even allow this to happen.
Multiple users have also criticized the current options for regaining access to an account if a user loses his cellphone or forgets her password. In Google, I have a mobile authenticator app as my primary method for getting codes. But as a backup, I can have Google call me or text me with a code, said Grant H. Dropbox only allows a mobile app or SMS, but not both. This is actually so serious that Ive left off two-step verification for the time being until its fixed.
Pro user David W. agreed, saying that to have your entire Dropbox account contingent upon you not losing one 16 character password is crazy!
Obviously, the two-factor authentication feature is still in beta, and Dropbox will no doubt continue to work out the kinks, but its not the only security enhancement on offer. Dropboxs Agarwal said last month that Dropbox would also be implementing new automated mechanisms to help identify suspicious activity and a page that lists all historical log-ins to a users account. He also said Dropbox was exploring mandatory password changes, for example if a users password hadnt been changed for a specified period of time, or if it wasnt
sufficiently complex
.
Seeing any security improvements from the cloud-storage firm is good news. Of course, with Dropbox now competing in the crowded cloud-storage marketplace, its arguably a business necessity. Indeed, the service competes directly with Apple iCloud, Box.com, Google Drive, and
Microsoft SkyDrive
.
Meanwhile, services such as
SpiderOak
and
Wuala
are offering a zero knowledge approach that encrypts client-side data, but gives the service provider no access to the key, thus helping secure the information not just against outside attackers, but any surreptitious law enforcement access demands
Vulnerability scanners can be used to help detect and fix systemic problems in an organizations security program and monitor the effectiveness of security controls. However, a vulnerability scanner can improve the organization?s security posture only when it is used as part of a vulnerability management program. In our
Choosing The Right Vulnerability Scanner
report, we give you tips on choosing and implementing vulnerability scanners in your enterprise. (Free registration required.)

Last News

▸ 7 arrested, 3 more charged in StubHub cyber fraud ring. ◂
Discovered: 23/12/2024
Category: security

▸ Nigerian scammers now turning into mediocre malware pushers. ◂
Discovered: 23/12/2024
Category: security

▸ Beware EMV may not fully protect against skilled thieves. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Dropbox Two-Factor Authentication Has Kinks, Users Say