Dropbox Follows Through on Its Promise

Sue Marquette Poremba

After Dropbox records were compromised, the company said it would take steps to improve its customer-side security. One of the ideas that Dropbox said it was considering was a two-factor authentication option.

It’s been a few weeks since the breach occurred, and Dropbox has actually followed through on its promise. The company has released a beta version of its new two-factor authentication process. According to ZDNet:

Whenever you sign in to the Dropbox website or link a new device, you’ll need to enter both your password and also a security code sent to your mobile phone. There are no hardware tokens for the system. Instead, users can choose to enter their mobile phone number in order to have codes sent via SMS each time they attempt to log in. Alternatively, users can use an app to retrieve tokens. Dropbox has decided not to create its own app for this; because it's decided to use the Time-based One-Time Password (TOTP) protocol for its two-factor authentication system, users can rely on three existing applications to create tokens.

How nice is it that a company came through on its promise?

Like anything introduced in beta form, there are still a lot of bugs in the system that need to be worked out. According to Information Week, there are users who wonder what happens if you lose your phone (and can’t get the texted code) or forget your original password. The article went on to quote Dropbox user Grant H. Monday, who said:

Once a Dropbox user enables two-step verification he should be unable to sign into his account without entering a valid code into the sign-in interface. But that doesn't seem to be the case because mobile apps obviously still work, as does the Dropbox website--without any two-step authentication. The infrastructure shouldn't even allow this to happen.

But I — and others — have hope that Dropbox will fix the flaws and address the concerns. The fact that it stepped up so quickly to address the security concerns of its users is positive in and of itself. Sadly, a lot of companies don’t take security fixes, or consumer security concerns, seriously enough. Only time will tell how the two-factor authentication system works and whether or not people are patient enough or willing to adopt it. I think the new Dropbox system will be at the forefront of changes in how we access information stored in the cloud or on the network. We see that passwords are increasingly ineffective, and yet companies do little to encourage anything better. Heck, most sites or applications I use that require a password don’t ask me to make them overly strong or to change them periodically.

So thank you, Dropbox, for following through on a promise and making the effort to increase security at your site. Here’s hoping other companies start to follow your example.

Sep 12, 2012 9:06 AM Tswan says:
Even if it is late, it's nice to see that leading companies in their respective verticals are giving users a better balance between security and user experience by implementing 2FA, which allows us to telesign into our accounts. I know some will claim this makes things more complicated, but the slight inconvenience each time you log in is worth the confidence of knowing your files are secure. I'm hoping that more companies start to offer this awesome functionality. This should be a prerequisite to any system that wants to promote itself as being secure.
