After Dropbox records were compromised, the company said it would take steps to improve its customer-side security. One of the ideas that Dropbox said it was considering was a two-factor authentication option.
It’s been a few weeks since the breach occurred, and Dropbox has actually followed through on its promise. The company has released a beta version of its new two-factor authentication process. According to ZDNet:
Whenever you sign in to the Dropbox website or link a new device, you’ll need to enter both your password and also a security code sent to your mobile phone. There are no hardware tokens for the system. Instead, users can choose to enter their mobile phone number in order to have codes sent via SMS each time they attempt to log-in. Alternatively, users can use an app to retrieve tokens. Dropbox has decided not to create its own app for this; because it's decided to use the Time-based One-Time Password (TOTP) protocol for its two-factor authentication system, users can rely on three existing applications to create tokens.
How nice is it that a company came through on its promise?
Like anything introduced in beta form, there are still a lot of bugs in the system that need to be worked out. According to Information Week, there are users who wonder what happens if you lose your phone (and can’t get the texted code) or forgot your original password. The article went on to quote Dropbox user Grant H. Monday, who said:
Once a Dropbox user enables two-step verification he should be unable to sign into his account without entering a valid code into the sign-in interface. But that doesn't seem to be the case because mobile apps obviously still work, as does the Dropbox website--without any two-step authentication. The infrastructure shouldn't even allow this to happen.
But I — and others — have hope that Dropbox will fix the flaws and address the concerns. The fact that it stepped up so quickly to address the security concerns of its users is positive in and of itself. Sadly, a lot of companies don’t take security fixes, or consumer security concerns, seriously enough. Only time will tell how the two-authentication system works and whether or not people are patient enough or willing to adopt it. I think the new Dropbox system will be at the forefront of changes in how we access information stored in the cloud or on the network. We see passwords are increasingly ineffective, and yet, companies do little to encourage anything better. Heck, most sites or applications I use that require a password don’t ask me to make them overly strong or to change them periodically.
So thank you, Dropbox, for following through on a promise and making the effort to increase security at your site. Here’s hoping other companies start to follow your example.