Slashdot Mirror


Dropbox Adds Two-Factor Authentication

angry tapir writes "File-sharing service Dropbox is now offering two-factor authentication, a system that makes it much harder for hackers to capture valid credentials for a person's account. Dropbox, one of the most widely used web-based storage services, said last month it planned on introducing two-factor authentication after user names and passwords were stolen from another website and used to access accounts."

33 of 64 comments

  1. Don't call it file-sharing by Anonymous Coward · · Score: 3, Funny

    It's cloud storage. Calling it file-sharing will get it confiscated by the Feds.

  2. Great! by Anonymous Coward · · Score: 2, Funny

    I put my Dropbox Emergency key in Google Drive, and my Google Emergency Key in Dropbox. This should work out perfectly.

    1. Re:Great! by Anonymous Coward · · Score: 5, Funny

      I put my Dropbox Emergency key in Google Drive, and my Google Emergency Key in Dropbox. This should work out perfectly.

      I did too, and then synced them both with my SkyDrive!

  3. Month long NDA? by vlm · · Score: 1

    Dropbox ...said last month

    What, a month long NDA, because release date is today, or what is the story on the delay?

    --
    "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger

  4. No solution to the real problem by robmv · · Score: 3, Interesting

    Someone will hack them and will export the shared secret used for RFC 6238 TOTP: Time-Based One-Time Password Algorithm. Two-factor authentication's job is to protect the user; it doesn't make Dropbox's security practices better, and they have already demonstrated that those are bad.

    1. Re:No solution to the real problem by yishai · · Score: 2

      Someone will hack them and will export the shared secret used for RFC 6238 TOTP: Time-Based One-Time Password Algorithm. Two-factor authentication's job is to protect the user; it doesn't make Dropbox's security practices better, and they have already demonstrated that those are bad.

      Although I fundamentally agree that the underlying issue is their security practices (or lack thereof), this does address the specific recent hack (of an employee of theirs reusing the same password on Dropbox as on another account with another company that was compromised), and is a good idea regardless. I wish more sites did it.

    2. Re:No solution to the real problem by yishai · · Score: 4, Interesting

      Dropbox wasn't hacked in the prior attack. Also, in a successful attack now you have two different products you have to find a security exploit on. Just throwing up your hands and saying 'everything can be hacked' isn't a security methodology.

      The problem is that in the Dropbox company it was fine to just make a Dropbox account with some password that you reuse elsewhere. That is the fundamental problem. They don't have their employees use KeePass, or 1Password or something similar and generate random passwords that they change routinely, or any of these other security practices that would have prevented this attack without the two factor authentication. Dropbox is a huge target and does not have the expertise to play in that league (evidenced by the fact that they needed outside help to figure out this attack). I think the two factor authentication is a good thing, but if they think "OK, problem solved" then it is not helping them. There is no replacement for good security practices, especially in a company with such a high profile.

    3. Re:No solution to the real problem by Sancho · · Score: 1

      If we're talking about Dropbox's general security IQ, how about the bug that allowed anyone to access any account with any password?

      http://techcrunch.com/2011/06/20/dropbox-security-bug-made-passwords-optional-for-four-hours/

  5. You can have it too! by 0100010001010011 · · Score: 5, Informative

    $ apt-cache search google authenticator
    libpam-google-authenticator - Two-step verification

    It's in Debian repositories (And probably Ubuntu.) You can download it yourself and integrate it into anything that supports PAM.

    I have my code on both my phone and iPod touch so I always have something on me that can generate the code. The 'backup codes' are in a safety deposit box with other documents. Not sure if it actually is secure but it feels a bit more secure knowing that to get into my home server you have to have both my password and one of my devices. (And if I lose one I can easily generate a new key).

    It makes a QR-code in the bash terminal that you can take a picture of with your devices.

    1. Re:You can have it too! by Maquis196 · · Score: 3, Informative

      Can vouch for this. Google Auth uses PAM so it's very easy to hook up to most things. I use it at work for our VPN stuff, also a few ssh servers.

      Amazing piece of software.

    2. Re:You can have it too! by heypete · · Score: 1

      Seconded. It's simple, easy to setup, and easy to integrate into a variety of services.

    3. Re:You can have it too! by Nerdfest · · Score: 1

      In Ubuntu/Debian, it makes a nice two-factor mechanism for ssh as well.

    4. Re:You can have it too! by norminator · · Score: 1

      Thanks to everyone who has posted about this here... I just got this set up on my own Ubuntu/ssh machine in the last couple of minutes, and it's pretty slick!

    5. Re:You can have it too! by Rich0 · · Score: 1

      How well does it work with stuff that uses ssh but doesn't actually use openssh in a terminal to do it? For example, some nice GUI application that lets you access your home directory via ssh, or nx/x2go, etc. That would be my main concern with it. I'd also prefer not to have to use it if I was using RSA - that essentially is a two factor process already.

    6. Re:You can have it too! by Nerdfest · · Score: 1

      Not sure about non-terminal use ... I imagine it would not work. An option with RSA keys would be to use a key with no password for convenience, with the 2nd factor being the authenticator. It would be mildly more convenient. Of course, leaving the password in place makes it even more secure.

  6. Re:More Security for My Cat Pictures! by Anonymous Coward · · Score: 2, Insightful

    There's a lot of data people need to sync and share that is confidential enough that you don't really want it to leak out, but still not that secret that it's the end of the world if it does. You know, the kind of data you would be perfectly comfortable letting a reasonably big and relatively trustworthy service manage for you.

    And if that service gets even more secure, you can rest easy knowing that if the data does leak out, it's not because you were careless with your passwords, and thus you have someone else to blame.

    By now Dropbox has a proven track record of security and reliability. Yes, it was apparent that they themselves could get at the data if they needed, but I fail to see how it would work otherwise. At least with this, you can be somewhat safer knowing that it would take more than hacking your account at some other, less secure service to get at the data, just because you like to reuse passwords.

  7. But did they actually make it any more secure by Anonymous Coward · · Score: 1, Interesting

    Great, but is it still the case you can just copy %APPDATA%\Dropbox\config.db to any computer and have instant access with no visibility that the credential is being double-used and no way to revoke or invalidate it?

    http://dereknewton.com/2011/04/dropbox-authentication-static-host-ids/

    Why would someone implement a keystroke logger if they can just steal this file and have unlimited future access with complete stealth? Sounds like this just makes it harder to remotely brute force against DB servers to login.

    1. Re:But did they actually make it any more secure by mkraft · · Score: 4, Informative

      That was fixed back in Dropbox 1.2.48 (October 31, 2011)

      https://www.dropbox.com/release_notes

    2. Re:But did they actually make it any more secure by Sprouticus · · Score: 1

      can someone remove the mod points from the parent post. Old bug.

  8. Can OpenID-like tech rise again? by Anonymous Coward · · Score: 3, Insightful

    Back when OpenID was popular the argument was that you can outsource your authentication to a service that actually has a clue about security. Back then, though, none of the popular identity providers actually did anything better than username/password. (With the exception of MyOpenID, but they were always kinda niche.)

    Now that I've embraced Google's two-factor auth -- accepting a little inconvenience for a little more security -- I find it useful that when I log into Google properties I only need to do the two-factor stuff once in a while, rather than for every single service. Two-factor auth *is* less convenient, but if you have single sign-on then you can make it less so.

    If the latest trend is for every service to implement its *own* two-factor auth then this is going to get much less convenient. I'd sooner see services like DropBox just integrate with Google's auth (and with anyone else who has a decent auth system) and let users benefit.

    1. Re:Can OpenID-like tech rise again? by heypete · · Score: 1

      I don't mind if they all use a compatible OTP system, so that I can just have the one Google Authenticator app for my iOS device (or a compatible J2ME program on my non-smartphone). The services that annoy me are the ones that use different methods that I can't integrate with code generating programs I already have.

      The nice thing with TOTP/RFC 6238 is that it's an open standard and not subject to the whims of a particular company. It's also completely independent of third-parties: I can set up my own TOTP system on my own systems and not have it be dependent on the availability or security of any third party.

    2. Re:Can OpenID-like tech rise again? by Bogtha · · Score: 3, Insightful

      I'd sooner see services like DropBox just integrate with Google's auth

      They do. You can use Google's Authenticator mobile app to authenticate yourself with Dropbox.

      --
      Bogtha Bogtha Bogtha

    3. Re:Can OpenID-like tech rise again? by Darinbob · · Score: 2

      I'm not really sure what this is. Google+ spams me now and then to link a phone, but I won't do that as it's insecure. I don't want my phone linked to anything. I don't want google+ linked to anything. I don't have important pictures stored only on the net. I don't have automatic upload of pictures or data. I don't want one failure to cascade and take down multiple accounts.

      Besides I have disabled SMS entirely. Google's method can't work for me.

  9. Goofy by marjancek · · Score: 1

    Am I the only one who loses his phone?

    1. Re:Goofy by Archangel+Michael · · Score: 2

      Do you work at Apple in their iPhone Development Division?

      But if you lose your phone ... you've got other security problems. Don't keep anything valuable on your phone.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.

    2. Re:Goofy by awyeah · · Score: 2

      They give you a backup code you can use in case you lose your phone.

      --
      Why, no, I haven't meta-moderated lately. Thanks for asking!

    3. Re:Goofy by pbrammer · · Score: 1

      If you use a passcode to get into your iPhone, it is extremely secure. AES-256, secure. http://images.apple.com/ipad/business/docs/iOS_Security_May12.pdf

  10. Re:When did they become a file-sharing service? by RobertLTux · · Score: 1

    A couple of ways this works:

    1. The public folder: you can send a link to a file in your Dropbox to anybody.
    2. If both of "us" have Dropbox accounts then I can share a folder with you, and anything I put in you get and anything you put in I get (I think editing files is a bit wonky but...).

    --
    Any person using FTFY or editing my postings agrees to a US$50.00 charge

  11. Wrong title! Wrong title! by aglider · · Score: 1

    Dropbox adds a much better user identification method, for the sake of privacy.
    The second factor is an SMS, and in all countries the law requires the mobile operator to be able to identify at any time the person using a certain SIM.
    Identification of a user based on her/his email address is trivially ineffective.
    Better security is a tiny side effect. Any techie on the VAS team at the mobile operator would be able to circumvent that method, as would law enforcement men in black.
    Really better security would be a cryptographic certificate locally protected by a password, a-la SSH.
    Ah!

    P.S.
    Google is already willing to know your mobile phone number since long now.

    --
    Sent as ripples into the electromagnetic field. No single photon has been harmed in the process.

  12. Great. Now how about some encryption? by Rob_Bryerton · · Score: 1

    Great. Now how about some encryption? I notice that the one useful feature most of these services (purposely?) omit is client side [de|en]cryption with the client holding the keys. Why is that?

    Do these online storage services actually data mine their customers' files? /tinfoil

    1. Re:Great. Now how about some encryption? by michaelwigle · · Score: 2

      While I agree that would be a nice feature, I find handling the encryption myself painless enough. There are many tools to do it but I find Axcrypt integrates quite nicely for Win/Linux systems but not Android yet.

  13. Re:More Security for My Cat Pictures! by Kalriath · · Score: 1

    You're talking about Dropbox, the service that accidentally during a code push made it so that a user's password wasn't needed to get at their Dropbox files, and managed to get an extract from their user database stolen. I don't call that "a proven track record of security and reliability", unless you mean a bad track record.

    --
    For a site about things like basic rights, Slashdot users sure do like to censor "dissent".

  14. Re:Wrong comment! Wrong comment! by Kalriath · · Score: 1

    Um, in almost no countries is it law that the mobile operator has to know who the customer is. Here, we can just buy a prepay SIM for $10 at the supermarket, put it in the phone, and start calling. No ID needed. Your post is a huge crock of shit.

    --
    For a site about things like basic rights, Slashdot users sure do like to censor "dissent".