Slashdot Mirror


Dropbox Adds Two-Factor Authentication

angry tapir writes "File-sharing service Dropbox is now offering two-factor authentication, a system that makes it much harder for hackers to capture valid credentials for a person's account. Dropbox, one of the most widely used web-based storage services, said last month it planned on introducing two-factor authentication after user names and passwords were stolen from another website and used to access accounts."

9 of 64 comments

  1. Don't call it file-sharing by Anonymous Coward · · Score: 3, Funny

    It's cloud storage. Calling it file-sharing will get it confiscated by the Feds.

  2. No solution to the real problem by robmv · · Score: 3, Interesting

    Someone will hack them and will export the shared secret used for RFC 6238 TOTP: Time-Based One-Time Password Algorithm. Two-factor authentication's job is to protect the user. It doesn't make Dropbox's security practices better, and they have already demonstrated that those are bad.

    1. Re:No solution to the real problem by yishai · · Score: 4, Interesting

      Dropbox wasn't hacked in the prior attack. Also, in a successful attack now you have two different products you have to find a security exploit on. Just throwing up your hands and saying 'everything can be hacked' isn't a security methodology.

      The problem is that in the Dropbox company it was fine to just make a Dropbox account with some password that you reuse elsewhere. That is the fundamental problem. They don't have their employees use KeePass, or 1Password or something similar and generate random passwords that they change routinely, or any of these other security practices that would have prevented this attack without the two-factor authentication. Dropbox is a huge target and does not have the expertise to play in that league (evidenced by the fact that they needed outside help to figure out this attack). I think the two-factor authentication is a good thing, but if they think "OK, problem solved" then it is not helping them. There is no replacement for good security practices, especially in a company with such a high profile.

  3. You can have it too! by 0100010001010011 · · Score: 5, Informative

    $ apt-cache search google authenticator
    libpam-google-authenticator - Two-step verification

    It's in Debian repositories (And probably Ubuntu.) You can download it yourself and integrate it into anything that supports PAM.

    I have my code on both my phone and iPod touch so I always have something on me that can generate the code. The 'backup codes' are in a safety deposit box with other documents. Not sure if it actually is secure but it feels a bit more secure knowing that to get into my home server you have to have both my password and one of my devices. (And if I lose one I can easily generate a new key).

    It makes a QR-code in the bash terminal that you can take a picture of with your devices.

    1. Re:You can have it too! by Maquis196 · · Score: 3, Informative

      Can vouch for this. Google auth uses PAM so it's very easy to hook up to most things. I use it at work for our VPN stuff, also a few ssh servers.

      Amazing piece of software.

  4. Re:Great! by Anonymous Coward · · Score: 5, Funny

    I put my Dropbox Emergency key in Google Drive, and my Google Emergency Key in Dropbox. This should work out perfectly.

    I did too, and then synced them both with my SkyDrive!

  5. Can OpenID-like tech rise again? by Anonymous Coward · · Score: 3, Insightful

    Back when OpenID was popular the argument was that you can outsource your authentication to a service that actually has a clue about security. Back then, though, none of the popular identity providers actually did anything better than username/password. (With the exception of MyOpenID, but they were always kinda niche.)

    Now that I've embraced Google's two-factor auth -- accepting a little inconvenience for a little more security -- I find it useful that when I log into Google properties I only need to do the two-factor stuff once in a while, rather than for every single service. Two-factor auth *is* less convenient, but if you have single sign-on then you can make it less so.

    If the latest trend is for every service to implement its *own* two-factor auth then this is going to get much less convenient. I'd sooner see services like DropBox just integrate with Google's auth (and with anyone else who has a decent auth system) and let users benefit.

    1. Re:Can OpenID-like tech rise again? by Bogtha · · Score: 3, Insightful

      I'd sooner see services like DropBox just integrate with Google's auth

      They do. You can use Google's Authenticator mobile app to authenticate yourself with Dropbox.

      --
      Bogtha Bogtha Bogtha

  6. Re:But did they actually make it any more secure by mkraft · · Score: 4, Informative

    That was fixed back in Dropbox 1.2.48 (October 31, 2011)

    https://www.dropbox.com/release_notes