Following a well-publicized security breach that was discovered last month, document sharing service Dropbox is launching a beta test of two-factor authentication with some users. The new security feature, made available on Friday, August 24 to early Dropbox adopters using Windows, Mac OS X, or Linux PCs, sends users a one-time mobile security code that they must enter in addition to their standard password.
Early Results Suggest Two-Factor Authentication Has Kinks
As reported by Information Week, two-factor authentication has already been previewed by Dropbox VP of Engineering Aditya Agarwal. It comes as a response to the discovery that spam sent to user email addresses used only for Dropbox originated from hackers who had stolen passwords that users had reused from other sites (see more detail below). In addition, an internal Dropbox investigation revealed that hackers stole unencrypted user passwords that were improperly stored in a Dropbox employee's account.
Dropbox users can receive mobile security codes via text message or mobile app. Information Week reports that early public commentary on the beta test suggests it needs some fine-tuning. For example, one user posted in an online Dropbox forum that, despite signing up for two-factor authentication, he could still log into his Dropbox account using only his password.
Another complaint, posted online by more than one user, is that there is currently no backup option if the mobile phone or the 16-digit mobile security code is lost.
Two-Factor Authentication One of Several Promised Security Fixes
In a public statement on its website, Dropbox previously said it would start requiring two-factor authentication. In addition, Dropbox pledged to offer security fixes including a new page that will let users see all logins to their account, and possibly prompting users periodically to change their passwords. Internally, Dropbox intends to add automated mechanisms for detecting suspicious activity.
Obviously, it will take some time for Dropbox to launch fully operational versions of all these new and improved security features (and internal features may not be publicized), but considering how quickly the company rolled out a beta test of two-factor authentication, Dropbox seems committed to rectifying the problems caused by this embarrassing security breach.
Dropbox users themselves should also take some steps to help protect not just their Dropbox accounts, but all of their various online accounts. The IT Security Office at Duke University offers some helpful tips on how to select a strong password that will not be easy for a hacker to guess. These include using at least eight characters (some systems allow up to 63), mixing upper- and lower-case characters, interspersing punctuation marks and symbols, and using modified versions of words from favorite childhood nursery rhymes or foods. Duke IT Security also advises never using the same password on more than one account and avoiding dictionary words, phone numbers, and anything associated with a name.