Dropbox two-step verification final released

Martin Brinkmann
Aug 28, 2012

Dropbox just three days ago launched the two-step verification feature as a beta for users of the cloud synchronization service that added another layer of security to the sign in process both on the Dropbox website and when connecting new clients on desktop systems.

The company today made two-step verifications available for all users of its service.  You can head over to your Dropbox account right now to activate the feature if you want. For that you need to click on your name located in the top right corner of the account screen after you have logged in and select Settings from the context menu there.

On the settings menu select the Security tab and locate the Account sign in module near the bottom of the page. It is located below the my devices and web sessions listings.

A click on the change button loads the wizard that walks you through the configuration of the security feature. Please note that you either need to verify a mobile phone using its number in the process, or install and work with mobile phone apps that are available for Android, iPhone, BlackBerry or Windows Phone smartphones.

If you select the text messaging option, you will receive an SMS whenever you try to log in on the Dropbox website or connect a new Dropbox client to the cloud hosting service. You need to enter that code during log in after you have entered your username and password. The mobile phone app works similar, only that it will generate the code that you then need to enter during log in.

An attacker trying to get into your Dropbox account would therefor not only need your username and password, but also your mobile phone, or at least the code that is generated to do so.

Dropbox has not updated the client yet, and it seems as if an update is not required to enable the two-step verification feature at all.

One of the reasons why Dropbox may push the feature that much was a recent attack on an employee's account that resulted in the leaking of a file with user information that were promptly abused to send out spam messages.


Previous Post: «
Next Post: «


  1. 2StepWorry said on September 3, 2012 at 11:05 pm

    Thanks for the clear explanation.

    I’m currently assigned to a project *** outside the U.S. ***,
    but would like to turn ON “2-step verification”
    with each:
    Dropbox, Gmail, LastPass, etc.

    Will Google (or anyone else) charge you $$$,
    to receive the code via an SMS text message
    to a cell phone in a non-US country?

    How reliable and fast is receiving the SMS code in your cell phone,
    in a non-US country? Always 100% ?

    Does it take seconds or minutes
    after you enter the regular password on your Desktop PC?

    Also, what if the SMS message
    does not arrive at all…?

    Concerned about reliability
    if I turn 2-step verification on…
    Thanks for any guidance…

    1. Martin Brinkmann said on September 3, 2012 at 11:30 pm

      1. You need to ask that your provider, can’t say
      2. Can’t say, but I never had a issue receiving SMS
      3. Most of the time less than a minute. Sometimes, it took really long, like 30 minutes or longer.
      4. If the SMS does not arrive, you can ask for a resend.

      1. 2StepWorry said on September 3, 2012 at 11:36 pm

        Thank you for your answers, Martin.

  2. John said on August 29, 2012 at 1:15 pm

    It’s nice to see that leading companies in their respective verticals are giving users the perfect balance between security and user experience by implementing 2FA which allows us to telesign into our accounts. I know some will claim this make things more complicated, but the slight inconvenience each time you log in is worth the confidence of knowing your info is secure. I’m hoping that more companies start to offer this awesome functionality. This should be a prerequisite to any system that wants to promote itself as being secure.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.