Risk
8/27/2012
11:08 AM
Connect Directly
RSS
E-Mail
50%
50%

Dropbox Two-Factor Authentication Has Kinks, Users Say

Cloud storage provider upgrades security after attacker stole data from Dropbox employee's account. But users say the beta version needs tweaks.

Microsoft SkyDrive Vs. Dropbox, Google: Hands-On
Microsoft SkyDrive Vs. Dropbox, Google: Hands-On
(click image for larger view and for slideshow)
Dropbox is making two-factor authentication available to some users as part of a beta test that's meant to shake down the new service.

The feature's debut--for self-selected early adopters--involves installing and running an "experimental build" version of the Dropbox software, released Friday, for their Windows, Mac OS X, or Linux PC. The feature had been previewed by Dropbox's VP of engineering, Aditya Agarwal, last month, after an investigation conducted by Dropbox into a spam campaign against its users was ultimately traced to passwords that had been reused by Dropbox users on other sites, from which the credentials had been stolen.

But Dropbox also found that one password-reuse culprit was in fact a Dropbox employee, who'd stored--unencrypted--a copy of some Dropbox users' email addresses in his Dropbox account, which an attacker then accessed and downloaded. In the wake of that breach, some security experts had recommended that all Dropbox users treat any data they uploaded to the service as publicly accessible.

As of Friday, however, Dropbox users can make it more difficult for attackers to access their stored items, by using the "enable two-step verification" feature now displayed on the security tab of their account pages. The sign-up page states: "Two-step verification adds an extra layer of protection to your account. Whenever you sign in to the Dropbox website or link a new device, you'll need to enter both your password and also a security code sent to your mobile phone." Instead of receiving text messages with a one-time log-in password, however, Dropbox users can choose to use a mobile app.

If going the text-message route, here's how to set it up: Users input their cellphone number into the website, receive a six-digit numeric code, and then provide this back to the Dropbox website. The Dropbox website then gives users a unique 16-digit password, together with this admonition: "If you ever lose your phone, you'll need this emergency backup code to disable two-step verification and access your account."

[ Wondering about security of your text messages? See Android And BlackBerry Safer Than iOS For SMS. ]

While any new security features are to be welcomed, early users have suggested that Dropbox's new two-factor authentication system still isn't ready for primetime. "I'm afraid I don't think we're quite here yet with two-step verification," said Dropbox forum "power user" Grant H. Monday in a post to the company's online forums. "Once a Dropbox user enables two-step verification he should be unable to sign into his account without entering a valid code into the sign-in interface. But that doesn't seem to be the case because mobile apps obviously still work, as does the Dropbox website--without any two-step authentication. The infrastructure shouldn't even allow this to happen."

Multiple users have also criticized the current options for regaining access to an account if a user loses his cellphone or forgets her password. "In Google, I have a mobile authenticator app as my primary method for getting codes. But as a backup, I can have Google call me or text me with a code," said Grant H. "Dropbox only allows a mobile app or SMS, but not both. This is actually so serious that I've left off two-step verification for the time being until it's fixed."

"Pro user" David W. agreed, saying that "to have your entire Dropbox account contingent upon you not losing one 16 character password is crazy!"

Obviously, the two-factor authentication feature is still in beta, and Dropbox will no doubt continue to work out the kinks, but it's not the only security enhancement on offer. Dropbox's Agarwal said last month that Dropbox would also be implementing "new automated mechanisms to help identify suspicious activity" and a page that lists all historical log-ins to a user's account. He also said Dropbox was exploring mandatory password changes, for example if a user's password hadn't been changed for a specified period of time, or if it wasn't sufficiently complex.

Seeing any security improvements from the cloud-storage firm is good news. Of course, with Dropbox now competing in the crowded cloud-storage marketplace, it's arguably a business necessity. Indeed, the service competes directly with Apple iCloud, Box.com, Google Drive, and Microsoft SkyDrive.

Meanwhile, services such as SpiderOak and Wuala are offering a "zero knowledge" approach that encrypts client-side data, but gives the service provider no access to the key, thus helping secure the information not just against outside attackers, but any surreptitious law enforcement access demands

Vulnerability scanners can be used to help detect and fix systemic problems in an organization's security program and monitor the effectiveness of security controls. However, a vulnerability scanner can improve the organization?s security posture only when it is used as part of a vulnerability management program. In our Choosing The Right Vulnerability Scanner report, we give you tips on choosing and implementing vulnerability scanners in your enterprise. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Johan1974
50%
50%
Johan1974,
User Rank: Apprentice
2/24/2013 | 10:09:13 AM
re: Dropbox Two-Factor Authentication Has Kinks, Users Say
Hi ,

I see this is an old message but i still have the same issue.
O do not have the backup code and they refuse to send me a new one to my phone. Even when i created a new account with a different email adress with the same phone number i get no help at all. The support just stops responding .

I like dropbox but because of this i quit using dropbox.
kitus
50%
50%
kitus,
User Rank: Apprentice
10/17/2012 | 9:59:08 PM
re: Dropbox Two-Factor Authentication Has Kinks, Users Say
Hi again,

I just received their response to my request for help. Fasten your seat belts: "Your computer is still linked to Dropbox, and you have logged into the website using two-step verification before, you should be able to launch the Dropbox website from the Dropbox icon in your menu bar or system tray. Click on the Dropbox icon and select "Launch Dropbox Website." If this logs you in then you can disable two-step verification from the security page."

I provided a very thorough response to Dropbox support indicating what had happened and all I get is a response that is of no use for me... 1 week and I'm still in square one! In this response I linked back to this website.
kitus
50%
50%
kitus,
User Rank: Apprentice
10/7/2012 | 11:28:41 PM
re: Dropbox Two-Factor Authentication Has Kinks, Users Say
I guess I've made a huge fool of myself, and now I can't use Dropbox to its full. My dynamic codes are not valid (I seem to have used a wrong seed), and so is my local 16-character password.

Guess what. I contacted user support and they have responded me with "Unfortunately, for security purposes, if you can't enter the two-step code, and you failed to store the emergency backup code, we have no way to help you regain access to your Dropbox account.".

I've been an early adopter of Googles 2 factor authentication and I've never had any problem whatsoever. To my surprise I seem to not only have used a wrong seed but also stored a wrong static password (which by the way I copied directly into my password manager).

Dropbox two factor authentication is worse than Google's and if they don't help me out, I'm gonna be utterly disappointed as I have gained over 12GB bringing people to Dropbox.

Can anybody please spot a way for me to solve this?

Your help would be much appreciated.

Thanks,
TS_Time
50%
50%
TS_Time,
User Rank: Apprentice
8/29/2012 | 11:12:55 AM
re: Dropbox Two-Factor Authentication Has Kinks, Users Say
Even if it is late it's nice to see that leading companies in their respective verticals are giving users the better balance between security and user experience by implementing 2FA which allows us to telesign into our accounts. I know some will claim this make things more complicated, but the slight inconvenience each time you log in is worth the confidence of knowing your files are secure. I'm hoping that more companies start to offer this awesome functionality. This should be a prerequisite to any system that wants to promote itself as being secure.
moarsauce123
50%
50%
moarsauce123,
User Rank: Apprentice
8/28/2012 | 11:27:47 AM
re: Dropbox Two-Factor Authentication Has Kinks, Users Say
And how do you use this new feature when you don't have a mobile phone? Dropbox should offer more options for the second layer, which would also add a bit more security. With that any hacker has to try multiple ways for the second step and if users want they should be able to have the account blocked for a day if the second method selected is not the one originally chosen.
MarkSitkowski
50%
50%
MarkSitkowski,
User Rank: Moderator
8/27/2012 | 11:59:27 PM
re: Dropbox Two-Factor Authentication Has Kinks, Users Say
I'm surprised that Dropbox still uses passwords. Whether you go with 2, 3, 4 or 5 factor authorisation, you'll still be vulnerable to the well-known methods of hacking the result. Also, methods like eyeball scanning, fingerprints or colonoscopy tend to be a bit user-hostile.
Two U.S banks and one in Hong Kong are implementing an authorisation method which is proof against spy cameras, network snoopers, keyloggers, and doesn't need passwords, just a user ID.
There's a nice PowerPoint thingy which describes it reasonably well at www.designsim.com.au/What_is_S....
Number 6
50%
50%
Number 6,
User Rank: Apprentice
8/27/2012 | 5:35:12 PM
re: Dropbox Two-Factor Authentication Has Kinks, Users Say
I'll store that 16-digit key in my Dropbox folder so I can access it anywhere from my smartph... Oh.
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3409
Published: 2014-10-25
The Ethernet Connectivity Fault Management (CFM) handling feature in Cisco IOS 12.2(33)SRE9a and earlier and IOS XE 3.13S and earlier allows remote attackers to cause a denial of service (device reload) via malformed CFM packets, aka Bug ID CSCuq93406.

CVE-2014-4620
Published: 2014-10-25
The EMC NetWorker Module for MEDITECH (aka NMMEDI) 3.0 build 87 through 90, when EMC RecoverPoint and Plink are used, stores cleartext RecoverPoint Appliance credentials in nsrmedisv.raw log files, which allows local users to obtain sensitive information by reading these files.

CVE-2014-4623
Published: 2014-10-25
EMC Avamar 6.0.x, 6.1.x, and 7.0.x in Avamar Data Store (ADS) GEN4(S) and Avamar Virtual Edition (AVE), when Password Hardening before 2.0.0.4 is enabled, uses UNIX DES crypt for password hashing, which makes it easier for context-dependent attackers to obtain cleartext passwords via a brute-force a...

CVE-2014-4624
Published: 2014-10-25
EMC Avamar Data Store (ADS) and Avamar Virtual Edition (AVE) 6.x and 7.0.x through 7.0.2-43 do not require authentication for Java API calls, which allows remote attackers to discover grid MCUser and GSAN passwords via a crafted call.

CVE-2014-6151
Published: 2014-10-25
CRLF injection vulnerability in IBM Tivoli Integrated Portal (TIP) 2.2.x allows remote authenticated users to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.