Information Security News mailing list archives

Dropbox Two-Factor Authentication Has Kinks, Users Say


From: InfoSec News <alerts () infosecnews org>
Date: Tue, 28 Aug 2012 03:50:49 -0500 (CDT)

http://www.informationweek.com/security/application-security/dropbox-two-factor-authentication-has-ki/240006269

By Mathew J. Schwartz
InformationWeek
August 27, 2012

Dropbox is making two-factor authentication available to some users as part of a beta test that's meant to shake down the new service.

The feature's debut--for self-selected early adopters--involves installing and running an "experimental build" of the Dropbox software, released Friday, on their Windows, Mac OS X, or Linux PC. Dropbox's VP of engineering, Aditya Agarwal, previewed the feature last month, after a Dropbox investigation into a spam campaign against its users traced the campaign to passwords that users had reused on other sites, from which the credentials had been stolen.

But Dropbox also found that one password-reuse culprit was in fact a Dropbox employee, who'd stored--unencrypted--a copy of some Dropbox users' email addresses in his Dropbox account, which an attacker then accessed and downloaded. In the wake of that breach, some security experts had recommended that all Dropbox users treat any data they uploaded to the service as publicly accessible.

As of Friday, however, Dropbox users can make it more difficult for attackers to access their stored items, by using the "enable two-step verification" feature now displayed on the security tab of their account pages. The sign-up page states: "Two-step verification adds an extra layer of protection to your account. Whenever you sign in to the Dropbox website or link a new device, you'll need to enter both your password and also a security code sent to your mobile phone." Instead of receiving text messages with a one-time log-in password, however, Dropbox users can choose to use a mobile app.

[...]
