Ronny Lam


Dropbox 2-step Authentication, in Alpha!


After several security problems Dropbox has finally enabled 2-step authentication for their users. But is it any good? Can we trust it? Can we now trust Dropbox again? No! A chain of trust is only as strong as its weakest link, and at Dropbox the weakest link is their change and systems management. Do you remember that in 2011 user accounts were open for 4 hours? Anyone could log in to any account with any password. This year a list of email addresses was compromised, and combined with passwords stolen from other sites, access to certain Dropbox accounts was gained.

While 2-step authentication is a solution for the latter, it is not for the former. People who use the same logins and passwords on different sites on the internet are not likely to enable 2-step authentication. To put it kindly, these people don’t care about security or are unaware of it. Dropbox making big mistakes like the one in 2011 is another ballgame and is not solved by 2-step authentication.

Do I advise against the use of Dropbox? No, but I wouldn’t put private files on there unless you encrypt them yourself. For example: I keep my 1Password database on Dropbox, but I trust that because the database is encrypted with military-grade encryption. If you think of Dropbox as public storage you are safe. After all, it is a great sharing mechanism and an alternative to large email attachments. Even the 1Password guys are advising against the use of Dropbox 2-step authentication for the moment, and they explain very well why.

Dropbox 2-step authentication is in alpha and not yet finished. Here’s why:

  • The help is not yet finished
  • There is an active discussion list about the experimental version
  • You can only choose between an OTP app and texting, not have both
  • No OTP list, just one backup password
  • No word about application-specific passwords, but they are there
  • No clear account recovery procedure

Do I use it? Yes, live life on the edge, even though AgileBits is advising against it for the moment. But I don’t encourage mainstream users to use it yet. Let’s first get the bugs out and let the Dropbox team gain some trust.

“Trust comes by foot and leaves by horse.”