A few weeks ago, when Dropbox users began reporting that their emails had been leaked to spam lists, Dropbox made some security changes and promised it would bolster its security measures further. The company has now made good on its promise, rolling out the beta version of a two-factor authentication system over the weekend.
The "experimental feature" requires logged-in users to visit an opt-in URL, which will switch on a two-factor authentication option in their account's security panel.
There are no hardware tokens for the system. Instead, users can choose to enter their mobile phone number in order to have codes sent via SMS each time they attempt to log in. Alternatively, users can use an app to retrieve tokens. Dropbox has decided not to create its own app for this: because it has chosen the Time-based One-Time Password (TOTP) protocol for its two-factor authentication system, users can rely on three existing applications to create tokens.
Users who are already using Amazon AWS MFA (multi-factor authentication), Authenticator for Windows Phone 7, or Google Authenticator for Android/iPhone/BlackBerry can simply have tokens generated through these apps.
Signing up will also generate a 16-character code that users will need to store in a safe place (ideally, not on their phone) in the event that they can't enter their token and need to disable the two-factor authentication.
Two-factor authentication actually comes into play when a user attempts to link a new device. This means that if a user decides to unlink their old desktop client, they will need to download the experimental software in order to re-link with two-factor authentication. Previously linked devices will remain linked.