Is two-factor authentication Dropbox’s security answer?

Summary: After admitting that its service was breached, Dropbox says it will offer two-factor authentication. Is it the answer to the issue or the start of a new round of questions?

TOPICS: Security, Cloud, Privacy

Dropbox’s two-factor authentication, due in the coming weeks, will raise the bar for account takeover, but it is no panacea on its own and could introduce usability problems serious enough to drive users away.

Security is always a trade-off between risk and usability. To see the point, look no further than the decade-long popularity of 123456 as an end-user password: maximum risk paired with near-frictionless usability.

And today, portable devices such as smartphones and laptops further complicate the equation.

Dropbox says its soon-to-be-deployed two-factor authentication will combine a password with a temporary code delivered to a phone. A stolen or reused password alone then no longer opens the account, which raises the security level a notch.

“It’s not perfect, but I am generally a fan of that approach; it moves the authentication out of band, which is good,” says Gunnar Peterson, managing principal of Arctec Group. “However, with so many people using smartphones it might not be as out of band as it used to be, but still it raises the bar on the attacker,” says Peterson, who focuses on distributed systems security for large mission-critical financial, financial-exchange, healthcare, manufacturing and insurance systems.

The major downside of the phone-code factor, however, is that users grow tired of the extra log-in step. Usability studies done by Google as far back as 2008 show that Web sites and enterprises consistently hear from users that the process becomes annoying with repeated use and the log-in grows cumbersome.

Eventually, use of the protected resource slows or evaporates completely.

So there is a question of how many users will opt in to Dropbox’s two-factor authentication and how many of those will stick with it. Policy can impose rules on users (which erodes usability), but the rules often foster creative workarounds (which increase risk).

But two-factor authentication is not the only change Dropbox plans to institute. It will deploy automated mechanisms to identify suspicious behavior. The company is also offering a new Web page that lets users examine all active logins to their accounts (ironically, that page is itself protected only by a user name and password).

And the company is reserving the right to require users to change their password if it is commonly used or has not been changed in a “long time.”
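The two measures in the preceding paragraphs, automated suspicious-login detection and a password-hygiene rule, are straightforward to sketch. The following is an added example, not Dropbox’s code, run over a handful of constructed login records: it flags a burst of failed logins, the first sighting of a device identifier on an account, and a country change too fast to be genuine, and it decides whether a password must be rotated because it appears on a common-password list or is older than a policy threshold. The thresholds, the device identifier, the geolocation field and the short common-password list are all assumptions made for the example.

```python
from dataclasses import dataclass

# Constructed, deliberately short list standing in for a real common-password
# corpus; a production check would use a large breached-password list.
COMMON_PASSWORDS = {"123456", "password", "12345678", "qwerty", "abc123"}
MAX_PASSWORD_AGE = 365 * 24 * 3600   # hypothetical meaning of "a long time": one year
FAIL_WINDOW = 600                    # seconds; hypothetical guessing window
MAX_FAILURES = 5                     # failures within the window that trigger a flag
GEO_WINDOW = 3600                    # a country change faster than this is suspect


@dataclass
class Login:
    user: str
    ts: int          # Unix time of the attempt
    ip: str
    country: str     # from IP geolocation, assumed already resolved
    device_id: str   # hypothetical persistent client identifier (e.g. a device cookie)
    success: bool


def needs_password_reset(password: str, last_changed: int, now: int):
    """Return the policy reason a password must be rotated, or None if it may stay."""
    if password in COMMON_PASSWORDS:
        return "common password"
    if now - last_changed > MAX_PASSWORD_AGE:
        return "password too old"
    return None


def flag_suspicious(events):
    """Return (user, reason) pairs for logins that deserve a closer look."""
    flags = []
    seen_devices = {}   # user -> set of device_ids that have logged in before
    last_geo = {}       # user -> (ts, country) of the most recent successful login
    failures = {}       # user -> timestamps of recent failed attempts
    for e in sorted(events, key=lambda x: x.ts):
        if not e.success:
            recent = [t for t in failures.get(e.user, []) if e.ts - t <= FAIL_WINDOW]
            recent.append(e.ts)
            failures[e.user] = recent
            if len(recent) >= MAX_FAILURES:
                flags.append((e.user, "password guessing"))
            continue
        devices = seen_devices.setdefault(e.user, set())
        if devices and e.device_id not in devices:
            flags.append((e.user, "new device"))
        devices.add(e.device_id)
        prev = last_geo.get(e.user)
        if prev and prev[1] != e.country and e.ts - prev[0] < GEO_WINDOW:
            flags.append((e.user, "country change within an hour"))
        last_geo[e.user] = (e.ts, e.country)
    return flags


# Constructed sample records (not real traffic): alice is taken over from a new
# device abroad, bob is being guessed at, carol is normal.
BASE = 1_344_000_000
SAMPLE = [
    Login("alice", BASE, "198.51.100.7", "US", "laptop-1", True),
    Login("alice", BASE + 1800, "203.0.113.9", "RU", "unknown-1", True),
    Login("carol", BASE + 100, "192.0.2.20", "US", "laptop-3", True),
    Login("carol", BASE + 7200, "192.0.2.20", "US", "laptop-3", True),
] + [Login("bob", BASE + 60 * i, "192.0.2.4", "US", "phone-2", False) for i in range(5)]


def demo():
    return flag_suspicious(SAMPLE)


if __name__ == "__main__":
    for user, reason in demo():
        print(user, reason)
    print(needs_password_reset("123456", BASE, BASE))
```

A flag here would feed the “active logins” page or trigger a step-up to the second factor rather than block outright; the point is that the new-device and geography signals are the same ones an attacker with only a reused password cannot easily fake.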

The difficulty of securing the Dropbox service, or any other password-protected service, will only grow as the company courts corporate customers in addition to the consumers who make up most of its user base.

Dropbox could add software certificates, persistent cookies or hardware tokens to harden its log-in process, but each comes with trade-offs, such as tying users to specific machines or IP subnets, that may or may not be worth it to end-users.

Dropbox also could tap federated identity models such as those laid out by the National Strategy for Trusted Identities in Cyberspace (NSTIC), but that reality is a few years off. Or it could explore OpenID Connect and other emerging identity protocols and frameworks that would take it out of the password business altogether.

Security answers, however, don’t rest entirely with the log-in process. They must also be addressed in different ways at the other layers of defense, especially when mobile devices are involved.

But rest assured, Dropbox is not the slippery slope, it is just the latest service sliding on it.

The company, however, has a history of authentication problems, including a flaw last year that exposed users’ files publicly and issues in its iOS app that exposed user log-in credentials.

The company will be challenged to convince users the problems are fixed this time. And it will be challenged to build, maintain and sell to end-users the fixes it does come up with.

John Fontana is a journalist focusing on authentication, identity, privacy and security issues. Currently, he is the Identity Evangelist for strong authentication vendor Yubico, where he also blogs about industry issues and standards work, including the FIDO Alliance.

  • Wrong-Headed

    If the DropBox breach happened because one of their employees' passwords got breached (presumably somewhere else) -- then how is requiring clients to use two-factor authentication supposed to help?

    DropBox should require all its employees who have possession or access to user information to use 'two-factor' authentication -- or similar. Sensitive client info should NEVER be just one password away from exposure!

    As for client users themselves, I believe they should ultimately be responsible for the safety/security of their own access. If I stupidly (or lazily) choose to use the same passwords for multiple sites and someone breaks into my DropBox account by using my password from other sites -- then that is my own fault -- and in any case, only my account will be hacked. And that is a different thing from DropBox security getting hacked.
    • In response to ReadandShare's comment

      That's exactly WHY two-factor auth exists.

      I could give you my Google password, but you wouldn't be able to login because I have two-factor auth enabled.

      You'd have to physically get my iPhone too and use the Google Authenticator app, which spits out expiring six-digit keys, to log in to my Google account.
  • Two-factor authentication sucks

    Two-factor authentication sucks! It's too hard for users. Most people will never use it. Dropbox should consider using Rublon (yes, that's my startup):

    7 reasons why you should add Rublon to your website:
    Michal Wendrowski
  • awesome functionality

    I use two-factor authentication across a lot of my accounts. I feel a lot more secure when I can telesign into my account. If you have that option available to you, use it; it is worth the time and effort to have the confidence that your account won't get hacked and your personal information isn't up for grabs. I'm hoping that more companies start to offer this awesome functionality. This should be a prerequisite for any system that wants to promote itself as being secure.
  • Two-factor is a good start

    Two-factor is a good start to preventing stolen passwords from being used, but what happens if the breach is not authentication-related? For example, stolen backups, or even a curious vendor working for one of the cloud providers accessing my data?

    Anyways good start regardless, so good job to Dropbox for taking steps at least in the right direction.

    We have a free application called IronCloud Desktop that works with Dropbox, Google Drive and SkyDrive that lets you drag-and-drop encrypt data on the client side for even more security. The link is if anyone is interested.


    Kevin Lam