Dropbox’s impending introduction of two-factor authentication in the coming weeks can help boost security, but it isn’t a panacea on its own and could introduce crippling usability issues for end-users.
Security is always a trade-off between risk and usability. To reinforce the point, look no further than the decade-long popularity of 123456 as an end-user credential, which combines high risk with near-frictionless usability.
And in today’s world, portability in the form of smartphones and laptops further complicates the equation.
Dropbox says its soon-to-be-deployed two-factor authentication will offer an option such as a password and a temporary code sent to a phone. This second factor of authentication ups the security level a notch.
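To make the password-plus-temporary-code scheme concrete, here is an added example of how a service can issue and verify a short-lived out-of-band code. This is illustrative code written for this article, not Dropbox's implementation; the store, field names, the five-minute lifetime and the five-guess limit are all assumptions, and the "outbox" list stands in for the SMS gateway that would actually deliver the code.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

CODE_DIGITS = 6
CODE_TTL_SECONDS = 300   # assumed lifetime of a "temporary" code: five minutes
MAX_ATTEMPTS = 5         # assumed guess budget before the code is burned


@dataclass
class PendingCode:
    salt: bytes
    digest: bytes       # salted hash of the code; the plaintext is never stored
    expires_at: float
    attempts: int = 0


@dataclass
class SecondFactorStore:
    # username -> the single outstanding code for that user
    pending: dict = field(default_factory=dict)
    # constructed stand-in for the SMS gateway; a real service would not keep this
    outbox: list = field(default_factory=list)


def _digest(salt: bytes, code: str) -> bytes:
    return hashlib.sha256(salt + code.encode()).digest()


def issue_code(store: SecondFactorStore, username: str, now: float = None) -> str:
    """Generate a random numeric code, record only its salted hash, and hand
    the plaintext to the (simulated) out-of-band channel."""
    now = time.time() if now is None else now
    code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
    salt = secrets.token_bytes(16)
    # Issuing a new code replaces any previous one, so at most one is live.
    store.pending[username] = PendingCode(salt, _digest(salt, code),
                                          now + CODE_TTL_SECONDS)
    store.outbox.append((username, code))
    return code


def verify_code(store: SecondFactorStore, username: str, submitted: str,
                now: float = None) -> tuple:
    """Return (accepted, reason). The code is single-use, expires, and tolerates
    only a bounded number of wrong guesses; comparison is constant-time."""
    now = time.time() if now is None else now
    pending = store.pending.get(username)
    if pending is None:
        return False, "no_code_outstanding"
    if now > pending.expires_at:
        del store.pending[username]
        return False, "expired"
    pending.attempts += 1
    if pending.attempts > MAX_ATTEMPTS:
        del store.pending[username]          # burn the code, force re-issue
        return False, "too_many_attempts"
    if not hmac.compare_digest(_digest(pending.salt, submitted), pending.digest):
        return False, "mismatch"
    del store.pending[username]              # consumed: cannot be replayed
    return True, "ok"


if __name__ == "__main__":
    store = SecondFactorStore()
    code = issue_code(store, "alice")
    print("delivered out of band:", store.outbox[-1])
    print(verify_code(store, "alice", code))
    print(verify_code(store, "alice", code))  # second use is rejected
```

The defensive points the code makes explicit are the ones the article's trade-off discussion turns on: the code is worthless after a few minutes or one successful use, a wrong guess costs the attacker one of a small budget, and a database leak exposes only salted hashes of codes that are already dead.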
“It’s not perfect, but I am generally a fan of that approach; it moves the authentication out of band, which is good,” says Gunnar Peterson, managing principal of Arctec Group. “However, with so many people using smartphones it might not be as out of band as it used to be, but still it raises the bar on the attacker,” says Peterson, who focuses on distributed systems security for large mission-critical financial, financial-exchange, healthcare, manufacturing and insurance systems.
The major downside of the phone-code factor, however, is that users traditionally grow tired of the log-in process. Usability studies done by Google as far back as 2008 show that websites and enterprises consistently get feedback from users saying the process becomes annoying after repeated use and the log-in process becomes cumbersome.
Eventually, use of the protected resource slows or evaporates completely.
So there is a question of how many users will opt for Dropbox’s two-factor authentication and how many of those who accept it will stick with it. Policy can impose certain rules on users (which erodes usability), but often the rules foster creative workarounds (which increase risk).
But two-factor authentication is not the only change Dropbox plans to institute. It will deploy automated mechanisms to identify suspicious behavior. The company is also offering a new Web page that lets users examine all active logins to their accounts (ironically, that page is itself accessed via a user name and password).
And the company is reserving the right to require users to change their password if it is commonly used or has not been changed in a “long time.”
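The three account-side measures just described (flagging suspicious logins, showing a user their active logins, and forcing a change of a commonly used or stale password) can be sketched together. The following is an added example written for this article, not Dropbox's code: the session store, the "new device / new country" heuristic, the 30-day idle limit, the one-year password age and the short list of common passwords are all assumptions chosen to illustrate the mechanism.

```python
import secrets
from dataclasses import dataclass, field

DAY = 86400.0
SESSION_IDLE_LIMIT = 30 * DAY        # assumed: idle sessions drop off the list
MAX_PASSWORD_AGE_DAYS = 365          # assumed meaning of "not changed in a long time"
MIN_PASSWORD_LENGTH = 12             # assumed
# Constructed excerpt of a "commonly used password" list; 123456 is from the article.
COMMON_PASSWORDS = {"123456", "password", "12345678", "qwerty", "abc123", "111111"}


@dataclass
class Session:
    session_id: str
    username: str
    device: str      # constructed label, e.g. "MacBook / Chrome"
    ip: str
    country: str
    created_at: float
    last_seen: float


@dataclass
class Account:
    username: str
    password_changed_at: float
    flagged_common: bool = False     # set when the stored password was found on a list


@dataclass
class ActivityStore:
    sessions: dict = field(default_factory=dict)   # username -> [Session, ...]


def evaluate_new_password(candidate: str) -> tuple:
    """Applied at password-set time, so the service never needs the plaintext later."""
    if candidate in COMMON_PASSWORDS:
        return False, "common"
    if len(candidate) < MIN_PASSWORD_LENGTH:
        return False, "too_short"
    return True, "ok"


def must_change_password(account: Account, now: float) -> bool:
    """The article's rule: force a change if the password is commonly used or old."""
    age_days = (now - account.password_changed_at) / DAY
    return account.flagged_common or age_days > MAX_PASSWORD_AGE_DAYS


def record_login(store: ActivityStore, username: str, device: str, ip: str,
                 country: str, now: float) -> tuple:
    """Create a session and return (session, alerts). Alerts compare the new login
    against the user's own history; a first-ever login has nothing to compare to."""
    history = store.sessions.setdefault(username, [])
    alerts = []
    if history:
        if device not in {s.device for s in history}:
            alerts.append("new_device")
        if country not in {s.country for s in history}:
            alerts.append("new_country")
    session = Session(secrets.token_hex(8), username, device, ip, country, now, now)
    history.append(session)
    return session, alerts


def active_logins(store: ActivityStore, username: str, now: float) -> list:
    """What the 'examine all active logins' page would render for one user."""
    return [s for s in store.sessions.get(username, [])
            if now - s.last_seen < SESSION_IDLE_LIMIT]


def revoke(store: ActivityStore, username: str, session_id: str) -> bool:
    """Let the account owner kill a session they do not recognise."""
    history = store.sessions.get(username, [])
    remaining = [s for s in history if s.session_id != session_id]
    store.sessions[username] = remaining
    return len(remaining) != len(history)


if __name__ == "__main__":
    store = ActivityStore()
    now = 400 * DAY
    s1, _ = record_login(store, "alice", "MacBook / Chrome", "203.0.113.5", "US", now)
    s2, alerts = record_login(store, "alice", "Unknown Android", "198.51.100.7", "BR", now + 60)
    print("alerts for second login:", alerts)
    for s in active_logins(store, "alice", now + 60):
        print(s.session_id, s.device, s.country)
```

Both heuristics are deliberately simple and will produce false positives (a user buying a new phone abroad trips both at once), which is exactly the usability cost the article warns about; the point of the active-logins page is to let the user resolve such cases themselves rather than have the service lock them out.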
The difficulty of securing the Dropbox service, or any other password-protected service, will be further complicated as the company seeks to attract more corporate customers alongside the consumers that make up a large part of its user base.
Dropbox could add software certificates, persistent cookies or hardware tokens to harden its log-in process, but all those will come with trade-offs, including tying users to specific machines or IP subnets, that may or may not be worth it for end-users.
Dropbox also could tap into federated identity management models, such as those laid out by the National Strategy for Trusted Identities in Cyberspace (NSTIC), but that reality is a few years off. It could also explore OpenID Connect and other emerging identity protocols and frameworks that would take it out of the password business.
Security answers, however, don’t rest entirely with the log-in process. They must also be addressed at the other layers of security defense, especially when mobile devices are involved.
But rest assured, Dropbox is not the slippery slope, it is just the latest service sliding on it.
The company, however, has a history of issues around authentication including a flaw last year that exposed users’ files publicly, and issues in its iOS app that exposed user log-in credentials.
The company will be challenged to convince users the problems are fixed this time. And it will be challenged to build, maintain and sell to end-users the fixes it does come up with.