Dropbox Adds Security-Key Authentication To Boost Security of Users

Cloud storage provider Dropbox (BOX) has invested in security once again by adding security-key authentication to help ensure users are protected against data or credential breaches when they log in to their accounts.

We’ve already told you how a few months ago how Dropbox began to pay independent researchers so-called “bug bounties” for identifying flaws in its service. Now as additional security, the company has added Universal 2nd Factor (U2F) security keys as an additional method that now requires another verification step for authentication, the company said in a blog post.

Dropbox already has had a backup security method to the usual password authentication by requiring users to also enter codes sent via SMS to get into their accounts. But the keys—which in supported platforms replace these codes—provide stronger defense against credential theft accounts such as phishing, according to the post.

“Even if you’re using two-step verification with your phone, some sophisticated attackers can still use fake Dropbox websites to lure you into entering your password and verification code,” the company said. “They can then use this information to access your account.”

Security keys are stronger methods of authentication because they use cryptographic communication, so they will only work when you’re signing in to the legitimate Dropbox website, according to the company.

To use the keys, Dropbox users will have to acquire—that is, purchase—a USB security key that follows an open standard called “FIDO Universal 2nd Factor (U2F)” from the FIDO Alliance. The key can be set up with a Dropbox account or any other U2F-enabled services, including Google.

Once a user has a key, he or she must go to the Security tab in his or her Dropbox account settings in a Chrome browser only and click “Add” next to “Security keys.”

To use the key, a user types in his or her password to access an account and then inserts the key into a USB port when prompted instead of typing in a six-digit code. If users sign in from a device or platform that doesn’t support U2F, they can still use two-step verification through text message or an authenticator application, the company said.

Dropbox users can find detailed information on how to get started using the U2F keys in the company’s online Help Center.