Sophos Cloud Optix
A few weeks ago we wrote about a spam problem reported by Dropbox users.
Email addresses which had only ever been used with Dropbox accounts (at least so far as the account holders were aware) experienced a surge in spam, leading people to conclude that something had gone wrong at Dropbox.
As we reported at the time, the truth was actually a little more complex than that.
Some users had set the same password on multiple sites, and a compromise elsewhere led to their Dropbox accounts being unlawfully accessed and assaulted by spammers.
Other spam-affected users were affected indirectly, because one of those “compromised elsewhere” accounts belonged to an employee at Dropbox itself. This staffer’s was account was raided and gave up not one email address, but many, thanks to what Dropbox described as “a project document with user email addresses.”
Part of Dropbox’s response was to promise a two-factor authentication (2FA) system using your mobile phone as the second factor.
The good news is that Dropbox is already starting to deliver on that promise: three days ago, the company announced that it was just about there, opening up the the 2FA to early adopters prior to rolling it out (on an opt-in basis, at least for now) to everyone.
The Dropbox forum post which announced the 2FA availability doesn’t go into a whole lot of detail, but here’s what’s on offer:
We'll be adding optional two-step verification for all Dropbox accounts sometime in the next few days. Two-step verification adds an extra layer of protection to your account by requiring an additional security code that is sent to your phone by text message or generated using a mobile authenticator app.
(If you’re outside North America, the usability of SMS-based security tokens depends on your mobile provider’s willingness to accept and deliver international SMSes; some users on the Dropbox forum, e.g. in Moldova, Greece and New Zealand, have reported problems receiving their login codes over the air.)
Two-factor authentication that forces you to enter a per-transaction or per-session code – loosely speaking, a password that is used once and never again – is slightly less convenient for you, but very much less convenient for cybercrooks.
2FA even protects you from yourself, in the event that you inadvertently use the same password on more than one site, or get infected by key-logging malware.
If you’re a Dropbox user, why not give it a go?
–
Awesome. I'm ready for it, it will protect my data better until I get my data server sorted out.
I've been using the Google accounts 2fa for a while. While I definitely appreciate the security aspect, there just must be a better way – it is pretty inconvenient – and means that if I've left my phone then I cannot access my accounts.
The other problem with complex security arrangements like this are that they make automation of things very hard – I do test/build/integration automation as a day job, so moving data between various systems and iteracting with them with as little human intervention as possible is important.
Perhaps there is a good way though – key pair auth like ssh – long complex sequences, that have to be authenticated once as the user logs in on their machine. I realise this wouldn't prevent somebody social engineering them out of their private key – but is surely more secure than password based security. Especially if some kind of key rotation/automatic salting or similar could be added.
Errrr…don't leave your phone behind, then 🙂
Key-pair auth would be a nice-to-have but the idea of Dropbox-like services is that you can access your data from anywhere. (That's also one of the dangers of the service, of course!) So you'd have to carry your private key with you anyway – and put copies of it on other people's computers, etc. if you wanted Dropbox for its "access anywhere" flexibility.
OTOH, if you don't need Dropbox for that "access anywhere" freedom – e.g. you're always moving data between the same sets of systems in your build-test process – wouldn't it be more convenient _and much simpler/safer_ to cut Dropbox out of the equation altogether and just send the data directly from server A to server B using SSH or the like?
For the average user, I see the introduction of a step into Dropbox (and similar services) which inhibits automation as a positive one, at least from an unnoticed-and-unauthorised-access point of view…as @Ben Pike bluntly points out below, security and convenience almost always operate in some kind of inverse-proportion relationship.
No one ever said security was convenient…
I'll stand up and say security needs to be convenient.
LastPass is a good example of usable security.
To be fair, 2FA is intended to solve (or at least to address) parts of the security puzzle which LastPass doesn't. In particular, LastPass doesn't add one-time-only passwords to your authentication "diet".
2FA is intended to add an extra layer of authentication which varies unguessably every time you login. So it's safe to say that it can never be as convenient as having password you entrust to LastPass and let it enter on your behalf for weeks/months/years. But IMO it is also safe to say, for exactly the same reason, that LastPass will never be as secure against password thieves.
@Danny Staple notes that it's inconvenient to have 2FA if you lose or forget the "second factor" device (token, phone, whatever). Point taken. But that cuts both ways, of course. Whenever you *do* have the second factor at hand, it follows that the crook does not, and thus that *he* is inconvenienced instead.
You need to decide which outcome is the most troublesome to you: the risk that you might lock yourself out, or the risk that a crook might too easily let himself in.
LastPass does offer 2FA when used in conjunction with Yubikey.
Your next comment “Does it count as 2FA if the device you receive the code on, is the device you are accessing the site on?” was my immediate reaction WRT both DropBox and Google.
Here again, I would opt for the Yubikey/LastPass solution or my Roboform running from the encrypted partition of my biometric thumbdrive with FIPS 140-2 level 3 or 4 protecton.
I just noticed that I should have given Sean credit for the latter comment.
Does it count as 2FA if the device you receive the code on, is the device you are accessing the site on? So a smartphone is really not a separate communications channel most of the time especially if the "something I know " is stored in the Dropbox app and the "something I have" is the very same smartphone.
Dropbox calls it a two step process whic seems more accurate
More reasons to ensure a strong pass code on your phone.
"Does it count as 2FA if the device you receive the code on, is the device you are accessing the site on? "
Not really. Of course, if a crook already has malware on your phone which can intercept and redirect SMSes, then the second factor (or second step, to use your terminology – Dropbox use both ways to describe their solution) is busted anyway – whether you access the data from your phone or from your laptop.
I greatly prefer 2FA which uses a dedicated, allegedly tamper-proof, token – the sort with a tiny keypad and display on which you enter a server-side challenge code and then reply with a one-time response. Second choice is one of those time-based tokens which has a one-time response (measured at 60-second granularity 🙂 They're more prevalent, probably because they're cheaper and seen as less inconvenient.
Of course, 2FA doesn't _eliminate_ the problem of hackers, crooks and crackers. As the RSA breach proved, a crook may be able to steal not only your regular username/password database, but also sufficient "shared secret" data to allow him to reproduce the token sequences of your users.
But 2FA _does_ raise the bar (if you will pardon that overworked phrase) for the Bad Guys. Here's a paper on that very issue. Written in 2006 but still pertinent. though I say so myself: http://bit.ly/Tkpbaj
Is it that it costs too much to be proactive instead of reactive? I do not understand why such large companies wait until they've been hacked, embarrassed in public, and potentially held responsible before they upgrade security.
Do they not look outside of their own box to see what is going on around them?
I've no empathy for any company that waits too long before implementing preventive measures, and, especially, if they don't keep them up to date. Even less so if they put the burden on the customers.
I use DropBox on my tablet, desktop and netbook. How will this work since I don’t use it on my phone?
Your phone is just to receive the authentication code – it doesn't need to be running DropBox. You can also use Google authenticator on your tablet if you don't want to use a mobile.
Err, just sayin’… but if a Dropbox employee happens to have user emails casually and insecurely stored on his account as “a project document”, then what is the implication of giving Dropbox more personal data to abuse and treat insecurely – I’m certainly not giving Dropbox my mobile phone number until they can explain why data protection isn’t taken seriously at their company!
It's nice to see that leading companies in their respective verticals are giving users the perfect balance between security and user experience by implementing 2FA which allows us to telesign into our accounts. I know some will claim this make things more complicated, but the slight inconvenience each time you log in is worth the confidence of knowing your info is secure. I use Two-Factor Authentication across a lot of my accounts. I feel a lot more secure when I can telesign into my account. If you have that option available to you use it, it is worth the time and effort to have the confidence that your account won't get hacked and your personal information isn't up for grabs. I'm hoping that more companies start to offer this awesome functionality. This should be a prerequisite to any system that wants to promote itself as being secure.