A few weeks ago we wrote about a spam problem reported by Dropbox users.
Email addresses which had only ever been used with Dropbox accounts (at least so far as the account holders were aware) experienced a surge in spam, leading people to conclude that something had gone wrong at Dropbox.
As we reported at the time, the truth was actually a little more complex than that.
Some users had set the same password on multiple sites, and a compromise elsewhere led to their Dropbox accounts being unlawfully accessed and assaulted by spammers.
Other users were hit indirectly, because one of those “compromised elsewhere” accounts belonged to an employee at Dropbox itself. This staffer’s account was raided and gave up not one email address but many, thanks to what Dropbox described as “a project document with user email addresses.”
Part of Dropbox’s response was to promise a two-factor authentication (2FA) system using your mobile phone as the second factor.
The good news is that Dropbox is already starting to deliver on that promise: three days ago, the company announced that it was just about there, opening up the 2FA to early adopters prior to rolling it out (on an opt-in basis, at least for now) to everyone.
The Dropbox forum post which announced the 2FA availability doesn’t go into a whole lot of detail, but here’s what’s on offer:
We'll be adding optional two-step verification for all Dropbox accounts sometime in the next few days. Two-step verification adds an extra layer of protection to your account by requiring an additional security code that is sent to your phone by text message or generated using a mobile authenticator app.
(If you’re outside North America, the usability of SMS-based security tokens depends on your mobile provider’s willingness to accept and deliver international SMSes; some users on the Dropbox forum, e.g. in Moldova, Greece and New Zealand, have reported problems receiving their login codes over the air.)
Two-factor authentication that forces you to enter a per-transaction or per-session code – loosely speaking, a password that is used once and never again – is slightly less convenient for you, but very much less convenient for cybercrooks.
2FA even protects you from yourself, in the event that you inadvertently use the same password on more than one site, or get infected by key-logging malware: a stolen password alone no longer opens the account, and a one-time code that a keylogger captures is worthless once it has been used or has expired. (It won’t stop malware that hijacks a live session in real time, so treat it as an extra layer rather than a substitute for a clean computer.)
If you’re a Dropbox user, why not give it a go?