Dropbox Enhances Authentication Security With USB Second Factor

Dropbox customers can now protect their accounts by using a USB device as the second factor in the two-step authentication (2FA) process.

2FA can be a highly efficient mechanism for protecting online accounts because it prevents unauthorized access even if the username and password have been compromised. The second authentication factor is usually provided via text messages or a special application, but physical USB security keys are also becoming increasingly popular.

With the addition of support for Universal 2nd Factor (U2F) security keys, Dropbox wants to enhance security while making it easy for customers to access their 2FA-protected accounts. When logging in to their account, after entering their password, users have to insert the security key into the computer’s USB port instead of typing in a 6-digit code received via SMS or an authentication app.

Dropbox has pointed out that two-step verification systems that rely on one-time passwords can be defeated by attackers who can trick victims into entering both their password and the verification code on a phishing website. Security keys are much more efficient because they use cryptographic communications to ensure that they can only be used on the legitimate Dropbox website.

Users who want to leverage the new feature must acquire a USB device compliant with FIDO U2F and add the security key to their account from the settings menu.

The new security feature currently only works on Google Chrome. Dropbox noted that customers who want to use the feature can continue to log in to their accounts by using the one-time passwords received via SMS or an authentication app when logging in from platforms or devices that don’t support U2F, or if they don’t have the security key on hand.

The U2F keys acquired by users for their Dropbox accounts can also be used for other services, such as Google. The search giant announced the introduction of USB security keys in October 2014.

The Linux Foundation also introduced a similar 2FA authentication feature last year for developers working on the Linux kernel.