As headlines about corporate hacks and data leaks have continued to dominate technology news sites, companies have moved to offer more security features to worried users and enterprise clients. Today, Dropbox announced that it is introducing support for the open-standard FIDO Universal Second Factor (U2F) verification to provide better account security to its users.
The cloud storage service has already been offering two-step verification for years, requiring users to provide both their usual usernames and passwords, plus additional security codes sent to their phones. The use of a second factor helps protect users from a variety of methods hackers can use to access passwords.
Safer than SMS
But relying on security codes sent via SMS is not foolproof, either. Dead batteries or lost phones can prevent users from accessing their accounts. The six-digit security code can also be vulnerable to phishing attacks, although it remains a much safer method than single-factor verification alone.
“Some sophisticated attackers can still use fake Dropbox Web sites to lure you into entering your password and verification code,” the company said in a blog post announcing support for U2F. “They can then use this information to access your account.”
U2F, however, allows users to access their accounts by plugging in USB devices that function as account keys. Instead of typing in six-digit codes sent to their cell phones, users will plug their USB keys into the computers they're using to access their accounts. Using a USB device is more secure than SMS messages and also negates the problem of lost or dead cell phones. Unlike the six-digit security codes, USB keys will only interact with the legitimate Dropbox Web site, which protects users who are lured to spoofed URLs.
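The difference between a typed code and a security key can be shown in a short model. The JavaScript below is an added illustration, not Dropbox's or FIDO's code: it simplifies U2F to its origin-binding step (the counter, user-presence flag and key handle are omitted), and the two origins, the sample code and all function names are constructed for the example.

```javascript
const crypto = require('crypto');
const sha256 = (s) => crypto.createHash('sha256').update(s).digest();

// Six-digit code: the server sees only the digits, never where they were typed.
function verifyCode(expectedCode, submittedCode) {
  return expectedCode === submittedCode;
}

// Security key registered with the service. `sign` models browser plus key:
// the browser, not the page, supplies the origin that ends up in the signature.
function registerKey() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const sign = (browserOrigin, challenge) => {
    const clientData = JSON.stringify({ challenge, origin: browserOrigin });
    const signed = Buffer.concat([sha256(browserOrigin), sha256(clientData)]);
    return { clientData, signature: crypto.sign('sha256', signed, privateKey) };
  };
  return { publicKey, sign };
}

// Server side: accept only a signature made over its own origin and challenge.
function verifyAssertion(publicKey, expectedOrigin, challenge, { clientData, signature }) {
  const parsed = JSON.parse(clientData);
  if (parsed.origin !== expectedOrigin || parsed.challenge !== challenge) return false;
  const signed = Buffer.concat([sha256(expectedOrigin), sha256(clientData)]);
  return crypto.verify('sha256', signed, publicKey, signature);
}

function demo() {
  const REAL = 'https://storage.example';        // constructed legitimate origin
  const FAKE = 'https://storage-login.example';  // constructed look-alike origin
  const key = registerKey();
  const challenge = crypto.randomBytes(16).toString('hex');
  const onFake = key.sign(FAKE, challenge);
  // Same signature, but with the origin field rewritten to look legitimate.
  const rewritten = {
    clientData: JSON.stringify({ challenge, origin: REAL }),
    signature: onFake.signature,
  };
  return {
    codeRelayed: verifyCode('492817', '492817'), // code typed on FAKE, passed on unchanged
    keyOnReal: verifyAssertion(key.publicKey, REAL, challenge, key.sign(REAL, challenge)),
    keyOnFake: verifyAssertion(key.publicKey, REAL, challenge, onFake),
    keyRewritten: verifyAssertion(key.publicKey, REAL, challenge, rewritten),
  };
}
```

A code entered on the look-alike site still verifies because nothing ties it to a site, while the key's response fails both as produced on the wrong origin and after the origin field is rewritten.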
Added Security for Businesses
Setting up a security key requires a one-time purchase of a USB key that follows the FIDO U2F standard. Once a user has a security key, it can be enabled for both personal and work Dropbox accounts. It can also be used with any other U2F-enabled service, such as Google apps.
The company has previously been criticized for not providing users with sufficient security protections. Edward Snowden, the former National Security Agency contractor and whistleblower, described Dropbox as “hostile to privacy.” But as the company has expanded its number of business customers, it has sought to introduce additional security features. Last year, it added password protection for link sharing, along with link expiration functionality.
Currently, Dropbox is only supporting U2F on the Chrome browser, so users with other browsers will have to continue using SMS verifications or authentication apps if they want two-factor verification. The security key also cannot be used to sign into the desktop client or the mobile app. Business admins will be able to enforce two-factor verification for all employees accessing corporate Dropbox accounts.