Secure Dropbox with Two-Step Verification

Putting your data in the cloud gives you the convenience of accessing it from anywhere. Dropbox is a popular cloud file storage solution that creates a folder on each of your computers. Anything placed in that folder will automatically be synced to other computers attached to your account.

These files are also accessible through the web site and through apps for popular mobile phones such as the iPhone, iPad, Android, and Blackberry devices. Save a file on your desktop and it will be on your laptop when you’re sitting at a hotel and need to update it. Your files can be accessed anywhere — make sure it’s done so safely!

This convenience comes at a risk. Now your files are on the Internet where not everyone is a polite and good citizen. Some people respond to this by not putting sensitive information in Dropbox. This makes that data impossible to get through your Dropbox account, but reduces the effectiveness of the site since the appeal is to have any file you want wherever you might need it. If you can’t put a file into Dropbox because it contains sensitive data, then the site becomes less usable.

An alternative is to increase the security of accessing the site. As a feature of this, Dropbox recently began offering two factor authentication services. This is designed to improve the security and make it more difficult for someone else to access your files. Let’s look at what it is and how can you take advantage of it.

What is Two Factor Authentication

Two Factor authentication, which Dropbox refers to as two-step verification, adds an extra layer of security to an account. A traditional login consists of a username and password. This is one factor, something that only you should know. The second factor is added when we require an additional item of information, usually in the form of something that only the authorized user should have access to. Banks often provide a small keychain dongle for this purpose.

In addition to the password, the user must have a numeric code given by this dongle. As hacking has become more of a problem after several high profile sites have been effected, including Dropbox, more sites have begun to offer this additional security in an attempt to make accessing another person’s account more difficult.

Dropbox uses your mobile phone as the second factor. Once you enable two-step verification, Dropbox will require you to enter a time sensitive six digit number any time you log into the web site, link a new computer, phone, or tablet to Dropbox in addition to your current login username and password.

This code can either be delivered to your phone by a text message or provided by an application running on your Smartphone. While Dropbox does not provide its own application specifically for mobile phones, it works with apps available for the iPhone, Android, Blackberry, and Windows Phone 7.

Getting the App

If you plan to use text messaging, you can skip this section. If you wish to instead use an app, it is best to have the app installed on your Smartphone before turning on two-step authentication. Dropbox will work with any app that supports the Time-based One-Time Password (TOTP) protocol. Google Authenticator is provided by Google for its own two factor service works for iPhone, Android, or Blackberry users.

Windows Phone 7 users can use Authenticator instead.

After you have installed these apps, you will later scan a photo of a barcode that Dropbox will provide containing the specific information for your account setup. Once you have this setup, then your app will provide the correct six digit code at any time. As a bonus these apps work without having cell service which allows you to still authenticate even when the only network you have is wifi.

Turn on Two Factor

Dropbox Settings

Security Settings in Dropbox where you enable two step authentication.

First we need to tell Dropbox that we want to use two step authentication. Log into your Dropbox account on the website. From there click on your name to open up your account. Now click on Settings to go to your account settings. Click the Security tab. There will be an option for Two-step verification that will read Disabled with a link next to it labeled Change. Click this link.

You will be asked to enter your password to verify that you are the person making this change to your account and then be asked to verify that you do want to enable two-step verification with your Dropbox account. You will also be given a sixteen digit backup code. If you lose your phone or otherwise cannot generate the security code this is the only way that you can access your account. Keep this code safe as its the last resource to again access your Dropbox account.

Enabling Two Step Authentication

You can use either text messaging or a mobile app for the security code

You’ll be given two options to receive the security code, either by text message or with a mobile app. Select the one you wish and then follow the appropriate instructions below.

Text Messages

You must have a phone that can receive text messages. If you are charged for text messages, then you will be charged for each one that you receive from Dropbox. With this option whenever you sign in to Dropbox with your username and password, the six digit verification code will be texted to your number.

Enter the phone number that you wish to receive text messages at. A verification security code will then be sent to that number to verify it. Enter the number once you receive the text message and you are now verified and two-step authentication is enabled for your account.

Mobile App

Install an appropriate app on your phone as mentioned before before enabling this option in Dropbox. Select the mobile app option. A 2d bar code will then be displayed. This bar code encodes the secret key that the app will use to generate the time sensitive code it displays to you.

Most apps support adding a verification option by scanning this barcode with your phone’s camera. If your phone does not have a camera you can also enter the code manually in most apps or those that do not support scanning the barcode. After the code is entered from either method, you will need to enter the code shown by the app to verify the setup is correct and enable two factor authentication.

Logging In

Request Verification Code

You must enter the correct code to access Dropbox after turning on two step authentication.

Now when you attempt to log into the Dropbox web site you will be asked for the security code. This code will either be delivered to you by text message to your phone or will be visible in the app that you connected to your account in the last step. If you ever lose your phone or otherwise cannot receive or generate the code, you can click the I lost my phone link when asked for the security code.

This will let you enter to sixteen digit code provided when you activated two-step authentication and disable two-step authentication. This will allow you to again log in using only your username and password to access your account. You can re-enable it at a later time with a new phone.

When you log in, you also have the option to trust the computer you are logging in from. If you do this then you will not be asked for the security code again. Anyone with access to the computer will then be able to access your Dropbox account as before with only the username and password. In effect this option disabled two factor on the device you are using at that time. It should only be used for devices you trust and have secured or you’d otherwise be defeating much of the purpose of enabling this feature.


Ultimately security is a personal choice against convenience. Putting files onto the Internet provides more convenience, but at increased risk if someone gains access to your account. By adding additional security such as two factor authentication you can reduce the changes of an unauthorized user gaining access to your account.

In the end, you have to choose what material you feel comfortable putting into the cloud, but adding additional security when possible will help you to feel better about what is there.