Dropbox going two-factor, becoming de facto
Move comes four weeks after the popular online file sharing service was hit by an embarrassing spam attack
By Antone Gonsalves
August 28, 2012 — CSO — Dropbox's decision to offer users two-factor authentication on top of their user ID and password reflects a growing trend among web service providers, experts say.
Dropbox, an online file-sharing service, introduced the second security layer on Monday as an option. To turn on the feature, users have to go to the security tab in their account settings and enable two-step verification in the "account sign in" section.
The option was released nearly four weeks after Dropbox was hit by an embarrassing spam attack that stemmed from the theft of an employee's password. The credential enabled the hacker to steal a number of user email addresses and send them ads for gambling sites. The addresses belonged to European users.
The use of two-factor authentication is growing among service providers as numerous high-profile breaches increase user awareness of the need for better security.
For example, Google has made it available to Google Apps subscribers. "We anticipate that more and more users, both corporate and consumer, will want to utilize their mobile device for secure access to either their own or corporate applications," Sally Hudson, analyst for IDC, said in an email.
The market for mobile enterprise security software, which would include two-factor authentication, is expected to reach nearly $2.5 billion in 2016 from $682 million last year, according to IDC. That amounts to a compound annual growth rate of 30%.
Other experts contacted by email praised Dropbox's decision. Andrew Wild, chief security officer for Qualys, said he had already enabled the feature on his personal account. "I'm pleased that Dropbox is offering an enhanced authentication option and I'd like for more web services to do the same," he said.
Jon Oberheide, co-founder and chief technology officer of Duo Security, said Dropbox "killed two birds with one stone" in launching the new service. "It serves as a reaction to their breach to increase consumer confidence, as well as implements a feature that businesses have been demanding from cloud storage vendors." (Duo Security is a two-factor authentication service provider.)
Dropbox is giving users the choice of having a six-digit one-time password texted to their mobile phones, or generated using a mobile authenticator app, such as Google Authenticator or Amazon Web Service's MFA.
The code supplied from either option would be necessary to complete the login process after entering a user ID and password.
Besides the recent spam attack, Dropbox has had other missteps with security. About a year ago, the company accidentally turned off password authentication for all its users for four hours before the snafu was discovered.
In May 2011, a security researcher at the University of Indiana filed a complaint with the Federal Trade Commission (FTC), claiming the company exaggerated the level of encryption used to secure customer data. The company denied the allegations.
Nevertheless, Dropbox is still seen by many industry observers as primarily a consumer service. "Strengthening authentication options is important, but enterprises require more than just strong authentication for a file-sharing SaaS (software as a service) to be considered enterprise ready," Wild said.
Those features would included the ability to manage and control credentials across multiple services and the ability to pull activity data to monitor document flow and security events, such as an unusual number of login failures.
Businesses also need to be able to block and control sharing of sensitive information.
Read more about access control in CSOonline's Access Control section.