Friday, August 14, 2015

Dropbox Provides Extra Security via USB-based Keys

With most of our personal and business information being backed up to the cloud, security is key to keeping your data private. You’ve probably heard of 2-step authentication for email and other web-based accounts. After you log in with your password, you must also enter a secondary password or code before you can access your information, which makes a stolen password alone far less useful to an attacker.

For those of you using Dropbox, you’ll be pleased to know that they are now taking security to the next level. They have added support for USB-based keys, which make it harder for hackers to access your account. Dropbox originally introduced two-factor authentication back in 2012, after stolen passwords led to a spam attack.

Dropbox is using a standard called Universal 2nd Factor (U2F). U2F security keys are an additional option for two-factor authentication. Instead of using an application on your smartphone to generate codes (e.g., Google Authenticator), you insert a key into your device’s USB port once your Dropbox password has been entered.

According to a blog post from Dropbox, "Unlike two-step with a phone, you'll never have to worry about your battery going dead when you use a security key... Security keys provide stronger defense against credential theft attacks like phishing. Even if you're using two-step verification with your phone, some sophisticated attackers can still use fake Dropbox websites to lure you into entering your password and verification code. They can then use this information to access your account." The post continues, "Security keys are designed to protect against these types of attacks. By using cryptographic communication, they will only work when you're signing in to the legitimate Dropbox website."

Now, how does one get this extra security set up? Dropbox has created a guide to walk you through the process. Be aware that as of right now, U2F only works via the Chrome browser. If you're signing in from a device or platform that doesn't support U2F, you can use two-step authentication through text message or an authenticator app.