
Dropbox Adds Two-Factor Authentication

samzenpus posted about 2 years ago | from the checking-it-twice dept.

Security 64

angry tapir writes "File-sharing service Dropbox is now offering two-factor authentication, a system that makes it much harder for hackers to capture valid credentials for a person's account. Dropbox, one of the most widely used web-based storage services, said last month it planned on introducing two-factor authentication after user names and passwords were stolen from another website and used to access accounts."


64 comments


The rumors are 100% fact. (-1, Troll)

Snappyolyness (2713751) | about 2 years ago | (#41136037)

Precisely five minutes ago, while reading a few Slashdot comments, I expelled flatulence out of my very own anus. I didn't expel flatulence out of someone else's anus; I expelled it out of my own. That's what makes it truly astonishing!

Don't call it file-sharing (3, Funny)

Anonymous Coward | about 2 years ago | (#41136069)

It's cloud storage. Calling it file-sharing will get it confiscated by the Feds.

Re:Don't call it file-sharing (-1)

Anonymous Coward | about 2 years ago | (#41136089)

Wow! Wow! Wow! Such a thing just occurred! A fart of colossal proportions just shot out of my very own asshole whilst reading your comment. I came to the garbage of this place and realized how incorrect one such as you often is!

Re:Don't call it file-sharing (-1)

Anonymous Coward | about 2 years ago | (#41136169)

Dear KGB,
your bot needs more work since this story has nothing to do with you guys, or does it?

More Security for My Cat Pictures! (-1, Offtopic)

DevotedSkeptic (2715017) | about 2 years ago | (#41136081)

Now I can has more security!

Re:More Security for My Cat Pictures! (-1, Troll)

Anonymous Coward | about 2 years ago | (#41136161)

Maybe now you can shut up and stop using lame memes that don't even have anything to do with the article. Go back to watching Cartoon Network, neckbeard. Leave the computing to the adults.

Re:More Security for My Cat Pictures! (-1, Offtopic)

broggyr (924379) | about 2 years ago | (#41136229)

Wow. Rage much? lol

Re:More Security for My Cat Pictures! (-1, Offtopic)

DevotedSkeptic (2715017) | about 2 years ago | (#41136251)

I refuse to stop using lame memes. I just don't see the point in 2-factor authentication for a service I wouldn't trust enough to store sensitive data on, but at least they are trying, I guess. Slow news day so far.

Re:More Security for My Cat Pictures! (-1)

Anonymous Coward | about 2 years ago | (#41136323)

Maybe you can take some time to learn to speak English. [sic]

Re:More Security for My Cat Pictures! (2, Insightful)

Anonymous Coward | about 2 years ago | (#41136353)

There's a lot of data people need to sync and share that is confidential enough that you don't really want it to leak out, but still not that secret that it's the end of the world if it does. You know, the kind of data you would be perfectly comfortable letting a reasonably big and relatively trustworthy service manage for you.

And if that service gets even more secure, you can rest easy knowing that if the data does leak out, it's not because you were careless with your passwords, and thus you have someone else to blame.

By now Dropbox have a proven track record of security and reliability. Yes, it was apparent that they themselves could get at the data if they needed, but I fail to see how it would work otherwise. At least with this, you can be somewhat safer knowing that it would take more than hacking your account at some other, less secure service to get at the data, just because you like to reuse passwords.

Re:More Security for My Cat Pictures! (1)

Kalriath (849904) | about 2 years ago | (#41144629)

You're talking about Dropbox, the service that accidentally during a code push made it so that a user's password wasn't needed to get at their Dropbox files, and managed to get an extract from their user database stolen. I don't call that "a proven track record of security and reliability", unless you mean a bad track record.

Re:More Security for My Cat Pictures! (0)

Anonymous Coward | about 2 years ago | (#41136443)

> complain about memes
> neckbeard

Re:More Security for My Cat Pictures! (-1, Offtopic)

Sectoid_Dev (232963) | about 2 years ago | (#41137185)

You mad bro?

Re:More Security for My Cat Pictures! (0)

Anonymous Coward | about 2 years ago | (#41137403)

Haters gonna hate ...

Great! (2, Funny)

Anonymous Coward | about 2 years ago | (#41136083)

I put my Dropbox Emergency key in Google Drive, and my Google Emergency Key in Dropbox. This should work out perfectly.

Re:Great! (5, Funny)

Anonymous Coward | about 2 years ago | (#41136413)

I put my Dropbox Emergency key in Google Drive, and my Google Emergency Key in Dropbox. This should work out perfectly.

I did too, and then synced them both with my SkyDrive!

Month long NDA? (1)

vlm (69642) | about 2 years ago | (#41136109)

Dropbox ...said last month

What, a month long NDA, because release date is today, or what is the story on the delay?

Re:Month long NDA? (0)

Anonymous Coward | about 2 years ago | (#41136141)

Read the summary.

"Dropbox is now offering"
"said last month it planned"

No solution to the real problem (3, Interesting)

robmv (855035) | about 2 years ago | (#41136165)

Someone will hack them and will export the shared secret used for RFC 6238 TOTP: Time-Based One-Time Password Algorithm [ietf.org]. Two-factor authentication's job is to protect the user. It doesn't make Dropbox's security practices better, and they have already demonstrated that they are bad.

Re:No solution to the real problem (0)

Anonymous Coward | about 2 years ago | (#41136259)

Or steal the 16-digit backup code used to unlock the account.

While setting up two-factor authentication, users get a 16-digit backup code that can be used to unlock their account if they lose their phones and can't obtain codes through SMS or an application.

Re:No solution to the real problem (0)

Anonymous Coward | about 2 years ago | (#41136301)

Dropbox wasn't hacked in the prior attack. Also, in a successful attack now you have two different products you have to find a security exploit on. Just throwing up your hands and saying 'everything can be hacked' isn't a security methodology.

Re:No solution to the real problem (4, Interesting)

yishai (677504) | about 2 years ago | (#41136519)

Dropbox wasn't hacked in the prior attack. Also, in a successful attack now you have two different products you have to find a security exploit on. Just throwing up your hands and saying 'everything can be hacked' isn't a security methodology.

The problem is that in the Dropbox company it was fine to just make a Dropbox account with some password that you reuse elsewhere. That is the fundamental problem. They don't have their employees use KeePass, or 1Password or something similar and generate random passwords that they change routinely, or any of these other security practices that would have prevented this attack without the two-factor authentication. Dropbox is a huge target and does not have the expertise to play in that league (evidenced by the fact that they needed outside help to figure out this attack). I think the two-factor authentication is a good thing, but if they think "OK, problem solved" then it is not helping them. There is no replacement for good security practices, especially in a company with such a high profile.

Re:No solution to the real problem (2)

yishai (677504) | about 2 years ago | (#41136431)

Someone will hack them and will export the shared secret used for RFC 6238 TOTP: Time-Based One-Time Password Algorithm [ietf.org]. Two-factor authentication's job is to protect the user. It doesn't make Dropbox's security practices better, and they have already demonstrated that they are bad.

Although I fundamentally agree that the underlying issue is their security practices (or lack thereof), this does address the specific recent hack (of an employee of theirs reusing the same password on Dropbox as on another account with another company that was compromised), and is a good idea regardless. I wish more sites did it.

You can have it too! (5, Informative)

0100010001010011 (652467) | about 2 years ago | (#41136297)

$ apt-cache search google authenticator
libpam-google-authenticator - Two-step verification

It's in Debian repositories (And probably Ubuntu.) You can download it yourself [googlecode.com] and integrate it into anything that supports PAM.

I have my code on both my phone and iPod touch so I always have something on me that can generate the code. The 'backup codes' are in a safety deposit box with other documents. Not sure if it actually is secure but it feels a bit more secure knowing that to get into my home server you have to have both my password and one of my devices. (And if I lose one I can easily generate a new key).

It makes a QR-code in the bash terminal that you can take a picture of with your devices.

Re:You can have it too! (3, Informative)

Maquis196 (535256) | about 2 years ago | (#41136405)

Can vouch for this. Google Authenticator uses PAM, so it's very easy to hook up to most things. I use it at work for our VPN stuff, also a few ssh servers.

Amazing piece of software.

Re:You can have it too! (1)

heypete (60671) | about 2 years ago | (#41136611)

Seconded. It's simple, easy to setup, and easy to integrate into a variety of services.

Re:You can have it too! (1)

Nerdfest (867930) | about 2 years ago | (#41136649)

In Ubuntu/Debian, it makes a nice two-factor mechanism for ssh as well.

Re:You can have it too! (1)

norminator (784674) | about 2 years ago | (#41138993)

Thanks to everyone who has posted about this here... I just got this set up on my own Ubuntu/ssh machine in the last couple of minutes, and it's pretty slick!

Re:You can have it too! (1)

Rich0 (548339) | about 2 years ago | (#41147577)

How well does it work with stuff that uses ssh but doesn't actually use openssh in a terminal to do it? For example, some nice GUI application that lets you access your home directory via ssh, or nx/x2go, etc. That would be my main concern with it. I'd also prefer not to have to use it if I was using RSA - that essentially is a two factor process already.

Re:You can have it too! (1)

Nerdfest (867930) | about 2 years ago | (#41148675)

Not sure about non-terminal use ... I imagine it would not work. An option with RSA keys would be to use a key with no password for convenience, with the 2nd factor being the authenticator. It would be mildly more convenient. Of course, leaving the password in place makes it even more secure.

Re:You can have it too! (0)

Anonymous Coward | about 2 years ago | (#41136527)

If you're in Germany, I recommend using the chip card reader and chip card you got with your HBCI/FinTS online banking. (If you don't have it yet, it's <30€, does away with ever needing any TANs or other OTPs again, and is *way* more secure, because it doesn't even trust the software requesting the transaction. Plus it allows you to do your online transactions right in GnuCash & co.)

The chip card you got, has free space, and can be used, to store other keys too, allowing you to do two-factor authentication for any arbitrary login. (Apologies for my overuse of commas. I'm still pretty insecure about how to do it right, and I may have a bit of a different thought pattern than most people.)

(The ones with the display are more expensive, but even better, since you can charge your Geldkarte [stored-value card] and even do legally valid digital signing of documents that hold up in court.)

Re:You can have it too! (0)

Anonymous Coward | about 2 years ago | (#41138089)

Simple comma rule - put them in where you would naturally pause while speaking. That will cover a good portion of the correct uses.

Re:You can have it too! (0)

Anonymous Coward | about 2 years ago | (#41142581)

There is also OATH Toolkit in Ubuntu/Debian, with a writeup on how to use OATH Toolkit with Dropbox [josefsson.org] .

jas@latte:~$ apt-cache search oath toolkit
liboath-dev - Development files for the OATH Toolkit Liboath library
liboath0 - OATH Toolkit Liboath library
libpam-oath - OATH Toolkit libpam_oath PAM module
oath-dbg - OATH Toolkit debugging symbols
oathtool - OATH Toolkit oathtool command line tool
jas@latte:~$

When did they become a file-sharing service? (0)

Anonymous Coward | about 2 years ago | (#41136371)

I know the capability is there, but it's still mainly just online storage.

Re:When did they become a file-sharing service? (0)

Anonymous Coward | about 2 years ago | (#41136427)

When slashbots wanted to say that Dropbox was "totally the same thing as" Megaupload, so it was unfair that one of them is very successful and the other got raided by the feds.

Re:When did they become a file-sharing service? (1)

RobertLTux (260313) | about 2 years ago | (#41136867)

A couple of ways this works:

1. The public folder: you can send a link to a file in your Dropbox to anybody.
2. If both of "us" have Dropbox accounts, then I can share a folder with you, and anything I put in you get and anything you put in I get (I think editing files is a bit wonky but...).

Re:When did they become a file-sharing service? (0)

MobileTatsu-NJG (946591) | about 2 years ago | (#41136885)

When I first used it a couple of years ago it was so I could deliver files to my client. I put the file in a folder on my machine, and it magically appears on his when it's done uploading. It most certainly is a file-sharing service, even if all it does is share them across machines that you own.

But did they actually make it any more secure (1, Interesting)

Anonymous Coward | about 2 years ago | (#41136461)

Great, but is it still the case you can just copy %APPDATA%\Dropbox\config.db to any computer and have instant access with no visibility that the credential is being double-used and no way to revoke or invalidate it?

http://dereknewton.com/2011/04/dropbox-authentication-static-host-ids/

Why would someone implement a keystroke logger if they can just steal this file and have unlimited future access with complete stealth? Sounds like this just makes it harder to remotely brute force against DB servers to login.

Re:But did they actually make it any more secure (4, Informative)

mkraft (200694) | about 2 years ago | (#41138693)

That was fixed back in Dropbox 1.2.48 (October 31, 2011)

https://www.dropbox.com/release_notes [dropbox.com]

Re:But did they actually make it any more secure (1)

lasvegasseo (2708229) | about 2 years ago | (#41157427)

Nice catch. I never remember release notes further back than a few weeks, tops.

Re:But did they actually make it any more secure (1)

Sprouticus (1503545) | about 2 years ago | (#41138971)

Can someone remove the mod points from the parent post? Old bug.

Can OpenID-like tech rise again? (3, Insightful)

Anonymous Coward | about 2 years ago | (#41136497)

Back when OpenID was popular the argument was that you can outsource your authentication to a service that actually has a clue about security. Back then, though, none of the popular identity providers actually did anything better than username/password. (With the exception of MyOpenID, but they were always kinda niche.)

Now that I've embraced Google's two-factor auth -- accepting a little inconvenience for a little more security -- I find it useful that when I log into Google properties I only need to do the two-factor stuff once in a while, rather than for every single service. Two-factor auth *is* less convenient, but if you have single sign-on then you can make it less so.

If the latest trend is for every service to implement its *own* two-factor auth then this is going to get much less convenient. I'd sooner see services like DropBox just integrate with Google's auth (and with anyone else who has a decent auth system) and let users benefit.

Re:Can OpenID-like tech rise again? (1)

heypete (60671) | about 2 years ago | (#41136631)

I don't mind if they all use a compatible OTP system, so that I can just have the one Google Authenticator app for my iOS device (or a compatible J2ME program on my non-smartphone). The services that annoy me are the ones that use different methods that I can't integrate with code generating programs I already have.

The nice thing with TOTP/RFC 6238 [ietf.org] is that it's an open standard and not subject to the whims of a particular company. It's also completely independent of third-parties: I can set up my own TOTP system on my own systems and not have it be dependent on the availability or security of any third party.

Just not with Google (0)

Anonymous Coward | about 2 years ago | (#41138549)

I'm a little wary of using Google for authenticating myself for other services. They know too much about you, they want to tie that to your real identity, giving them full control over your internet life sounds like a bad idea without some serious privacy protection and separation in place. I was championing Google ten years ago, but now I try to keep away from everything I do online as much as possible.

Re:Can OpenID-like tech rise again? (3, Insightful)

Bogtha (906264) | about 2 years ago | (#41139615)

I'd sooner see services like DropBox just integrate with Google's auth

They do. You can use Google's Authenticator mobile app to authenticate yourself with Dropbox.

Re:Can OpenID-like tech rise again? (2)

Darinbob (1142669) | about 2 years ago | (#41140215)

I'm not really sure what this is. Google+ spams me now and then to link a phone, but I won't do that as it's insecure. I don't want my phone linked to anything. I don't want google+ linked to anything. I don't have important pictures stored only on the net. I don't have automatic upload of pictures or data. I don't want one failure to cascade and take down multiple accounts.

Besides I have disabled SMS entirely. Google's method can't work for me.

Re:Can OpenID-like tech rise again? (0)

Anonymous Coward | about 2 years ago | (#41141685)

"Besides I have disabled SMS entirely. Google's method can't work for me."

This is just a misconception. If you have a smart phone that can run the App, then Google's 2-factor method can work for you. The option to get an SMS is only one way to do the second factor. Almost everyone here is talking about something else.

Goofy (1)

marjancek (1215230) | about 2 years ago | (#41136621)

I'm the only one that looses his phone?

Re:Goofy (2)

Archangel Michael (180766) | about 2 years ago | (#41136821)

Do you work at Apple in their iPhone Development Division?

But if you lose your phone ... you've got other security problems. Don't keep anything valuable on your phone.

Re:Goofy (1)

pbrammer (526214) | about 2 years ago | (#41137831)

If you use a passcode to get into your iPhone, it is extremely secure. AES-256, secure. http://images.apple.com/ipad/business/docs/iOS_Security_May12.pdf [apple.com]

Re:Goofy (0)

Anonymous Coward | about 2 years ago | (#41146257)

Since the 256 bit key is derived from your pincode such as "1234" it is just a marketing stunt. No matter what you do, the weakest point is the password.

Re:Goofy (2)

awyeah (70462) | about 2 years ago | (#41136939)

They give you a backup code you can use in case you lose your phone.

Re:Goofy (0)

Anonymous Coward | about 2 years ago | (#41142947)

Well, if you loose your phone, you must be knowingly letting it go.

Unless you meant that you "lose" your phone, in which case you can't find it.

Wrong title! Wrong title! (1)

aglider (2435074) | about 2 years ago | (#41137327)

Dropbox adds a much better user identification method, for the sake of privacy.
As the second factor is an SMS, and because in all countries the law requires the mobile operator to be able to identify at any time who the person using a certain SIM is.
Identification of a user based on her/his email address is trivially ineffective.
Better security is a tiny side effect. Any techie of the VAS team at the mobile operator would be able to circumvent that method. As well as law enforcement men in black.
Really better security would be a cryptographic certificate locally protected by a password, à la SSH.
Ah!

P.S.
Google is already willing to know your mobile phone number [google.com] since long now.

Re:Wrong title! Wrong title! (0)

Anonymous Coward | about 2 years ago | (#41138493)

That was terrible. Are you a /. editor?

Re:Wrong comment! Wrong comment! (1)

Kalriath (849904) | about 2 years ago | (#41144661)

Um, in almost no countries is it law that the mobile operator has to know who the customer is. Here, we can just buy a prepay SIM for $10 at the supermarket, put it in the phone, and start calling. No ID needed. Your post is a huge crock of shit.

2 factor authentication free email account (0)

Anonymous Coward | about 2 years ago | (#41137703)

http://privatesky.me/

These guys have already figured this out: a 2-factor authentication Outlook add-in and an email account with secure PIN pad access.
It's cool, use it!

Great. Now how about some encryption? (1)

Rob_Bryerton (606093) | about 2 years ago | (#41138425)

Great. Now how about some encryption? I notice that the one useful feature most of these services (purposely?) omit is client side [de|en]cryption with the client holding the keys. Why is that?

Do these online storage services actually data mine their customers' files? /tinfoil

Re:Great. Now how about some encryption? (2)

michaelwigle (822387) | about 2 years ago | (#41139139)

While I agree that would be a nice feature, I find handling the encryption myself painless enough. There are many tools to do it but I find Axcrypt integrates quite nicely for Win/Linux systems but not Android yet.

Re:Great. Now how about some encryption? (0)

Anonymous Coward | about 2 years ago | (#41139467)

But they [de|en]crypt it at their end for your convenience. If the client had the keys but Dropbox didn't have copies of those keys they wouldn't be able to help you with data recovery should something go wrong on your end; a serious user-friendliness hit.

Anyway, Dropbox have a reputation for how well they protect your data. I knew someone that trusted his Bitcoin wallet (containing 25,000 BTC, then around $300,000) to Dropbox and there is real doubt that Dropbox is partly responsible for the subsequent emptying of said wallet.

Re:Great. Now how about some encryption? (0)

Anonymous Coward | about 2 years ago | (#41147755)

How would you trust that type of encryption service? And not assume that the provider had an extra key or method of access? /paranoia

Re:Great. Now how about some encryption? (0)

Anonymous Coward | about 2 years ago | (#41156767)

For that kind of encryption, there are services such as spideroak.com. Or, you could store a truecrypt container inside your dropbox directory, and do all encryption on your own end. What it seems to boil down to is that encryption has a tendency to get in the way of some of the deduplication they rely on to minimize storage space used while maximizing the amount of storage they can provide, so expecting it to come from Dropbox themselves seems like an exercise in futility. Spideroak does seem to have a decent way of handling deduplication and encryption at the same time, but it also looks like a system that took a bit more complexity to get in place. If Dropbox's track record is any indicator, it may very well be outside of the area of expertise of any of their employees, or at least, considered not a big priority for their management.

The United States has its own propaganda (-1)

Anonymous Coward | about 2 years ago | (#41141267)

Memorable quotes for
Looker (1981)
http://www.imdb.com/title/tt0082677/quotes [imdb.com]

"John Reston: Television can control public opinion more effectively than armies of secret police, because television is entirely voluntary. The American government forces our children to attend school, but nobody forces them to watch T.V. Americans of all ages *submit* to television. Television is the American ideal. Persuasion without coercion. Nobody makes us watch. Who could have predicted that a *free* people would voluntarily spend one fifth of their lives sitting in front of a *box* with pictures? Fifteen years sitting in prison is punishment. But 15 years sitting in front of a television set is entertainment. And the average American now spends more than one and a half years of his life just watching television commercials. Fifty minutes, every day of his life, watching commercials. Now, that's power."

##

"The United States has its own propaganda, but it's very effective because people don't realize that it's propaganda. And it's subtle, but it's actually a much stronger propaganda machine than the Nazis had but it's funded in a different way. With the Nazis it was funded by the government, but in the United States, it's funded by corporations and corporations they only want things to happen that will make people want to buy stuff. So whatever that is, then that is considered okay and good, but that doesn't necessarily mean it really serves people's thinking - it can stupefy and make not very good things happen."
- Crispin Glover: http://www.imdb.com/name/nm0000417/bio [imdb.com]

##

"It's only logical to assume that conspiracies are everywhere, because that's what people do. They conspire. If you can't get the message, get the man." - Mel Gibson (from an interview)

##

"We'll know our disinformation program is complete when everything the American public believes is false." - William Casey, CIA Director

##

George Carlin:

"The real owners are the big wealthy business interests that control things and make all the important decisions. Forget the politicians, they're an irrelevancy. The politicians are put there to give you the idea that you have freedom of choice. You don't. You have no choice. You have owners. They own you. They own everything. They own all the important land. They own and control the corporations. They've long since bought and paid for the Senate, the Congress, the statehouses, the city halls. They've got the judges in their back pockets. And they own all the big media companies, so that they control just about all of the news and information you hear. They've got you by the balls. They spend billions of dollars every year lobbying, lobbying to get what they want. Well, we know what they want; they want more for themselves and less for everybody else.

But I'll tell you what they don't want. They don't want a population of citizens capable of critical thinking. They don't want well-informed, well-educated people capable of critical thinking. They're not interested in that. That doesn't help them. That's against their interests. They don't want people who are smart enough to sit around the kitchen table and figure out how badly they're getting fucked by a system that threw them overboard 30 fucking years ago.

You know what they want? Obedient workers, people who are just smart enough to run the machines and do the paperwork but just dumb enough to passively accept all these increasingly shittier jobs with the lower pay, the longer hours, reduced benefits, the end of overtime and the vanishing pension that disappears the minute you go to collect it. And, now, they're coming for your Social Security. They want your fucking retirement money. They want it back, so they can give it to their criminal friends on Wall Street. And you know something? They'll get it. They'll get it all, sooner or later, because they own this fucking place. It's a big club, and you ain't in it. You and I are not in the big club.

This country is finished."

##

We now return you Americans to your media: corporate, government sponsored and controlled (rigged) elections.

Most of you are all so asleep it's time you woke up!
