That worked, thanks! Also, I just discovered a checkbox under 'Account Settings' that seems like it's an opt-in for early releases. OP probably already had this checked?
I upgraded my account, and now the desktop client is not letting me log in, saying I need the latest client. I downloaded that and it still gives me the same error.
Does anyone know where I can download the latest Linux binary that supports 2-factor authentication? I tried downloading the Linux version, but it keeps on saying "this account uses two-step verification. To link to it, please download the latest version of Dropbox from www.dropbox.com/download". Maybe there is no new Linux client, not sure.
Well done. I wish more sites would move to using standard OTP protocols. I hate having to carry around and use a separate dongle for each company that provides two factor authentication.
Carrying a set of backup codes when travelling, generating a code for each app that is linked to your account... these things make two-way authentication seem very inconvenient. I went with converting my Gmail account to use two-way authentication, but being told to remember to carry a set of 10 backup codes whenever I am going to be without my phone was a turn-off, and I reverted to my old settings.
That requires physical access, which is arguably more secure than internet access should your credentials be compromised. This is a major step in the right direction for Dropbox. I don't think it's Dropbox's job to encrypt and secure my local files. This would break many use cases, and there are other purpose-built solutions for this.
Dropbox made their business on an extreme convenience (your files everywhere through a dead-simple, familiar interface). Inconveniently, convenience is often the enemy of security. It's a "good thing" that Dropbox is now offering some granularity over the convenience/security spectrum.
That's hardly an unexpected security hole - most of my devices maintain local copies of everything in my Dropbox folder (phone/iPad excepted). Requiring password/two factor auth to get at the cloud hosted version of something in the local filesystem would achieve pretty much nothing.
Maybe there's people using Dropbox in some other fashion, but surely this is the intended/common use case?
Two-factor authentication sucks. It's too hard for users. Most people will never use it. Dropbox should consider using Rublon (yes, that's my startup): https://rublon.com
1) Screw outsourcing your authentication database to a third party, or incorporating third-party JS, as a mandatory thing. It's ok if you build something (like OATH) which allows a third-party service provider, but it shouldn't be mandatory; you should be able to implement the entire thing on your own infrastructure, and ideally play nicely with other sites in a user-selected client (potentially a browser).
2) I'd rather just do N-factor using a client cert stored in the web browser (mobile or desktop), combined with a password. X.509 is probably terminally defective in desktop browsers due to historical accident and a messy protocol, but it could work on mobile, and stuff like OneID or BrowserID could meet the same need for regular browsers.
I don't believe in desktop + cellphone both being required to log into every site every time. The OATH compromise (using the phone periodically, along with a desktop password, and caching something in the browser) is an acceptable compromise for some apps.
Ultimately what I want is a trusted keystore of asymmetric private keys on devices, and then multifactor auth to the keystore (biometric, password, location/time-based heuristics, etc.), and reasonable management of keystores and keys (so I can, for instance, revoke every key on my phone if stolen, or disallow iPad and iPhone but not mba13 for Dropbox, but allow all 3 for LinkedIn).
The technical problem is relatively simple; it's an integration program (the auth libraries used by every site, plus mobile OSes, maybe desktop OSes, and hardware in phones and computers).
Give users the ability to make their own choices, and let sites establish minimum standards as well. I should be allowed to make a site depend on fingerprint swipe + physical location + specific machine if I want, but it shouldn't be mandatory for a random game site for everyone/anyone.
This completely misses the point of Two-factor authentication, though.
Two-factor authentication is all about increasing security by combining two separate factors: something you know (password), and something you have (phone). From what I can tell, you're just switching from relying on one factor (password) to relying on the other factor (phone). It's just a different one-factor authentication paradigm.
Unfortunately, this leaves several gaps. For example, what happens when I lose my phone, or someone takes it from me? Can that other person log in immediately?
I can potentially understand an argument that this is more secure than solely password-based solutions (although I don't think it would be for me, where I use complex random passwords), but I certainly wouldn't consider it an alternative to two-factor authentication.
Thanks for your opinion guys. Looks like we'll have to invest much more time in creating a new website that will explain Rublon more precisely. I can see that there is way too much confusion and misunderstanding about the product.
How about this for a novel idea: stop inventing new mechanisms for authentication, and let ME choose how I authenticate myself to your service (to gain access to MY data). http://ragmondocom.appspot.com/2012/03/My-Stuff-My-Lock
SwaroopH | 13 years ago
Although tray login still logs you in without needing to enter a password or the code.
lowe | 13 years ago
guylhem | 13 years ago
Maybe the country list should be edited to only list countries where SMS can be sent? (I have no problem with other 2-way services I use.)
irunbackwards | 13 years ago
josteink | 13 years ago
joshzayin | 13 years ago
It looks like they support any app that uses the TOTP protocol, so Google Authenticator, among others, works with this seamlessly.
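The TOTP protocol mentioned above (RFC 6238, built on RFC 4226's HOTP) is the "standard OTP protocol" that lets any authenticator app interoperate with a site, and it is small enough to show in full. The following is an added example for this thread, not Dropbox's or Google Authenticator's code: the secret is the RFCs' published test key, the issuer and account in the enrollment URI are hypothetical, and the verifier shows the server side that the comments do not cover (a drift window, a constant-time comparison, and a last-accepted-step check so a code that was already used cannot be accepted twice).

```python
"""RFC 4226 HOTP and RFC 6238 TOTP, the scheme Google Authenticator-style apps implement."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Shared test secret from RFC 4226 / RFC 6238 (the ASCII string "12345678901234567890").
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = digest[-1] & 0x0F                                  # low nibble selects a 4-byte window
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)           # keep leading zeros


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algorithm=hashlib.sha1) -> str:
    """RFC 6238: HOTP with the counter replaced by floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits, algorithm)


def current_totp(secret: bytes) -> str:
    """What an authenticator app displays right now (6 digits, 30-second steps)."""
    return totp(secret, int(time.time()))


def decode_base32_secret(text: str) -> bytes:
    """Apps exchange the secret as unpadded Base32 (often with spaces); restore padding first."""
    cleaned = text.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def otpauth_uri(issuer: str, account: str, secret: bytes, digits: int = 6, step: int = 30) -> str:
    """Key URI format that enrollment QR codes carry; issuer/account values are the caller's."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{issuer}:{account}?secret={b32}&issuer={issuer}"
            f"&algorithm=SHA1&digits={digits}&period={step}")


def verify_totp(secret: bytes, submitted: str, unix_time: int, window: int = 1,
                step: int = 30, digits: int = 6,
                last_accepted: Optional[int] = None) -> Optional[int]:
    """Server-side check.

    Accepts codes from [-window, +window] time steps to absorb clock drift, compares each
    candidate in constant time without short-circuiting, and refuses any step at or before
    `last_accepted` (the step of the last code this user logged in with), which is the
    RFC 6238 defence against reusing a code that was already seen.
    Returns the accepted time step (store it as the new `last_accepted`) or None.
    """
    if not (submitted.isdigit() and len(submitted) == digits):
        return None                                             # malformed input, not a code
    accepted = None
    for offset in range(-window, window + 1):
        counter = unix_time // step + offset
        if last_accepted is not None and counter <= last_accepted:
            continue
        candidate = hotp(secret, counter, digits)
        if hmac.compare_digest(candidate, submitted) and accepted is None:
            accepted = counter
    return accepted


if __name__ == "__main__":
    # Demo with the RFC test key; hypothetical issuer/account for the enrollment URI.
    print(otpauth_uri("ExampleIssuer", "user@example.invalid", RFC_TEST_SECRET))
    print("code now:", current_totp(RFC_TEST_SECRET))
```

The six-digit code is only as strong as the secret and the server's handling of it: keep the window small, store the accepted step per user, and rate-limit attempts, since a 30-second window of three candidates still leaves a brute-force attacker only a 3-in-a-million chance per guess if guesses are throttled.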
icebraining | 13 years ago
For those who don't have iOS/Android/BB and/or don't want to use Google Authenticator, Wikipedia lists a few compatible applications: https://en.wikipedia.org/wiki/Google_Authenticator
These work for Gmail too.
ch0wn | 13 years ago
spindritf | 13 years ago
If Google Authenticator allowed you to change the order of accounts without removing and re-adding them, I would have absolutely nothing to complain about.
teach | 13 years ago
irunbackwards | 13 years ago
forsaken | 13 years ago
dkulchenko | 13 years ago
steveeq1 | 13 years ago
lowe | 13 years ago
https://forums.dropbox.com/topic.php?id=66910
jrockway | 13 years ago
batgaijin | 13 years ago
matwood | 13 years ago
SCdF | 13 years ago
irunbackwards | 13 years ago
bschlinker | 13 years ago
peterwwillis | 13 years ago
mertd | 13 years ago
septerr | 13 years ago
treelovinhippie | 13 years ago
dkokelley | 13 years ago
bigiain | 13 years ago
reledi | 13 years ago
Anyone else have this issue?
sinsear | 13 years ago
mjs7231 | 13 years ago
mwww | 13 years ago
7 reasons why you should add Rublon to your website: http://blog.rublon.com/2012/why-add-rublon/
rdl | 13 years ago
Serplat | 13 years ago
teach | 13 years ago
I'd suggest you work on your elevator pitch a bit more.
mwww | 13 years ago
alexlitov | 13 years ago
spindritf | 13 years ago
ragmondo | 13 years ago
joshu | 13 years ago
adgar | 13 years ago
It must be easier to build a startup on the assumption that your users are incompetent mouthbreathers. Respecting your users is hard work :-/