Can I use two-step authentication with Dropbox?

I'm using Dropbox to share highly confidential files with an investigator and need to be completely sure that no-one other than myself ever accesses the files. I know Dropbox uses SSL connections and my account is protected by a password, but I want a higher level of security. Can I set up a two-step verification or authentication process so it requires me to both know my password and receive a text message on my cellphone to log in?

You have an interesting situation and it sounds like your need for confidentiality is higher than for most of us. My first thought is that if I were in your shoes, I'd be using a separate encryption system like PGP (it stands for "pretty good privacy" but in fact it's a powerful and secure public-key encryption system) to encrypt the file before you upload it to Dropbox, then have the receiver decrypt it once safely downloaded. You can learn more about PGP and grab some software to test at GnuPG, if you're curious.

In terms of working with Dropbox, you're in luck as they just recently introduced a two-step verification system just like you're asking for (and just like what's available on Gmail and PayPal, among other smart sites). The idea is that to get into the account you need two things, instead of just one: your account credentials and access to your registered cellphone so you can retrieve the one-time use code from a text message that Dropbox automatically sends you on each login attempt.

To set it up, you'll need to go to the Dropbox Web site, then choose "Settings" from the menu on the top right.

Once you've done that, you'll see a bunch of different options. What you want is along the top tab bar, however. Click on "Security", then look near the bottom of that page for the block of info on two-step verification.

To enable two-step verification, click on "(change)" adjacent to the current status "Disabled" on the last line.
An informational pop-up appears to explain what you're about to change. Looks good. Click on "Get started" to proceed.

You'll need to enter your password again for verification purposes (you certainly don't want someone else putting this on your account!), then you'll be presented with two possible ways to use two-step verification.

My preference is to use text messaging because then it doesn't require a specific app to be installed on my phone, and since I'm often running early release or beta software, apps on my phone are notoriously ephemeral anyway. If you'd prefer an app, click "Use mobile app" before proceeding. Either way, click "Next" to continue.

As expected, Dropbox needs to know your mobile phone number. For what I hope are obvious reasons, don't enter a number that cannot receive text messages! :-) Enter your cell number and again click on "Next".

While you're looking at that and wondering what to do, a text message with a six-digit (one time) code should be sent to your phone.

I enter the specified code -- 656126 -- and my Dropbox account is ready to set up for two-step verification.

Only thing is, what happens if I lose my phone? They've got that covered too. Since it's easy to get a new phone and use a SIM card to have it receive your text messages, I don't worry about this backup. Plus, I always have my phone.

That's all there is to it. You've just set up two-step verification for your Dropbox account.

Note that this only adds a new layer of security to your access as the account owner. It doesn't make the stored documents or your colleagues' access any safer or more secure. That's where something like PGP might well come in handy, as I mentioned earlier.

In any case, a good lesson on security, thanks for the interesting question!
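The encrypt-before-upload step suggested above, sketched with the GnuPG command line. This is an added example, not part of the original article; the address, the file names and the throwaway key are constructed for the demo.

```bash
#!/usr/bin/env bash
# Added example: encrypt a file to the recipient's public key before it is
# copied into the Dropbox folder. Address and file names are constructed.

# encrypt_for RECIPIENT INFILE OUTFILE
# Only the holder of RECIPIENT's private key can decrypt OUTFILE. With a real
# key, compare its fingerprint (gpg --fingerprint) with the recipient over a
# separate channel before encrypting.
encrypt_for() {
    gpg --batch --yes --recipient "$1" --output "$3" --encrypt "$2"
}

# decrypt_to INFILE OUTFILE: what the receiver runs after downloading.
decrypt_to() {
    gpg --batch --yes --quiet --output "$2" --decrypt "$1"
}

# demo_roundtrip: exercises both steps in a throwaway keyring so the user's
# real keys are never touched. Returns 0 when the decrypted copy is identical.
demo_roundtrip() {
    local work rc=0
    work=$(mktemp -d) || return 1
    export GNUPGHOME="$work/gnupg"
    mkdir -m 700 "$GNUPGHOME" || rc=1
    # Throwaway, passphrase-less key standing in for the investigator's key.
    gpg --batch --quiet --passphrase '' --quick-generate-key \
        "investigator@example.org" default default never 2>/dev/null || rc=1
    printf 'constructed confidential sample\n' > "$work/report.txt"
    encrypt_for "investigator@example.org" "$work/report.txt" \
        "$work/report.txt.gpg" 2>/dev/null || rc=1
    # The file that would be synced must not contain the plaintext.
    if grep -q 'confidential' "$work/report.txt.gpg" 2>/dev/null; then rc=1; fi
    decrypt_to "$work/report.txt.gpg" "$work/out.txt" 2>/dev/null || rc=1
    cmp -s "$work/report.txt" "$work/out.txt" || rc=1
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
    unset GNUPGHOME
    return "$rc"
}

# Run the demo only when asked: bash encrypt_demo.sh demo
if [ "${1:-}" = "demo" ]; then
    demo_roundtrip && echo "round trip OK"
fi
```

Only the `.gpg` file goes into the shared folder, so the files stay unreadable to anyone who gets into the account without the recipient's private key.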
Categorized: Computer and Internet Basics (Article 10469, Written by Dave Taylor)

Tagged: dropbox security, encipherment, encryption, file sharing, pgp, pgp software, privacy, security

Reader Comments To Date: 1
Exactly how "confidential" (sensitive) are these files? Are you talking about something that someone else may be actively trying to intercept? Or something that you just want to be very careful not to leave sitting around in public?
2 factor can be hacked, here are some examples:
Modern banker malware undermines two-factor authentication, September 23rd, 2009
http://blogs.zdnet.com/security/?p=4402&alertspromo=&tag=nl.rSINGLE
Airport VPN hacked using Citadel malware
http://www.scmagazine.com.au/News/312040,airport-vpn-hacked-using-citadel-malware.aspx
The other question you have to ask yourself is how much do you really know about Dropbox? Do you know enough to really trust their promise not to let ANYONE in their company read your files?
For these reasons, Dave's suggestion of using separate encryption like PGP is very good advice. Either use public key encryption like PGP, or a shared private key that you agree on.