I’m using Dropbox to share highly confidential files with an investigator and need to be completely sure that no-one other than myself ever access the files. I know Dropbox uses SSL connections and my account is protected by a password, but I want a higher level of security. Can I set up a two-step verification or authentication process so it requires me to both know my password and receive a text message on my cellphone to log in?
You have an interesting situation and it sounds like your need for confidentiality is higher than for most of us. My first thought is that if I were in your shoes is that I’d be using a separate encryption system like PGP (it stands for “pretty good privacy” but in fact it’s a powerful and secure public-key encryption system) as a way to encrypt the file before you upload it to DropBox, then for the receiver to decrypt it once safely downloaded. You can learn more about PGP and grab some software to test at GNUPG, if you’re curious.
In terms of working with Dropbox, you’re in luck as they just recently introduced a two-step verification system just like you’re asking for (and just like what’s available on Gmail and PayPal, among other smart sites). The idea is that to get into the account you need two things, instead of just one: your account credentials and access to your registered cellphone so you can retrieve the one-time use code from a text message that Dropbox automatically sends you on login attempt.
To set it up, you’ll need to go to the Dropbox Web site, then choose “Settings” from the menu on the top right:
Once you’ve done that, you’ll see a bunch of different options. What you want is along the top tab bar, however:
Click on “Security”, then look near the bottom of that page for this block of info:
To enable two-step verification, click on “(change)” adjacent to the current status “Disabled” on the last line.
An informational pop-up appears to explain what you’re about to change:
Looks good. Click on “Get started” to proceed. You’ll need to enter your password again for verification purposes (you certainly don’t want someone else putting this on your account!) then you’ll be presented with two possibly ways to use the 2-step purpose:
My preference is to use text messaging because then it doesn’t require a specific app to be installed on my phone and since I’m often running early release or beta software, apps on my phone are notoriously ephemeral anyway. If you’d prefer an app, click “Use mobile app” before proceeding.
Either way, click “Next” to continue.
As expected, Dropbox needs to know your mobile phone number. For what I hope are obvious reasons, don’t enter a number that cannot receive text messages!
Enter your cell and again click on “Next”.
While you’re looking at that and wondering what to do, a text message with a six-digit (one time) code should be sent to your phone. It’ll look like this:
I enter the specified code — 656126 — and my Dropbox account is ready to set up for two-step verification. Only thing is, what happens if I lose my phone? They’ve got that covered too:
Since it’s easy to get a new phone and use a SIM card to have it receive your text messages, I don’t worry about this backup. Plus, I always have my phone.
That’s all there is to it. You’ve just set up two-step verification for your Dropbox account. Note that only adds a new layer of security to your access as the account owner. It doesn’t make the stored documents or your colleagues access any safer or more secure. That’s where something like PGP might well come in handy, as I mentioned earlier.
In any case, a good lesson on security, thanks for the interesting question!