Dropbox has followed through on an earlier promise and is rolling out two-factor authentication for its Windows, Mac, and Linux users. In July, the company pledged to the move after a bunch of its customers had their accounts hijacked and used to send vast quantities of spam for gambling websites. Dropbox blamed the security …
"in use for over a decade"
Much, much longer than that. I remember dragging around a SecurID credit-cardy thing in 1994 and various un*x tools have implemented OTP for at least 25 years...
..if, like me, you prefer to keep your phone number private, i.e. only family and friends ? I certainly don't want Dropbox or the like having it. Google already pesters me for it on the odd occasion I log into my gmail online, I don't want Dropbox doing the same.
Re: And what..
...if you don't have a mobile phone or any other way to perform an out-of-band authentication? I think this was one reason TFA didn't become practical in the consumer sphere until recently. Until most people had cell phones capable of SMS, it was difficult to determine if a person had a means to accept an out-of-band authentication. And before you say the telephone, back then long distance calls involved some money, and some people even then tend to screen or otherwise resist always picking up the phone for fear of attracting salesmen, scammers, or other people who may be interested in live targets.
@AC 18:32GMT - Re: And what..
I totally agree with you. I keep my phone number private, it is only being used to receive calls in case of an emergency situation at the school where my son is a student. The rest of the world is welcome to call me on my regular land line phone. So this stuff should be opt-in for those who value their cloud stuff more than their privacy, unless of course mobile phone providers would be so kind and reduce their prices so I can afford to pay for a second mobile phone solely dedicated to this task. Besides that, whenever I'm at home, I put my mobile phone away and I'm too lazy to fetch it just to be able to login to gmail. Also since I don't really enjoy Google tracking me, I prefer to logout from gmail as soon as I've done reading/replying which means I would have to receive a dozen messages a day.
To those who do not agree, yeah I understand and I assume the risk.
Re: And what..
>TFA didn't become practical in the consumer sphere until recently
Not at all. My bank here in Norway uses two factor authentication with printed one time pads by the simple expedient of sending me a credit card sized printed one time pad in the post. When I log in the web site asks for a specific one of the numbers in addition to my id number and a password that I can set myself. When it has used about two thirds of them it sends out a new pad.
Now I can also ask it to send a time limited one time code as a text to my registered mobile so I can use either and I don't need to be concerned about not being able to log in if my mobile is not available.
Downvoted for trying to make out that something so simple can only be made practical by the application of high technology.
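The bank scheme described in the comment above (a printed card of indexed codes, the site asking for one specific position at login, a fresh card posted once about two thirds are used) maps onto a small server-side record. The following is an added example, not the bank's or the commenter's code: the card codes are constructed, the server keeps only a keyed hash per position, every position is single-use, and an integer comparison decides when a replacement card is due.

```python
import hashlib
import hmac
import secrets


class PaperCodeCard:
    """Server-side record of one printed code card (constructed for this example)."""

    CODE_COUNT = 30                    # positions printed on the card
    REISSUE_NUM, REISSUE_DEN = 2, 3    # post a new card once 2/3 of positions are used

    def __init__(self, card_id: str, codes=None):
        self.card_id = card_id
        # Fresh random six-digit codes unless a fixed list is supplied (deterministic demo/tests).
        codes = codes or [f"{secrets.randbelow(10**6):06d}" for _ in range(self.CODE_COUNT)]
        self.salt = secrets.token_bytes(16)
        # Keep only a keyed hash per position, so a leaked table does not reveal the card.
        self.hashes = [self._digest(c) for c in codes]
        self.used = [False] * len(codes)
        # The plain codes should exist only long enough to be printed and posted.
        self.print_sheet = [f"{i:02d}: {c}" for i, c in enumerate(codes)]

    def _digest(self, code: str) -> bytes:
        return hmac.new(self.salt, code.encode(), hashlib.sha256).digest()

    def challenge(self) -> int:
        """Pick a random unused position to ask for at login."""
        unused = [i for i, u in enumerate(self.used) if not u]
        if not unused:
            raise RuntimeError(f"card {self.card_id} exhausted")
        return secrets.choice(unused)

    def verify(self, index: int, code: str) -> bool:
        """Check the code for the challenged position and burn the position either way,
        so a wrong guess cannot be retried against the same cell."""
        if not 0 <= index < len(self.hashes) or self.used[index]:
            return False
        self.used[index] = True
        return hmac.compare_digest(self.hashes[index], self._digest(code))

    def needs_reissue(self) -> bool:
        """Integer comparison, so the two-thirds threshold has no floating-point edge."""
        return self.REISSUE_DEN * sum(self.used) >= self.REISSUE_NUM * len(self.hashes)


if __name__ == "__main__":
    card = PaperCodeCard("demo-card")
    print("\n".join(card.print_sheet[:3]), "...")
    i = card.challenge()
    code = card.print_sheet[i].split(": ")[1]
    print(f"position {i:02d} accepted: {card.verify(i, code)}; replay: {card.verify(i, code)}")
```

The card only proves possession of the paper, which is why the bank still asks for the id number and a user-chosen password alongside it; the hashed storage and single-use positions limit what a stolen server table or a shoulder-surfed code is worth.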
" I would have to receive a dozen messages a day."
Google will remember which machine you used for a while, so even if you log out frequently you should only get one text message a month.
NO PHONE NUMBERS
I have a serious problem with privacy concerns handing out my phone number to Google.
I really wish they would let me create a private/public key pair for authentication purposes. This would be far more useful than a phone number that a) should be private and b) may not work overseas.
Cell Phone Dead Area
I am allowed to use DropBox at work, but my office is in an area with no cell phone reception. So I guess I can't use this.
Re: Cell Phone Dead Area
I just turned on two factor authentication on my own Dropbox account and did so without a text message being necessary. I already installed the Google Authenticator on my phone and use it elsewhere, Dropbox can use that too. No need for mobile coverage to get a verification code.
Dropbox also provides a mobile app that can generate two factor codes for you. And Google does the same. The App functions very much like a SecurID token. You need to establish the initial seed, and then it just calculates new numbers every 5 minutes.
Also, you are logging into Gmail, but worried about the privacy of your phone number? That doesn't make any sense. Phone numbers are less trackable than IP addresses. Especially, since SMS to non-mobile numbers is available.
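The authenticator apps mentioned above derive each code from a seed shared once at enrolment plus the current time, with no network needed afterwards. The following is an added example, not Dropbox's or Google's code: it implements RFC 6238 TOTP with the defaults such apps use (HMAC-SHA1, 30-second step, six digits), the otpauth:// URI that is encoded into the enrolment QR code, and a server-side check that tolerates a little clock skew while refusing replay of an already accepted code. The account name and issuer are constructed; the seed `12345678901234567890` used for checking is the RFC 6238 test-vector secret.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import quote

# RFC 6238 defaults, the ones Google Authenticator and similar apps use.
TIME_STEP = 30
DIGITS = 6


def new_seed(length: int = 20) -> bytes:
    """Random shared seed: stored by the server, handed to the app exactly once."""
    return secrets.token_bytes(length)


def provisioning_uri(seed: bytes, account: str, issuer: str) -> str:
    """otpauth:// URI that is encoded into the QR code the authenticator app scans."""
    b32 = base64.b32encode(seed).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}&algorithm=SHA1"
            f"&digits={DIGITS}&period={TIME_STEP}")


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP with the counter set to the number of time steps since the epoch."""
    return hotp(seed, unix_time // step, digits)


def verify_totp(seed: bytes, code: str, unix_time: int, last_counter: int = -1,
                window: int = 1, step: int = TIME_STEP, digits: int = DIGITS):
    """Server-side check. Accepts the current step and `window` steps either side
    (clock skew), compares in constant time, and only accepts a counter newer than
    the last one used, so a captured code cannot be replayed within the window.
    Returns the matched counter (to be persisted by the caller) or None."""
    if not (code.isdigit() and len(code) == digits):
        return None
    current = unix_time // step
    for c in range(current - window, current + window + 1):
        if c > last_counter and hmac.compare_digest(hotp(seed, c, digits), code):
            return c
    return None


if __name__ == "__main__":
    import time
    seed = new_seed()
    # Constructed account and issuer for the demo.
    print(provisioning_uri(seed, "alice@example.com", "ExampleCloud"))
    now = int(time.time())
    code = totp(seed, now)
    print("code now:", code, "accepted at counter:", verify_totp(seed, code, now))
```

The server stores the seed and the last accepted counter per user; the phone needs nothing but a reasonably accurate clock, which is why the scheme works in a cell-phone dead area.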
The point is, they then *have* that number.
We already live in a world where my phone number is a traded commodity in certain circles - the proof is the various calls I frequently receive from telemarketers. Even if google never-ever-never actually does anything with my cell number, I still don't want them to have it.
And in any case, I very much firmly believe that sooner or later the temptation to do *something* with those numbers will become too strong. Money talks.
As for generator apps - yes,cool, that will work, if I had a phone on which it runs.
Logging into gmail - can be done via things like Tor - bit of a pain, and you then start to realize just how firmly google and friends have taken root in your browser, but can be done.
Bottom line, if dropbox makes this mandatory, then sorry, they lose me as a user. Not even because I want to be spiteful, but living in SA as I do, this just is not going to fly.
2-factor authentication: indoor use or outdoor use?
It appears that the benefit of 2-factor authentication is broadly recognized, not the least because OTP can now be sent to smart phones by SMS at very low costs. The benefit is indeed remarkable when the users are in the indoor environment. Is the benefit the same when the users are in the outdoor environment?
What can be relied upon in a dangerous environment can be relied upon in a safe environment, but we cannot say that the reverse is also true. I mean that the indoor environment is relatively much safer than the outdoor.
Some banks tell us that it is a “mistake” to carry a bank card together with a paper with the PIN on it. Then it should also be a mistake to carry a mobile computer, tablet or phone together with a paper with the password on it. Replace such a paper with a token generating OTP or a phone receiving OTP, and what conclusion do you think you would reach?
The PIN/password on a paper proves the identity of the paper, not the identity of the person who holds the paper. OTP generated on a token proves the identity of the token, not the identity of the person who holds the token. OTP received on a phone proves the identity of the phone, not the identity of the person who holds the phone. The structure is the same in all of them.
Those banks abovementioned may be wrong in using the word “mistake”, but we could at least learn that the 2-factor authentication in the outdoor environment is not as beneficial as in the indoor environment, and that, in the outdoor environment, what matters most is the security of remembered PIN/password rather than the reliability of a paper with PIN/password on it or a token generating OTP or a phone receiving OTP.
Whether or not we use OTP-generating/receiving tokens/phones, it should still be imperative to enhance the remembered password itself if we want the safe cyber-life in the outdoor environment.
Re: 2-factor authentication: indoor use or outdoor use?
One comment: " very low costs" is still not zero.
Very low costs will still accumulate, and naturally these costs will be shifted to the user.
From the article: "In July, the company pledged to the move after a bunch of its customers had their accounts hijacked and used to send vast quantities of spam for gambling websites"
Is this correct? I understood it was merely a spreadsheet containing a list of customer email addresses which was leaked from within an employee's Dropbox.
I use Two-Factor Authentication across a lot of my accounts. I feel a lot more secure when I can telesign into my account. If you have that option available to you use it, it is worth the time and effort to have the confidence that your account won't get hacked and your personal information isn't up for grabs. I'm hoping that more companies start to offer this awesome functionality. This should be a prerequisite to any system that wants to promote itself as being secure.