Dropbox Aims to Thwart Phishers with 2FA Security Keys

Dropbox now supports USB-based security keys to improve log-in security and better protect users from phishing attempts.

The Universal 2nd Factor (U2F) security keys can be used when signing in to the popular cloud storage service, head of trust and security Patrick Heim and Jay Patel said in a blog post.

“After typing in your password, just insert your key into a USB port when you’re prompted, instead of typing in a six-digit code,” they explained. “And unlike two-step with a phone, you’ll never have to worry about your battery going dead when you use a security key.”

Physical security keys are a better choice than smartphone-based two-factor authentication because the latter still exposes the user to the risk of being directed toward a fake Dropbox site designed to phish their password and verification code.

“Security keys are designed to protect against these types of attacks,” Dropbox claimed. “By using cryptographic communication, they will only work when you’re signing in to the legitimate Dropbox website.”

Keys need to support the FIDO Alliance’s FIDO Universal 2nd Factor (U2F), and currently will only work when accessing Dropbox.com from the Chrome browser, according to the pair.

“Once you have a key, go to the Security tab in your Dropbox account settings and click Add next to Security keys,” they explained.

“Signing in from a device or platform U2F isn’t supported, or don’t have your key on hand? Don’t worry — you’ll still have the option to use two-step verification through text message or an authenticator app.”

Phishing campaigns against Dropbox users have spiked recently as cyber-criminals look to access sensitive corporate and personal data held in users’ accounts.

Back in May, security firm Ipswitch warned of fake Dropbox emails urging the user to click through to view “urgent and highly confidential” documents.

Those that did were taken to a fake log-in page designed to harvest credentials.

“Dropbox is vulnerable to these common attacks as it was not originally designed with enterprise security in mind,” said Ipswitch senior vice president, Alessandro Porro, at the time.

What’s Hot on Infosecurity Magazine?