You've no doubt wondered how secure your password is; the short story is that it isn't!  Two-factor authentication has been used for online banking for years, but it is now an increasingly common option for logging in to online services like Google and Dropbox.  It requires something the user knows (like a password) and something the user has (like access to a particular mobile phone).

This post will show you how to enable Two Factor Authentication with Dropbox.

If you’ve been following the tech news at all in the last few weeks, you have undoubtedly already heard that an iCloud account belonging to former Gizmodo and current Wired tech journalist, Mat Honan, was accessed by hackers.  He tells the full story at his blog, but the headlines pretty much say it all:

“Social engineering and weak tech support make strong passwords useless” – Examiner.com

“Cloud hack wipes out user, and Apple support was responsible” – Digital Journal

“How Apple let a hacker remotely wipe an iPhone, iPad, MacBook” – ZDNet

Irrespective of how great a password Mat set, he fell victim to a social engineering attack that resulted in a hacker gaining access to his Amazon and iCloud accounts, allowing the attacker to remotely wipe his iPhone, iPad and MacBook.

Two-step verification is an optional but highly recommended security feature that adds an extra layer of protection to your Dropbox account.  Once enabled, Dropbox will require a six-digit security code in addition to your password whenever you sign in to Dropbox or link a new computer, phone, or tablet.  That might sound annoying, but it's not actually that bad and might save you from a similar fate to Mat's.

Two-step verification is currently an opt-in service, so first you need to visit the following link:

http://www.dropbox.com/try_twofactor

You'll be prompted for your Dropbox username and password and then presented with the Security Settings screen.  At the top of the page, you should see a banner that informs you that you've successfully opted in for two-step verification.

Under the Account sign in section, next to Two-step verification, click the (change) link to toggle it.

For security reasons, you'll be asked to re-enter your password to confirm your decision to enable two-step verification. Once you do, you'll be presented with a simple wizard:

You'll be given the choice to receive your security code by text message or through a mobile app.  Several mobile apps are available that will generate a unique, time-sensitive security code you can use to finish signing in to your Dropbox account.  Any app that supports the Time-based One-Time Password (TOTP) protocol should work, including the following: Google Authenticator (Android/iPhone/BlackBerry), Amazon AWS MFA (Android), and Authenticator (Windows Phone 7).  In this example, we'll use the Google Authenticator app.

You can choose to either configure authentication by scanning a barcode (if your app supports it) or click "enter your secret key manually" to be given a secret key you can type into the app.

But, before we do that, we'll need to install a mobile app!  In this example, we'll use Google Authenticator with an iPhone 4S.  The Google Authenticator is freely available in the App Store as you would expect.

Install the app and fire it up, and you'll be presented with a rather basic screen.

Hit the Scan Barcode button and then hold your iPhone up to the screen.  The app will automatically recognise the barcode and present you with a basic and rather cryptic screen showing your Dropbox login and a 6-digit code.  This is the 6-digit code that will change regularly and that you will use to complete authentication with Dropbox.  The little pie-chart in the top left corner counts down how long the current code will last before you are presented with the next one.
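To show what the app is actually doing with the secret key from that barcode, and why the code changes every 30 seconds, here is an added example (not Dropbox's or Google Authenticator's code) of the TOTP computation from RFC 6238 as described above, plus the server-side check that tolerates a little clock drift.  It assumes HMAC-SHA1, 30-second steps and 6 digits, which is what these apps use by default; the secret below is the RFC 6238 test key, not a real Dropbox secret.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 6238 test secret (ASCII "12345678901234567890"), base32-encoded.
# Constructed for this example; a real Dropbox secret key is issued per account.
RFC_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_base32: str, for_time: Optional[int] = None,
         step: int = 30, digits: int = 6) -> str:
    """Compute an RFC 6238 TOTP code (HMAC-SHA1) for a Unix timestamp."""
    if for_time is None:
        for_time = int(time.time())
    key = base64.b32decode(secret_base32.replace(" ", "").upper())
    counter = for_time // step                    # 30-second windows since the epoch
    msg = struct.pack(">Q", counter)              # 8-byte big-endian counter
    mac = hmac.new(key, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def seconds_remaining(for_time: Optional[int] = None, step: int = 30) -> int:
    """Lifetime left on the current code: what the app's pie-chart is counting down."""
    if for_time is None:
        for_time = int(time.time())
    return step - (for_time % step)


def verify(secret_base32: str, submitted: str, for_time: Optional[int] = None,
           step: int = 30, window: int = 1) -> bool:
    """Server-side check: accept the current window plus `window` neighbours
    either side, so a phone whose clock is slightly off still gets in."""
    if for_time is None:
        for_time = int(time.time())
    candidates = (totp(secret_base32, for_time + k * step, step)
                  for k in range(-window, window + 1))
    # Constant-time comparison so the check does not leak how many digits matched.
    return any(hmac.compare_digest(c, submitted) for c in candidates)


if __name__ == "__main__":
    now = int(time.time())
    print(f"code {totp(RFC_TEST_SECRET, now)} valid for {seconds_remaining(now)}s")
```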

Now head back to your browser window and progress to the next screen.  You'll be asked to enter the 6-digit security code from your mobile device.

That completes your enrolment in two-step verification.  Dropbox will now provide you with an emergency backup code to disable two-step verification and access your account.  This will be required if you ever lose your mobile device, so keep this emergency code somewhere safe!  You have been warned!

Job done!  Back on the Dropbox Security Settings screen, you should now see under the Account sign in section that Two-step verification is Enabled.