Dropbox: Set up two-factor authentication, FIDO keys, and passkeys to secure your account.

  • Enable 2FA with SMS, an authenticator app, or passkeys, and save your recovery codes.
  • Register FIDO2/U2F security keys to mitigate phishing on supported browsers.
  • Manage sessions, devices, IP addresses, and apps from Security; use remote wipe and unlink.
  • Prevent 2FA hijacking with authenticator apps or security keys, updates, and good practices.

Dropbox two-step verification

Dropbox is, as of today, the most widely used cloud storage application worldwide, and one of the few aspects that has been criticized, increasingly so of late, is security. Users, especially paying ones, were asking for a much better confirmation system when sharing files privately or downloading them. That is why Dropbox is strengthening its security with the addition of two-step verification.

One of the reasons that led the company to this was a recent small breach of its security system in which some users were affected, so it was time to take action. The result is this new verification system which, admittedly, may make using the app on mobile devices a little more cumbersome, but that is offset by the increased security it offers.

Activation is done by the user

This two-step security system must be activated by the user. Once it is, in addition to the usual password check, an additional code is generated and sent by text message or, failing that, created on the device itself with a dedicated authenticator application (which is linked to the account by scanning a QR code during setup).

When the second security step is created, Dropbox issues a 16-digit alphanumeric password, which is the one requested on the phone or tablet. This raises the security considerably. The same code is also required to register new devices with your Dropbox account (this only needs to be done once). For regular logins, single-use 6-digit codes are used when you choose SMS or an authenticator app.

To activate it, sign in to your Dropbox account, open the Security section of your settings, and look at the bottom of the page for the option named Two-step Verification. Click it to activate it. From there the wizard guides you through choosing SMS or an authenticator app, scanning the QR code, and saving your recovery codes.

What is two-step authentication and why should you enable it?

Authentication verifies your identity before granting access. 2FA combines two factors: something you know (a password), something you have (a phone or a physical key), or something you are (biometrics). This second layer blocks access even if someone knows your password.

The SMS option is simple, but an authenticator app (Google Authenticator, Duo, etc.) is more robust against attacks such as SIM swapping. These apps generate codes that expire quickly and do not depend on the mobile network. Before installing new apps, check their safety with VirusTotal.


Set up two-step verification in Dropbox

How to enable two-step verification in Dropbox

  1. Log in to dropbox.com and go to Settings > Security (you can also click your avatar and open the Security tab).
  2. Under Two-step authentication, choose Activate and select SMS or authenticator app.
  3. If you choose the app, scan the QR code shown on screen with your phone and enter the generated 6-digit code.
  4. Keep the recovery codes in a safe place and, if you wish, mark your computer as a trusted device.

When 2FA is active, you will be asked for an additional code every time you log in or link a new device. You can switch between SMS and the app whenever you need to from the same section.

FIDO Physical Security Keys (U2F/WebAuthn)

Dropbox lets you use USB, Bluetooth, or NFC security keys that comply with FIDO U2F or WebAuthn (FIDO2). These keys need no battery or network connection and perform an authentication that is bound to the site's origin, which mitigates phishing. Before adding one, it is advisable to have 2FA configured by SMS or app as a backup method.

  1. Go to Settings > Security > Two-step authentication and select Security Keys > Add.
  2. Enter your password, connect the key via USB/BT/NFC, and follow the wizard to register it (click Start setup if requested).
  3. To remove a key, go to Security keys, choose the one you want, and select Delete.

Compatibility: currently the keys work for logging in to dropbox.com with browsers such as Chrome or Firefox. They are not used to access the desktop or mobile app; in those cases you continue with SMS or the app. You can use the same key for your personal and work accounts, and even with other U2F/WebAuthn-compatible services.


Passkeys and biometrics

Dropbox supports passkeys based on WebAuthn, where you confirm your identity with biometrics (fingerprint or face) or by scanning a QR code from a trusted device. Passkeys simplify login and reduce phishing because no reusable password is involved.

Troubleshooting common problems

  • You are not receiving codes by SMS: confirm your number and coverage, and that your carrier does not block these messages.
  • The app does not generate valid codes: check the phone's time and date, update the app, and check that you are using the correct account.
  • You are asked for a 6-digit code by email: this is an additional check when there is unusual activity or a new device. Check your inbox.
  • You are not asked for the 2FA code: you are probably using a trusted device. Clear your browser's cache and cookies, or revoke that status by going to Security > Two-Step Authentication > Trusted Devices > Revoke All.
  • Problems activating 2FA due to an invalid password: confirm that you are entering the Dropbox password (not your email password), disable Caps Lock, log out and back in, or reset it from the web. If it persists, contact Dropbox support.
  • Does the 4-digit code in the mobile app count? It is a local passcode to open the app on that device; it does not replace the account's two-step verification.
  • Do you receive a code without having logged in? Change your Dropbox password immediately, review sessions and linked devices, and check the guide to recovering hacked accounts.
  • Nothing works? Wait 24 hours and try logging in again; some temporary blocks resolve themselves.
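To show why authenticator-app codes "expire quickly", work without a network, and fail when the phone's clock is wrong, here is an added Python implementation of the RFC 6238 TOTP scheme such apps use, together with the skew window and single-use check a verifier applies. This is example code, not Dropbox's; the secret is the RFC 6238 SHA-1 test key, constructed for the demo and not a real account seed.

```python
import hashlib
import hmac
import struct
import time

STEP = 30    # seconds per time step (RFC 6238 default used by authenticator apps)
DIGITS = 6   # login codes are 6 digits
SKEW = 1     # accept one step either side to tolerate small clock drift


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step).

    Only the shared secret and the clock are needed, so no network is involved;
    a phone whose clock is off simply lands in the wrong time step."""
    return hotp(secret, at // step)


class TotpVerifier:
    """Server-side check: small skew window plus single-use enforcement."""

    def __init__(self, secret: bytes, skew: int = SKEW):
        self.secret = secret
        self.skew = skew
        self.used = set()  # counters already accepted, so a captured code cannot be replayed

    def verify(self, code: str, now: int) -> bool:
        counter = now // STEP
        for c in range(counter - self.skew, counter + self.skew + 1):
            if c in self.used:
                continue
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.used.add(c)
                return True
        return False


# Constructed demo secret: the RFC 6238 SHA-1 test key, not a real Dropbox seed.
DEMO_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print("current code:", totp(DEMO_SECRET, int(time.time())))
```

With a 30-second step and a one-step window, a phone running 25 seconds slow still logs in, but one 45 seconds slow produces a code the verifier rejects, which is the "check time and date" case above.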

What is 2FA hijacking and how to avoid it?

2FA hijacking seeks to steal or bypass the second factor (malware that reads SMS, SIM swapping, or malicious apps). Minimize the risk by using authenticator apps or FIDO keys, keeping your devices updated, and avoiding suspicious links. A good antivirus and common sense are key; also use secure apps such as Threema.

Measures for teams and administrators

Two-factor authentication adds an additional layer of security to your team's Dropbox accounts. Admins can enforce its use for all or some of the members from the Admin console, or through your identity provider if you use SSO.

Check devices and web browsers: review your active sessions (desktop, mobile, and browser) and close any you don't recognize with the X, which logs that session out. To share devices securely, see the guide to creating and managing user profiles. If you notice anything suspicious, change your password.

Review linked applications: audit connected third-party apps (e.g., office suites). Unlink anything you don't need with the X and change your password if anything looks wrong.

Improve your password: use unique, long passwords with a variety of characters. From Security, enter the current and new passwords and save the changes.

Monitor linked devices and third-party apps, as well as active web sessions, to track account usage. Close open sessions, delete local copies of files, and revoke third-party applications' access to user accounts to keep control of team data. As a proactive security measure, administrators can reset the password of all team members or of a particular user.

Unlink devices

The administrator can unlink computers and mobile devices connected to user accounts through the Admin console. On computers, unlinking removes the authentication data and offers the option to delete local copies of files the next time that computer connects to the internet. On mobile devices, unlinking removes files and Paper docs saved for offline use, stored data, and login information.

Remote wipe

Protect company data when employees leave the team or lose a device by remotely wiping the data and local copies from both computers and mobile devices, preventing unauthorized access.

Account transfer

After deprovisioning a user (either manually or through directory services), administrators can transfer the files from that user's account to another user on the team.

Log in as a user

Team admins can log in as members of their teams. This gives admins access to files, folders, and Paper docs in team members' accounts so they can resolve issues, share on behalf of team members, or perform other tasks, with file-level auditing (available on Advanced or Enterprise plans).

In addition, from Settings > Security you can check the last known IP address of each device, identify its approximate country, and close sessions in browsers or apps to cut off unauthorized access remotely.

With two-step verification enabled, FIDO key support, and good password and device hygiene, your Dropbox account gains a comprehensive defense against unauthorized access without sacrificing everyday convenience.
