Dropbox Two-Steps Into Double-Knotted Security
Aug 27, 2012 12:10 PM PT
Dropbox has unveiled an experimental build that adds two-factor authentication to subscribers' accounts.
Subscribers can try out build 1.5.12, and Dropbox is asking those who are experimenting with it for their comments.
The response so far appears to be overwhelmingly positive.
Dropbox plans to roll out two-factor authentication (2FA) as an option to all subscribers' accounts in the future.
"I can definitely confirm that two-factor authentication is being used," Dropbox spokesperson Lydia Chan told TechNewsWorld.
"By using multiple communications channels to authenticate the subscriber, the service provider greatly reduces the ability of hackers to access an account," Rob Marchi, messaging solutions architect at Message Systems, told TechNewsWorld. "Message Systems highly recommends two-factor authentication for high-value data."
Dropping the 2FA Bomb
Two-factor authentication requires the use of any two of the following three factors: what you know, what you have, and who you are.
What you know is usually a password; who you are is your identity or a form of biometric identification such as your fingerprint; and what you have could be a smart card or a hardware or software token.
Dropbox will add an additional security code that is either sent to subscribers' mobile phones in a text message or generated by a mobile authenticator app. The company reportedly supports such apps for Android smartphones, iPhones, BlackBerries and Windows Phone devices.
Promises Made, Promises Kept
Dropbox's release of a trial build incorporating 2FA is in line with the company's pledge in July that it would begin rolling out the security measure following complaints from some subscribers that they were being spammed.
An investigation into the spamming found that hackers had stolen some usernames and passwords from third-party websites and were using these to sign into some Dropbox accounts.
A Dropbox employee's account containing a project document with users' email addresses was also hacked using a stolen password, and Dropbox said that this led to the spam attack.
The service is implementing other security measures in the wake of the spam attack, including new automated mechanisms to help identify suspicious activity.
Are 2FA Systems Safe?
However, not all 2FA workflows are created equal, and "some schemas are more difficult to manipulate than the common form of one-time passcode delivered via SMS or token," John Zurawski, vice president of Authentify, told TechNewsWorld.
Further, it's important to distinguish between asking multiple questions and real 2FA. "Asking multiple knowledge-based questions -- something you know, something else you know, and still something else you know, may seem like multi-factor [authentication], but it's all the same form factor," Zurawski pointed out. Authentify assumes the Internet has been compromised, and uses out-of-band authentication, over the phone.
Some 2FA systems are vulnerable to man-in-the-browser and man-in-the-middle attacks. In a man-in-the-browser attack, a proxy Trojan horse exploits weaknesses in a Web browser's security to modify Web pages or the content of transactions. The technique is often used in banking Trojans. Man-in-the-browser attacks can succeed even if encryption or authentication solutions are used.
In a man-in-the-middle attack, the attacker intercepts the messages between two communicating parties and modifies them. It can defeat SMS verification on mobile phones.
"Getting around certain methods of two-factor authentication is quite easy," Chris Brennan, CEO and founder of NetAuthority, told TechNewsWorld. His company generates a unique dynamic device key based on irrefutable attributes within Internet-enabled communication devices, and does so for every authentication session. This "prevents impersonation, and therefore prevents account breaches from unauthorized devices."
Corporations, including Google, are increasingly moving to 2FA, and "quite a few of the most recognized brands on the Internet have been relying on Authentify's form of out-of-band authentication for more than a decade," Zurawski said.