Re: Dropbox's 'two-step verification'

Kit_L
Community Member
edited September 2012 in Lounge
One of the reasons I bought in to the 1Password solution is that I am on the road over six months of the year, and expect to be for years to come, and data theft is a daily concern. One of the biggest problems of being on the road is phones: different country, different phone or SIM card, and (this is the really tricky part) different numbers.

Now, for staying in contact with hosts and friends, a new number every few weeks is no drama, because email is the constant. But for any two-step verification process, it's a nightmare. Yesterday (while I was in Australia and my partner in Scottsdale, USA) we had to use part of the time-zone overlap to do some international banking. She wanted to pay a local consultant—with an Australian bank. Well, that could not work: they require two-step verification too, and she has one of my phones in the US—but that number is not part of her profile, and there is no way she can get an international SMS on the plan she has.


I needed to use the two-step verification the bank uses five times to do that transfer (one to lift my limit; for security, because normally she handles finances, my international transfer limit is set to zero, one to enter a new transfer, etc. etc.).

So, for me personally, Jeff's advice is not only sound, it will remain my MO while on the road: until the era of the world phone, two-step verification must remain a local single-country based solution, it seems to me.

Comments

  • khad
    1Password Alumni
    Thanks for the feedback, Kit! You outline a very good example of a use case where two-step verification is not only inconvenient but could also be very costly. Data availability is a very important aspect of security.
  • Kit_L
    Community Member
    No point in making it so secure you can't get at it!
  • steveberl
    Community Member
    After reading the blog post, I'm a bit confused about the proper use of 1Password and Dropbox.

    Seems the suggestion is to create a strong random password for your Dropbox account, and then save that in 1Password.

    But, Dropbox is where my 1Password database lives, and in order to get at it, I need my Dropbox password. It seems to be a catch-22 situation where I need 1Password to find my Dropbox password, and I need Dropbox to find my 1Password database.

    Am I missing something? Seems I need to have the Dropbox password saved someplace that doesn't require the Dropbox password to access.

    -steve
  • khad
    1Password Alumni
    edited September 2012
    steveberl wrote:

    Seems the suggestion is to create a strong random password for your Dropbox account, and then save that in 1Password.

    That is what I do as I access my Dropbox password via another computer or device if I need to look it up (i.e. iPhone, iPad, other Mac/PC). It is also possible to access all of your 1Password data via a local, offline backup — such as Time Machine, SuperDuper, etc. — in any modern browser using the 1PasswordAnywhere feature built into your data file:

    1PasswordAnywhere

    If you wish, you could also employ the technique we recommend for creating strong, memorable Master Passwords when creating your Dropbox password:

    Toward Better Master Passwords

    More details on this can be found in our recent blog post on the Mat Honan story:

    More than just one password: Lessons from an epic hack
  • thinklad
    Community Member
    What is the status on the support of Dropbox two-step authentication?
    Jeff's blog post on the topic hasn't been updated and I did not find any recent info on this. Is it safe to activate now?
  • thightower
    Community Member
    edited November 2012
    Been using it since day one (during beta cycle) with no issues, none whatsoever.

    What we see in the Dropbox forums is this:

    People change phones and are using the mobile app vs the SMS option. If this happens, disable the feature (2 Step on the Dropbox site) and then re-enable it with the new device. It's a security feature to keep folks from copying the files from one phone to another and gaining access to your account.

    Make sure and store the emergency reset password in a safe place, make sure to include it in maybe a safe deposit box etc. The reason behind this is if you are traveling etc. and lose your phone etc. You or a trusted relative will be able to gain access to the file and restore access to your account etc.

    Make sure your Dropbox account has a current and valid email address, make it a private one, non-work-related in case you lose employment and lose access to the email. If you are a student make sure and do the same, after you graduate some institutions will yank the email address you used in school.

    The reason for the email thing is this. Dropbox has begun to automatically expire passwords that have not been changed in forever. Yes, they expired my 1Password random 50 character password. They are sending reset instructions to that email address and if it's no longer valid it poses an issue. They have begun to add some additional features for regaining access. Which involve the Dropbox app on a particular linked device and so forth.

    Those are the most common issues we moderators see in the forums. Other than that there really are no issues on Dropbox's end.

    Of course your question was mainly for Jeff but thought if he were gonna respond I would give him some tidbits we see in the Dropbox forums.


    I am sure he will be along shortly to give more insight into it.
  • khad
    1Password Alumni
    I will poke Jeff to post the follow up. I'm pretty sure he has at least a draft of it.
  • thinklad
    Community Member
    Thanks for the feedback! Will give it a try - and looking forward to Jeff's update as well.
  • akpm
    edited December 2012
    Hi,

    I'm new here. I purchased a family license last week and, following the advice on this forum on how to make 2 separate accounts, now me and my wife are set (each one on iPhone and own PC).
    To all above regarding DB, I also use SugarSync which is really good, but not many people know about them. I dropped DB due to their privacy policy a while ago. Maybe it has been changed, but I don't keep there what I used to anymore, just basic. Is there any chance to implement other solutions to DB like SS mentioned above? I don't use Evernote either, which is IMO overexposed (advertised).
  • khad
    1Password Alumni
    Welcome to the forums, akpm! Please see my post in the SugarSync feature request thread. :)

    Additionally, the following document also applies:

    Alternatives to Dropbox cloud syncing: iCloud, Google Drive, SkyDrive

    If we can be of further assistance, please let us know. We are always here to help!
  • khad wrote:

    Welcome to the forums, akpm! Please see my post in the SugarSync feature request thread. :)

    Additionally, the following document also applies:

    Alternatives to Dropbox cloud syncing: iCloud, Google Drive, SkyDrive

    If we can be of further assistance, please let us know. We are always here to help!


    Thank you a lot. It was helpful. I hope 1Password will please many of us in the near future :-)
  • khad
    1Password Alumni
    It is my pleasure to help. Happy New Year!
This discussion has been closed.