I'd Go for the App
Generally less accurately referred to as Two-Step Authentication, the principle of Two Factor Authentication demands the production of two or more out of a set of three authentication factor categories:
- A knowledge factor - something you know;
- A possession factor - something you have; and
- An inherence factor - something you are.
One of the first two-factor systems to gain popularity was Google's Authenticator app (an open source project) on these platforms:
- Android 2.1 or later;
- iPhone iOS 3.1.3 or later; and
- BlackBerry OS 4.5 - 6.0.
Now On Dropbox
Anyway, not to bury the lede, Dropbox - perhaps in response to last month's spammage, enabled by a Dropbox employee who had re-used his or her password at another, previously hacked site, resulting in the exposure of many users' email addresses - now offers such a system. Look under the Security tab, in the section labelled Account sign in, for the so-called Two-step verification setting.
Two options are provided for acquiring the new verification code. The first is a simple text message to your mobile phone. This is the easier of the two, but it also introduces a new potential vulnerability. Attackers can use social engineering against your phone provider to have your messages forwarded to another account. This exploit has in fact been documented several times against Google's two-factor system, e.g. at CloudFlare in May of this year.
So yeah, I'd definitely go for option 2, which is to use one of the following mobile apps to generate a unique time-sensitive security code with the help of the standard Time-based One-Time Password (TOTP) algorithm:
- Google Authenticator (Android/iPhone/BlackBerry, as mentioned above)
- Amazon AWS MFA (Android)
- Windows Phone Authenticator (Windows Phone 7)
Hat tip: Brian Krebs, as is so often the case!