How do I enable two-step verification on my account?

Two-step verification is an optional but highly recommended security feature that adds an extra layer of protection to your Dropbox account. Once enabled, Dropbox will require a six-digit security code in addition to your password whenever you sign in to Dropbox or link a new computer, phone, or tablet.

Storing your emergency backup code

Before enabling two-step verification, you'll receive a special 16-digit backup code. It is very important that you write this code down and store it somewhere safe. If you ever lose your phone, or can't receive or generate a security code, you'll need this backup code for emergency access to your Dropbox.

Enable two-step verification

  1. Sign in to the Dropbox website.
  2. Click on your name from the upper-right of any page to open your account menu.
  3. Click Settings from the account menu and select the Security tab.
  4. Under the Two-step verification section, click Enable.
  5. Click Get started.
  6. For security reasons, you'll be asked to re-enter your password to enable two-step verification. Once you do, you'll be given the choice to receive your security code by text message or to use a mobile app.
  7. After enabling the feature, consider adding a second phone number that can receive text messages as well. If you ever lose your primary phone, you'll be able to receive a backup security code to that number instead.

Use text messages

If you choose to receive your security codes by text message, you'll need a phone capable of receiving text messages (carrier rates may apply). Whenever you successfully sign in to Dropbox using your password, a text message containing a security code will be sent to your phone. To enable this option:

  1. Select Use text messages during the two-step verification setup.
  2. Enter the phone number where you'd like to receive text messages.
  3. You'll be sent a security code by text message. Verify your phone number and enable two-step verification by entering this code when prompted.

Use a mobile app

Several mobile apps are available that will generate a unique time-sensitive security code you can use to finish signing in to your Dropbox account. Any app that supports the Time-based One-Time Password (TOTP) protocol should work, including the following:

To use one of these apps:

  1. Select Use a mobile app during the two-step verification setup.
  2. You can choose to either scan the barcode (if your app supports it) or click enter your secret key manually to be given a secret key you can type into the app.
  3. Once your app is configured, you'll need to enter a security code generated by your authenticator app to verify setup and enable two-step verification.

Most apps will generate security codes even when cellular/data service is not available - useful when traveling or where coverage is unreliable.

For our advanced users

Linux users: Generating a security code from the command line

Those of you using a Unix or Linux shell might consider generating a security code using the OATH tool. This way you can generate a security code from your computer safely within the comfort of the command line.
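
What a command-line TOTP generator computes from the secret key, as an added example (it is not Dropbox's code and not part of the original article). It assumes the RFC 6238 defaults (HMAC-SHA-1, 30-second step) together with the six-digit length mentioned above; the key in the block is the published RFC 6238 test secret, not a real account key.

```python
import base64
import hashlib
import hmac
import struct
import time
from getpass import getpass

# Assumed parameters: RFC 6238 defaults plus the six-digit length from this article.
STEP_SECONDS = 30
DIGITS = 6

# Constructed sample input: the RFC 6238 test secret ("12345678901234567890")
# in base32. It is public and must never be used as a real key.
RFC6238_TEST_KEY = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(secret_b32):
    """Decode a hand-typed base32 key: tolerate spaces, dashes, lowercase, no padding."""
    cleaned = secret_b32.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def totp(secret_b32, at=None):
    """Return the security code for Unix time `at` (default: the current time)."""
    now = time.time() if at is None else at
    counter = int(now) // STEP_SECONDS
    mac = hmac.new(decode_secret(secret_b32), struct.pack(">Q", counter),
                   hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def seconds_remaining(at=None):
    """Seconds until the current code is replaced by the next one."""
    now = time.time() if at is None else at
    return STEP_SECONDS - int(now) % STEP_SECONDS


if __name__ == "__main__":
    # Prompt for the key rather than taking it as an argument, so it stays
    # out of shell history and the process list.
    key = getpass("Secret key (leave empty for the RFC test key): ") or RFC6238_TEST_KEY
    print(totp(key), f"(valid for {seconds_remaining()}s)")
```

The code depends on the computer's clock, so a machine whose time has drifted by more than a step will produce codes that are rejected.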

Dropbox for Business users

If you lose your phone and can't sign in with two-step verification, your admin can turn off two-step verification for you in the admin console.

If your administrator requires that you sign in through a central identity provider with single sign-on (SSO), here’s what you’ll see in your account settings:

Dropbox for Business admins: You can enforce that two-step verification stays enabled. You can do this either through the admin console or through your identity management provider if you've set up single sign-on (SSO).