How do I enable two-step verification on my account?
Two-step verification is an optional but highly recommended security feature that adds an extra layer of protection to your Dropbox account. Once enabled, Dropbox will require a six-digit security code in addition to your password whenever you sign in to Dropbox or link a new computer, phone, or tablet.
Storing your emergency backup code
Before enabling two-step verification, you'll receive a special 16-digit backup code. It is very important that you write this code down and store it somewhere safe. If you ever lose your phone, or can't receive or generate a security code, you'll need this backup code for emergency access to your Dropbox.
Enable two-step verification
- Sign in to the Dropbox website.
- Click on your name from the upper-right of any page to open your account menu.
- Click Settings from the account menu and select the Security tab.
- Under the Two-step verification section, click Enable.
- Click Get started.
- For security reasons, you'll be asked to re-enter your password to enable two-step verification. Once you do, you'll be given the choice to receive your security code by text message or to use a mobile app.
- After enabling the feature, consider adding a second phone number that can receive text messages as well. If you ever lose your primary phone, you'll be able to receive a backup security code to that number instead.
Use text messages
If you choose to receive your security codes by text message, you'll need a phone capable of receiving text messages (carrier rates may apply). Whenever you successfully sign in to Dropbox using your password, a text message containing a security code will be sent to your phone. To enable this option:
- Select Use text messages during the two-step verification setup.
- Enter the phone number where you'd like to receive text messages.
- You'll be sent a security code by text message. Verify your phone number and enable two-step verification by entering this code when prompted.
Use a mobile app
Several mobile apps are available that will generate a unique time-sensitive security code you can use to finish signing in to your Dropbox account. Any app that supports the Time-based One-Time Password (TOTP) protocol should work, including the following:
- Google Authenticator (Android/iPhone/BlackBerry)
- Duo Mobile (Android/iPhone)
- Amazon AWS MFA (Android)
- Authenticator (Windows Phone 7)
To use one of these apps:
- Select Use a mobile app during the two-step verification setup.
- You can choose to either scan the barcode (if your app supports it) or click enter your secret key manually to be given a secret key you can type into the app.
- Once your app is configured, you'll need to enter a security code generated by your authenticator app to verify setup and enable two-step verification.
Most apps will generate security codes even when cellular/data service is not available - useful when traveling or where coverage is unreliable.
Note: If you choose to use an authenticator app to receive your verification codes, then we highly recommend manually entering primary and backup phone numbers in your account settings. This is an important step because we use this contact information to help you regain access to your account if you're ever locked out due to an error with two-step verification.
For our advanced users
Linux users: Generating a security code from the command line
Those of you using a Unix or Linux shell might consider generating a security code using the OATH tool. This way you can generate a security code from your computer safely within the comfort of the command line.
Dropbox for Business users
If you lose your phone and can't sign in with two-step verification, your admin can turn off two-step verification for you in the admin console.
If your administrator requires that you sign in through a central identity provider with single sign-on (SSO), here’s what you’ll see in your account settings:
Dropbox for Business admins: You can enforce that two-step verification stays enabled. You can do this either through the admin console or through your identity management provider if you've set up single sign-on (SSO).