Two-step verification is an optional but highly recommended security feature. Once enabled, Dropbox will require a six-digit security code or a security key in addition to your password.
Note: Before enabling two-step verification, you'll receive ten backup codes. Copy these codes down and store them securely. If you ever lose your phone, or can't receive or generate a security code, you'll need one of these backup codes to access your Dropbox. Once a backup code is used, it can't be used again.
Already use two-step verification and locked out? Learn how to regain access to your account.
Enable two-step verification
- Sign in to dropbox.com.
- Click your avatar at the top of any page to open the account menu.
- Select the Security tab.
- Under Two-step verification, toggle to On.
- Click Get started.
- For security reasons, you'll be asked to re-enter your password to enable two-step verification. Once you do, you'll be given the choice to receive your security code by text message or to use a mobile app.
- After enabling the feature, consider adding a backup phone number that can receive text messages as well. If you ever lose your primary phone, you'll be able to receive a security code to your backup phone number instead.
Storing your emergency backup codes
Before enabling two-step verification, you'll receive ten 8-digit backup codes. It is very important that you write these codes down and store them somewhere safe. If you ever lose your phone, or can't receive or generate a security code, you'll need one of these backup codes for emergency access to your Dropbox. Once a backup code is used, it can't be used again.
Use text messages
If you choose to receive your security codes by text message, you'll need a phone capable of receiving text messages (carrier rates may apply). Whenever you successfully sign in to Dropbox using your password, a text message containing a security code will be sent to your phone. To enable this option:
- Select Use text messages during the two-step verification setup.
- Enter the phone number where you'd like to receive text messages.
- You'll be sent a security code by text message. Verify your phone number and enable two-step verification by entering this code when prompted.
Use a mobile app
Several mobile apps are available that will generate a unique time-sensitive security code you can use to finish signing in to your Dropbox account. Any app that supports the Time-based One-Time Password (TOTP) protocol should work, including the following:
To use one of these apps:
- Select Use a mobile app during the two-step verification setup.
- You can choose to either scan the barcode (if your app supports it) or click enter your secret key manually to be given a secret key you can type into the app.
- Once your app is configured, you'll need to enter a security code generated by your authenticator app to verify setup and enable two-step verification.
Most apps will generate security codes even when cellular/data service is not available - useful when traveling or where coverage is unreliable.
Note: If you choose to use an authenticator app to receive your verification codes, then we highly recommend manually entering primary and backup phone numbers in your account settings. This is an important step because we use this contact information to help you regain access to your account if you're ever locked out due to an error with two-step verification.
Use a security key
About security keys
A security key is a small USB or Near Field Communication (NFC) device that you can carry on a keychain. When completing two-step verification, inserting your security key into your computer authenticates you with Dropbox.com and finishes signing you into your Dropbox account.
A security key doesn’t require a separate battery or network connection, as two-step verification by SMS or a mobile app does. It offers the convenience of simply inserting your key to authenticate, rather than typing in a 6-digit code. Most importantly, security keys use authenticated communication to defend against phishing attacks, in which attackers set up a phony Dropbox login page in order to lure you into disclosing your private information.
Getting a security key
Setting up a security key requires a one-time purchase of a USB key that follows an open standard called ‘FIDO Universal 2nd Factor (U2F).’
Where can I use my security key?
Once you have a security key, it can be enabled for both your personal and work Dropbox accounts. It can also be used with any other U2F-enabled services, such as Google apps.
Currently, security keys are only supported on select devices and browsers, so you must first set up two-step verification on Dropbox and choose to receive codes via SMS messages or a mobile app. This step ensures that you have a backup method in case a device doesn't support your security key.
Dropbox only supports using a security key when signing in on the website using the Chrome web browser. You can’t use a security key to sign in to the desktop client or mobile application at this time. Don’t worry, you still have the option to use ordinary two-step verification on devices and platforms that do not support U2F, or if you do not have your security key available.
To set up a security key on Dropbox:
- Sign in to dropbox.com.
- Click your avatar at the top of any page to open your account menu.
- Select the Security tab.
- Under Two-step verification, locate the Security keys section. If you do not see this section, follow the Enable two-step verification instructions before proceeding.
- Select Add key.
- You'll be prompted to insert your security key into a USB port.
Note: Security keys differ in the exact instructions to activate them. Your key may require a tap or button press to activate registration. If you are having difficulty completing security key registration, verify that your security key is U2F capable. You can also refer to the manufacturer's instructions specific to your device.
Linux users: Generating a security code from the command line
Those of you using a Unix or Linux shell might consider generating a security code using the OATH tool. This way you can generate a security code from your computer safely within the comfort of the command line.
Dropbox Business users
If you lose your phone and can't sign in with two-step verification, your admin can turn off two-step verification for you in the admin console.
If your administrator requires that you sign in through a central identity provider with single sign-on (SSO), you’ll see Managed by single sign-on under the Security tab in your account settings.
Dropbox Business admins: You can require two-step verification for your team. You can do this either through the admin console or through your identity management provider if you've set up single sign-on (SSO).