Enable two-step verification

Two-step verification is an optional but highly recommended security feature. Once enabled, Dropbox requires a six-digit security code or a security key in addition to your password when you sign in to your account.

Already use two-step verification and locked out? Learn how to regain access to your account.

Sections in this article:

Enable two-step verification

  1. Sign in to dropbox.com.
  2. Click your avatar.
  3. Choose Settings.
  4. Select the Security tab.
  5. Toggle Two-step verification to On.
  6. Click Get started.
  7. Re-enter your password. 
  8. Choose if you want to receive your security code by text message or mobile app:

Use text messages

If you choose to receive your security codes by text message, you need a phone capable of receiving text messages (carrier rates may apply).

Whenever you successfully sign in to Dropbox using your password, a text message containing a security code will be sent to your phone.

To enable this option:

  1. Select Use text messages during the two-step verification setup.
  2. Enter the phone number where you'd like to receive text messages.
  3. Click Next.
  4. You'll be sent a security code by text message. Enter this code into the prompt on dropbox.com.
  5. Click Next.

Use a mobile app

Several mobile apps are available that will generate a unique time-sensitive security code you can use to finish signing in to your Dropbox account. Any app that supports the Time-based One-Time Password (TOTP) protocol should work, including:

Once you download one of these apps, follow these steps to use the app for Dropbox two-step verification: 

  1. Select Use a mobile app during the two-step verification setup.
  2. You can either:
    • Scan the barcode (if your app supports it): Open your app of choice and choose to add a new account. You may then be able to use your phone's camera to scan the barcode on dropbox.com.
    • Enter your secret key manually: You'll be given a secret key on dropbox.com that you can type into the app. Use the steps in your app to add a new account using a secret key.
  3. Click Next.
  4. Once your app is configured, enter the security code generated by your authenticator app to verify setup and enable two-step verification.
  5. Click Next.

Most apps will generate security codes even when cellular/data service is not available - useful when traveling or where coverage is unreliable.

Note: If you choose to use an authenticator app to receive your verification codes, then we highly recommend manually entering primary and backup phone numbers in your account settings. This is an important step because we use this contact information to help you regain access to your account if you're ever locked out due to an error with two-step verification.

Add a backup method

After enabling two-step verification, consider adding a backup phone number that can receive text messages as well. If you ever lose your primary phone, or can't use your authenitcator app, you can send a security code to your backup phone number instead.

  1. Sign in to dropbox.com.
  2. Click your avatar.
  3. Choose Settings.
  4. Select the Security tab.
  5. Under Two-step verification, click Add next to Backup method.
  6. Enter your password.
  7. Enter the phone number you'd like to use as your backup device.

Storing your emergency backup codes

When enabling two-step verification, you'll receive ten 8-digit backup codes. It is very important that you write these codes down and store them somewhere safe. If you ever lose your phone, or can't receive or generate a security code, you need one of these backup codes for emergency access to your Dropbox. Once a backup code is used, it can't be used again.

If you didn't note your backup codes when you first set up two-step verification, you can find them on dropbox.com:

  1. Sign in to dropbox.com.
  2. Click your avatar.
  3. Choose Settings.
  4. Select the Security tab.
  5. Under Two-step verification, click Show next to Recovery codes.
  6. Enter your password.
  7. Use or save the code that appears.

Use a security key

About security keys

A security key is a small USB or Near Field Communication (NFC) device that you can carry on a keychain. When completing two-step verification, inserting your security key into your computer authenticates you with Dropbox.com and finishes signing you into your Dropbox account.

A security key doesn’t require a separate battery or network connection like when using SMS or a mobile app for two-step verification. It allows the convenience of simply inserting your key to authenticate, rather than typing in a 6-digit code. Most importantly, security keys use authenticated communication to defend against phishing attacks, in which attackers set up a phony Dropbox login page in order to lure you into disclosing your private information.

Set up a security key for your Dropbox account:

  1. Sign in to dropbox.com.
  2. Click your avatar.
  3. Choose Settings.
  4. Select the Security tab.
  5. Under Two-step verification, click Add next to Security keys. If you do not see this section, follow the Enable two-step verification instructions before proceeding.
  6. Enter your password
  7. Insert your security key into a USB port, then click Begin setup.

Getting a security key

Setting up a security key requires a one-time purchase of a USB key that follows an open standard called ‘FIDO Universal 2nd Factor (U2F).’

Where can I use my security key?

Once you have a security key, it can be enabled for both your personal and work Dropbox accounts. It can also be used with any other U2F enabled services, such as Google apps.

Currently, security keys are only supported on select devices and browsers, so you must first set up two-step verification for your Dropbox account and select to receive codes via SMS messages or a mobile app. This step ensures that you have a backup method, in case a device doesn't support your security key.

Dropbox only supports using a security key when signing in to dropbox.com using the Chrome web browser. You can’t use a security key to sign in to the desktop or mobile apps at this time. Don’t worry, you still have the option to use text or mobile app two-step verification on devices and platforms that do not support U2F, or if you do not have your security key available.

Using a security key

Note: Security keys differ in the exact instructions to activate them. Your key may require a tap or button press to activate registration. If you are having difficulty completing security key registration, verify that your security key is U2F capable. You can also refer to the manufacture instructions specific to your device.

Dropbox Business

If you lose your phone and can't sign in with two-step verification, your admin can turn off two-step verification for you in the admin console.

If your admin requires that you sign in using single sign-on (SSO), you’ll see Managed by single sign-on under the Security tab in your account settings.

Dropbox Business admins: You can require two-step verification for your team. You can do this through the admin console or your identity management provider if you use single sign-on (SSO).

Learn more

Linux users: Generating a security code from the command line

Those of you using a Unix or Linux shell might consider generating a security code using the OATH tool. This way you can generate a security code from your computer safely from the command line.

Did this article answer your question?

We’re sorry to hear that. Let us know how we can improve:

Thanks for your feedback!

Community answers
    Community answers

      Other ways to get help


      Twitter support

      Guided help