Universal 2nd Factor (U2F) security key


Introducing U2F support for secure authentication


Published on August 12, 2015

Making sure only you can access your account is an important part of keeping Dropbox safe. Today, we’re adding Universal 2nd Factor (U2F) security keys as an additional method for two-step verification, giving you stronger authentication protection.

Why should I care?
Security keys are an easy way to use two-step verification when signing in to dropbox.com. After typing in your password, just insert your key into a USB port when you’re prompted, instead of typing in a six-digit code. And unlike two-step with a phone, you’ll never have to worry about your battery going dead when you use a security key.

Security keys provide stronger defense against credential theft attacks like phishing. Even if you’re using two-step verification with your phone, some sophisticated attackers can still use fake Dropbox websites to lure you into entering your password and verification code. They can then use this information to access your account.

Security keys are designed to protect against these types of attacks. By using cryptographic communication, they will only work when you’re signing in to the legitimate Dropbox website.

How do I use it?
You’ll need a security key that follows an open standard called “FIDO Universal 2nd Factor (U2F)” from the FIDO Alliance. This U2F key can then be set up with your Dropbox account and any other U2F-enabled services, such as Google.

Once you have a key, go to the Security tab in your Dropbox account settings and click Add next to Security keys. Currently, U2F is only supported for dropbox.com using the Chrome web browser. Signing in from a device or platform where U2F isn’t supported, or don’t have your key on hand? Don’t worry — you’ll still have the option to use two-step verification through text message or an authenticator app.

You can find detailed information on how to get started in our Help Center. And be sure to check out these tips to learn how you can better protect yourself from phishing and malware.