Two-factor authentication is often held up as a best practice for
security in the online world, but Dropbox on Wednesday announced a new feature
that's designed to make it even more secure. Whereas two-step verification most
commonly involves the user's phone for the second authentication method,
Dropbox's new U2F support adds a new means of authenticating the user via
Universal 2nd Factor (U2F) security keys instead. What that means is that users
can now use a USB key as an additional means to prove who they are. "This
is a very good advancement and adds extra security over mobile notifications
for two-factor authentication," said Rich Mogull, Securosis CEO.
"Basically, you can't trick a user into typing in credentials,"
Mogull explained. "The attacker has to compromise the exact machine the
user is on."For most users, phone-based, two-factor authentication is
"totally fine," he said. "But this is a better option in
high-security environments and is a good example of where the FIDO standard is
headed." Security keys provide stronger defense against credential-theft
attacks like phishing, Dropbox said. "Even if you're using two-step
verification with your phone, some sophisticated attackers can still use fake
Dropbox websites to lure you into entering your password and verification
code," the company explained in a blog post. "They can then use this
information to access your account." Security keys, on the other hand, use
cryptographic communication and will only work when the user is signing in to
the legitimate Dropbox website. Dropbox users who want to use the new feature
will need a security key that follows the FIDO Alliance's Universal 2nd Factor
(U2F) standard. That U2F key can then be set up with the user's Dropbox account
along with any other U2F-enabled services, such as Google. Currently, U2F is
supported for Dropbox.com using only the Chrome browser. Once set up, users
simply insert their key into a USB port when prompted after typing in their
password. (Computerworld)
No comments:
Post a Comment