You might see that the Dropbox Community team have been busy working on some major updates to the Community itself! So, here is some info on what’s changed, what’s staying the same and what you can expect from the Dropbox Community overall.
Forum Discussion
Potential security problem with Google Sign-In, even with 2FA when accessing my account.
I have an Android phone with a Google account. If I install the Dropbox app, the login screen prompts me to use Google Sign-In to log in to my Dropbox account. If I accept, I get automatically logged...
icab_80 wrote:
Ideally what I want is to completely disable Google Sign-In ...
There is no option for that within Dropbox.
Auto sign-in is disabled ... Despite this, it still lets me auto sign-in in the Dropbox app.This sounds like an issue with your Google account or phone, rather than a problem with Dropbox. If you're signing in with Google and Google isn't allowing you to confirm the sign-in, that's on Google. Dropbox can't control that.
Perhaps it's happening because you've already signed in using Google and allowed access, so it's remembering that connection and just signing in. If so, disable the connection between Google and your Dropbox account (in your Google account settings).
Fix your Google auto sign-in and your issue is resolved.
Megan
Dropbox Staff
Dropbox StaffHey icab_80, welcome to our Community!
Let me ask a few things, to make sure we're on the same page.
You mentioned "If I activate 2FA beforehand from my PC and then use Google Sign-In, then I get an SMS code in the same phone where I'm trying to log in from". Is 2FA currently enabled for your Dropbox account?
I'm asking because if 2FA is enabled on a Dropbox account, you'll still need to enter a Dropbox multi-factor authentication code before logging in with Google. Is this not the case when you use your mobile app?
Let me know more, and we'll take it from there!
Hello Megan,
Thanks for your reply and apologies for the massive delay in getting back to you, I completely forgot about this.
Yes, 2FA is enabled in my Dropbox account, and yes, this means that I am asked for a multi-factor authentication code before logging in with Google. This is perfect when signing in from my PC: I enter my Dropbox password and the 2FA code that is sent to my phone.
The problem is that when I sign in using the Dropbox app on my phone, then the 2FA code is again sent to the same phone, and even automatically entered into the dialog box without me doing nothing, so it serves no security purpose.
Combined with the fact that Google Sign-In removes the need to enter my Dropbox account, this means that anyone that gains unauthorized access to my phone can download the Dropbox app and use Google Sign-In to access to my Dropbox account, simply by entering the 2FA code sent to the phone. There must be something that I'm doing wrong, because otherwise it's a massive security problem.
Thanks again for your help!
- Rich
Super User II
icab_80 wrote:
There must be something that I'm doing wrong, because otherwise it's a massive security problem.
Are you not securing the device itself?
Hello Rich,
Thanks for your reply. Yes, the phone is secured with the usual screen lock, but if someone were to bypass that, nothing would stop them from gaining access to my Dropbox account, even if I'm signed out and the app is uninstalled, simply by reinstalling it and using Google Sign-In. I'm no security expert by any means, but I don't think that should be possible.
- Rich
icab_80 wrote:
Yes, the phone is secured with the usual screen lock, but if someone were to bypass that ...
Disable the auto sign-in on your Google account so you have to provide confirmation before signing in, use a secure passcode for the device itself, and don't use SMS for the Dropbox two-step verification. Use an authenticator app that you can further secure.
Any service is only as secure as the weakest link. If you're that worried about the device being compromised, you shouldn't have anything set up for auto sign-in, and you shouldn't be using a simple SMS message for multi-factor authentication.
