You might see that the Dropbox Community team have been busy working on some major updates to the Community itself! So, here is some info on what’s changed, what’s staying the same and what you can expect from the Dropbox Community overall.
Forum Discussion
Potential security problem with Google Sign-In, even with 2FA when accessing my account.
I have an Android phone with a Google account. If I install the Dropbox app, the login screen prompts me to use Google Sign-In to log in to my Dropbox account. If I accept, I get automatically logged...
icab_80 wrote:
Ideally what I want is to completely disable Google Sign-In ...
There is no option for that within Dropbox.
Auto sign-in is disabled ... Despite this, it still lets me auto sign-in in the Dropbox app.This sounds like an issue with your Google account or phone, rather than a problem with Dropbox. If you're signing in with Google and Google isn't allowing you to confirm the sign-in, that's on Google. Dropbox can't control that.
Perhaps it's happening because you've already signed in using Google and allowed access, so it's remembering that connection and just signing in. If so, disable the connection between Google and your Dropbox account (in your Google account settings).
Fix your Google auto sign-in and your issue is resolved.
Hello Megan,
Thanks for your reply and apologies for the massive delay in getting back to you, I completely forgot about this.
Yes, 2FA is enabled in my Dropbox account, and yes, this means that I am asked for a multi-factor authentication code before logging in with Google. This is perfect when signing in from my PC: I enter my Dropbox password and the 2FA code that is sent to my phone.
The problem is that when I sign in using the Dropbox app on my phone, then the 2FA code is again sent to the same phone, and even automatically entered into the dialog box without me doing nothing, so it serves no security purpose.
Combined with the fact that Google Sign-In removes the need to enter my Dropbox account, this means that anyone that gains unauthorized access to my phone can download the Dropbox app and use Google Sign-In to access to my Dropbox account, simply by entering the 2FA code sent to the phone. There must be something that I'm doing wrong, because otherwise it's a massive security problem.
Thanks again for your help!
Rich
Super User II
Super User II
icab_80 wrote:
There must be something that I'm doing wrong, because otherwise it's a massive security problem.
Are you not securing the device itself?
Hello Rich,
Thanks for your reply. Yes, the phone is secured with the usual screen lock, but if someone were to bypass that, nothing would stop them from gaining access to my Dropbox account, even if I'm signed out and the app is uninstalled, simply by reinstalling it and using Google Sign-In. I'm no security expert by any means, but I don't think that should be possible.
- Rich
icab_80 wrote:
Yes, the phone is secured with the usual screen lock, but if someone were to bypass that ...
Disable the auto sign-in on your Google account so you have to provide confirmation before signing in, use a secure passcode for the device itself, and don't use SMS for the Dropbox two-step verification. Use an authenticator app that you can further secure.
Any service is only as secure as the weakest link. If you're that worried about the device being compromised, you shouldn't have anything set up for auto sign-in, and you shouldn't be using a simple SMS message for multi-factor authentication.
Hello Rich,
Thanks for your advice. Auto sign-in is disabled on my Google account, and there are no passwords saved in Google's password manager. Under the third party apps settings in Google, "Sign in prompts" is also disabled. Despite this, it still lets me auto sign-in in the Dropbox app.
As for your suggestion of using an authenticator app instead of SMS for 2FA: it's sound advice, but Google's Authenticator app cannot be further secured, it can be accessed like any other app. I'm not sure if other authenticator apps can be secured with passwords or other features.
Ideally what I want is to completely disable Google Sign-In, or alternatively, have no access to my Dropbox account from my phone. As it stands right now, this is not possible: because of Google Sign-In, anyone with access to my phone automatically has access to my Dropbox account, whether 2FA is enabled or not, with SMS or an authenticator app.
Thanks for your help.
