

icab_80
Explorer | Level 3
6 months ago

Potential security problem with Google Sign-In, even with 2FA, when accessing my account.

I have an Android phone with a Google account. If I install the Dropbox app, the login screen prompts me to use Google Sign-In to log in to my Dropbox account. If I accept, I get automatically logged in without needing my username and password. If I activate 2FA beforehand from my PC and then use Google Sign-In, I get an SMS code on the same phone I'm trying to log in from.


This means that, even if I don't use Dropbox on my phone and only use it from my PC, anyone who has access to my phone could download the Dropbox app and access my account without needing my username and password, even if 2FA is activated.


I'd appreciate it if anyone could tell me whether I'm doing something wrong and this is normal behavior, or whether this is a security problem, and in either case how I can avoid it and completely disconnect my Google and Dropbox accounts from each other. Thank you!

  • Rich
    2 months ago

    icab_80 wrote:

    Ideally what I want is to completely disable Google Sign-In ...


    There is no option for that within Dropbox.



    Auto sign-in is disabled ... Despite this, it still lets me auto sign-in in the Dropbox app.

    This sounds like an issue with your Google account or phone, rather than a problem with Dropbox. If you're signing in with Google and Google isn't allowing you to confirm the sign-in, that's on Google. Dropbox can't control that.


    Perhaps it's happening because you've already signed in using Google and allowed access, so it's remembering that connection and just signing in. If so, disable the connection between Google and your Dropbox account (in your Google account settings).


    Fix your Google auto sign-in and your issue is resolved.

  • Megan
    Dropbox Staff

    Hey icab_80, welcome to our Community! 


    Let me ask a few things, to make sure we're on the same page. 


    You mentioned "If I activate 2FA beforehand from my PC and then use Google Sign-In, then I get an SMS code in the same phone where I'm trying to log in from". Is 2FA currently enabled for your Dropbox account? 


    I'm asking because if 2FA is enabled on a Dropbox account, you'll still need to enter a Dropbox multi-factor authentication code before logging in with Google. Is this not the case when you use your mobile app? 


    Let me know more, and we'll take it from there!

    • icab_80
      Explorer | Level 3

      Hello Megan,


      Thanks for your reply, and apologies for the massive delay in getting back to you; I completely forgot about this.


      Yes, 2FA is enabled in my Dropbox account, and yes, this means that I am asked for a multi-factor authentication code before logging in with Google. This is perfect when signing in from my PC: I enter my Dropbox password and the 2FA code that is sent to my phone.


      The problem is that when I sign in using the Dropbox app on my phone, the 2FA code is again sent to the same phone, and even automatically entered into the dialog box without me doing anything, so it serves no security purpose.


      Combined with the fact that Google Sign-In removes the need to enter my Dropbox credentials, this means that anyone who gains unauthorized access to my phone can download the Dropbox app and use Google Sign-In to access my Dropbox account, simply by entering the 2FA code sent to the phone. There must be something that I'm doing wrong, because otherwise it's a massive security problem.


      Thanks again for your help!

      • Rich
        Super User II

        icab_80 wrote:

        There must be something that I'm doing wrong, because otherwise it's a massive security problem.


        Are you not securing the device itself?
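The flow icab_80 describes (the phone's Google session standing in for the password, and the SMS code delivered to, and auto-filled on, the same phone) and Rich's closing question about securing the device both come down to one property: whether the factors a login demands are independent of the device doing the logging in. The Python model below, added here as an example and not code from Dropbox, Google or anyone in this thread, makes that property countable. Each factor lists the assets whose possession satisfies it, and a brute-force search finds the smallest set of assets whose compromise passes the whole policy. The asset names ("phone", "password", "hardware key") and the three policies are constructed to mirror the thread; the hardware-key variant is an assumed configuration the thread does not mention.

```python
"""Which assets must an attacker hold to pass a login policy?

Constructed example for this thread; not Dropbox's or Google's code, and it
calls neither service. A policy is a list of factors that must all be
satisfied; a factor is satisfied by holding any one of its *sources*
(a device or a secret). Asset labels are constructed for illustration.
"""
from dataclasses import dataclass
from itertools import combinations
from typing import FrozenSet, Iterable, List, Optional


@dataclass(frozen=True)
class Factor:
    name: str
    sources: FrozenSet[str]  # holding any one of these satisfies the factor


def all_assets(policy: Iterable[Factor]) -> FrozenSet[str]:
    """Every asset referenced by any factor in the policy."""
    return frozenset(asset for factor in policy for asset in factor.sources)


def satisfies(policy: Iterable[Factor], held: FrozenSet[str]) -> bool:
    """True when every factor has at least one source among the held assets."""
    return all(factor.sources & held for factor in policy)


def min_assets_to_login(policy: List[Factor]) -> Optional[FrozenSet[str]]:
    """Smallest set of assets whose compromise satisfies the whole policy.

    Brute-force minimum hitting set, fine for a handful of factors. Candidates
    are tried in sorted order so the answer is deterministic. Returns None if
    some factor has no source at all (nothing can satisfy it).
    """
    assets = sorted(all_assets(policy))
    for size in range(len(assets) + 1):
        for combo in combinations(assets, size):
            if satisfies(policy, frozenset(combo)):
                return frozenset(combo)
    return None


def single_point_of_failure(policy: List[Factor]) -> Optional[str]:
    """An asset that on its own satisfies every factor, or None if none does."""
    for asset in sorted(all_assets(policy)):
        if satisfies(policy, frozenset({asset})):
            return asset
    return None


# --- constructed scenarios mirroring the thread -------------------------------

# PC login as icab_80 describes it: Dropbox password, then an SMS code to the phone.
PC_PASSWORD_PLUS_SMS = [
    Factor("dropbox password", frozenset({"password"})),
    Factor("sms code", frozenset({"phone"})),
]

# Android app with Google Sign-In: the phone's Google session stands in for the
# password, and the SMS code is delivered to (and auto-filled on) the same phone.
PHONE_GOOGLE_SIGNIN_PLUS_SMS = [
    Factor("google session", frozenset({"phone"})),
    Factor("sms code", frozenset({"phone"})),
]

# Same app flow with a second factor that does not live on the phone (assumed
# configuration; the thread only mentions SMS codes).
PHONE_GOOGLE_SIGNIN_PLUS_KEY = [
    Factor("google session", frozenset({"phone"})),
    Factor("security key", frozenset({"hardware key"})),
]


def describe(label: str, policy: List[Factor]) -> str:
    """One-line summary of how many independent assets the policy really demands."""
    need = min_assets_to_login(policy)
    spof = single_point_of_failure(policy)
    needed = "unsatisfiable" if need is None else ", ".join(sorted(need))
    verdict = f"single point of failure: {spof}" if spof else "no single point of failure"
    return f"{label}: {len(policy)} factors, needs {{{needed}}}; {verdict}"


if __name__ == "__main__":
    for label, policy in [
        ("PC password + SMS", PC_PASSWORD_PLUS_SMS),
        ("Phone Google Sign-In + SMS", PHONE_GOOGLE_SIGNIN_PLUS_SMS),
        ("Phone Google Sign-In + hardware key", PHONE_GOOGLE_SIGNIN_PLUS_KEY),
    ]:
        print(describe(label, policy))
```

Run as a script, the app-plus-SMS policy reports two factors but a single point of failure on the phone, the PC policy needs both the password and the phone, and moving the second factor off the phone restores two independent assets. Counting factors is not the same as counting independent assets; the second number is the one that matters when the threat is someone holding the unlocked device.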