Two-step verification (also known as two factor authentication or 2FA) is a highly recommended security feature that adds an extra layer of protection to your Dropbox account. Enabling two-step verification means that Dropbox will require a six-digit security code (in addition to your password) when you sign in to your account or link a new computer, phone, or tablet.
In order for two-step verification to work correctly, you'll need a mobile device capable of receiving text messages or running a compatible mobile authenticator app.
If you see Managed by single sign-on under the Security tab, your team uses single sign-on (SSO). This means you might not be able to use two-step verification with Dropbox. Contact your admin to learn more.
If you choose to receive your security codes by text message, you need a phone capable of receiving text messages (carrier rates may apply). A text message containing a security code will be sent to your phone each time you sign in to Dropbox.
Enter the phone number where you'd like to receive text messages.
You’ll receive a security code via text message. Enter this code into the prompt on dropbox.com.
If you choose to receive your security codes through an authenticator app, you’ll first need to download one. The authenticator app you choose will need to generate a unique time-sensitive security code. Most authenticator apps can generate security codes even when cellular/data service is not available, which can be useful when traveling or where coverage is unreliable. Any app that supports the Time-based One-Time Password (TOTP) protocol should work, including:
You'll be prompted to enter your password to continue
How to add a backup method for two-step verification
After enabling two-step verification, consider adding a backup phone that can receive text messages as well. If you ever lose your primary phone, or can't use your authenticator app, you can send a security code to your backup phone number instead.
When entering a backup code, be careful to transcribe the code correctly. The number "1" can look like an "L," a "0" (zero) can look like an "O," etc.
If you've used your last backup code, you will be prompted to generate new backup codes.
We also recommend changing your password if you've lost your phone.
How to use a security key for two-step verification
You can use a security key for two-step verification, rather than a 6-digit security code. A security key is a small USB, Bluetooth, or Near Field Communication (NFC) device that follows one of the open standards:
‘FIDO Universal 2nd Factor (U2F)'
'Web Authentication (WebAuthn)', also known as 'FIDO2’
Unlike SMS or mobile app verification, a security key doesn’t require a separate battery or network connection. Most importantly, security keys use authenticated communication to defend against phishing attacks.
Insert your security key into a USB port, then click Begin setup.
Where can I use my security key?
Once you have a security key, it can be enabled for both your personal and work Dropbox accounts. It can also be used with other WebAuthn or U2F enabled services, such as Google apps.
Currently, security keys are only supported on select devices and browsers, so you must first set up two-step verification for your Dropbox account and select to receive codes via SMS messages or a mobile app. This step ensures that you have a backup method, in case a device doesn't support your security key.
Dropbox only supports using a security key when signing in to dropbox.com using the Chrome or Firefox web browsers. You can’t use a security key to sign in to the desktop or mobile apps at this time. Don’t worry, you still have the option to use text or mobile app two-step verification on devices and platforms that don’t support U2F or WebAuthn, or if you don't have your security key available.
Note: Security keys differ in the exact instructions to activate them. Your key may require a tap or button press to activate registration. If you are having difficulty completing security key registration, verify that your security key is U2F or WebAuthn capable. You can also refer to the manufacturer instructions specific to your device.