Dropbox: When Account Security Goes Too Far

Editorial / Tech

There’s no doubt that in this day and age online security is at the top of most people’s minds, and if it’s not, it should be. Two-factor authentication has become common practice for logging into accounts and services, and the file-sharing/storage service Dropbox was one of the first to adopt it. Introduced back in 2012, Dropbox’s two-step verification requires a one-time code from an authenticator app like Google Authenticator, or it can be set up to send a code via SMS to a mobile number instead. But what happens if your phone dies or you can no longer access the mobile number associated with your Dropbox two-factor authentication?

Simply put, you’re straight out of luck. I’ve had a Dropbox account for as long as I can remember, most likely since shortly after the service first launched. As soon as two-factor authentication was added to the service, I promptly set it up and added it to my Google Authenticator app. Sadly I didn’t have the foresight to enable SMS as well, for whatever reason. Then I had trouble with my Samsung Galaxy SII Skyrocket, namely the mainboard crashed. And with that, I kissed my Dropbox account goodbye — though not through any desire to do so on my part.

Try as I might, I could not recover my Dropbox account. Because I had lost the backup code (I know I had emailed it to myself, but that’s another rant for another day) and didn’t have SMS set up, there was no way I could log in to my Dropbox account. Even the computer I had the Dropbox desktop app installed on wouldn’t let me log in because I didn’t have my two-factor authentication code. I attempted to contact Dropbox support about it, but my contact form submissions and emails were ignored — and according to the FAQ I was simply out of luck. I couldn’t sign up for a new Dropbox account with my primary email address either, because it was already attached to a Dropbox account. So I wrote off Dropbox and pretty much started exclusively using Google Drive for my cloud storage and file sharing. No big deal.

Fast forward to about a week ago. I received an email stating that my Dropbox account would be closed in 90 days if I didn’t log into it due to inactivity. Near the bottom of the email, I noticed an email address you could contact if you were having issues. Finally, maybe I could somehow recover my Dropbox account! So I forwarded the email and explained my situation and waited for a response. Sadly, after multiple back and forths with Dropbox support, I basically received the following response:

I’m very sorry, but if you’ve lost or reset your phone and don’t have any of the following items, then there’s nothing we can do to disable two-step verification.


Google gives you other recovery options.

So why the rant? I understand the need and desire for secure logins. I love two-factor authentication. But sometimes, due to circumstances beyond our control, we find ourselves locked out of our accounts. The problem with Dropbox is that if your phone dies, you change your phone number, or you otherwise lose access to your two-factor authentication app, backup codes, or linked smartphone, you’re just plum straight out of luck. Other companies like Google and Blizzard, on the other hand, have other ways to log in and verify your identity if you can’t use the app or SMS. Granted, it’s a pain in the butt: going through Google support takes 3-5 days, and Blizzard requires you to email them a scan of your driver’s license. When I had to do that it took about a week before they removed the Blizzard Authenticator from my account.

While it’s not my fault that my smartphone died, in hindsight it is my fault I didn’t have SMS set up for two-factor authentication as well. However, the email account it’s attached to is on my own domain, which I’ve owned since 2003. I wasn’t using Dropbox with a free Gmail or Hotmail account. With the right documents, it would take all of 5 minutes for them to verify my identity, and in my opinion that’s taking two-factor authentication too far — especially if other companies like Google and Blizzard are willing to help you access an account you had set up for two-factor authentication but can no longer access.

Long rant story short: if you have a Dropbox account set up with two-factor authentication, make sure you have the SMS option enabled as well, and keep the backup code somewhere you can reach without your phone, in case your phone dies or some other unfortunate incident causes you to lose access to the two-factor authentication app on your device.
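To make concrete why an authenticator-app code cannot be regenerated once the phone is gone, and what the backup code is for, here is an added example (written for this page, not Dropbox’s or Google Authenticator’s own code) of the two mechanisms involved: the time-based one-time password algorithm from RFC 6238 that apps like Google Authenticator implement, and the hashed one-time backup codes a service hands out at enrollment. The phone and the server share a single secret at enrollment and each independently recomputes the same six-digit code from it; the server never sends the secret back, so losing the phone means losing your only copy. The 30-second step, 6-digit length and ±1-step drift window are the common defaults and are assumptions here, as are the backup-code format and the hypothetical helper names.

```python
"""TOTP (RFC 6238) plus hashed backup codes, as used by authenticator-app 2FA.

Added example, not Dropbox's code. The test secret below is the one published
in RFC 4226/6238 so the printed codes match the RFCs' own vectors.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for a single counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """Time-based code: HOTP over the current `step`-second window (RFC 6238)."""
    if now is None:
        now = int(time.time())
    return hotp(secret, now // step, digits)


def verify_totp(secret: bytes, code: str, now: Optional[int] = None,
                step: int = 30, window: int = 1) -> bool:
    """Server-side check that tolerates +/- `window` steps of clock drift.

    compare_digest keeps the comparison constant-time; a plain == would leak
    how many leading digits matched.
    """
    if now is None:
        now = int(time.time())
    counter = now // step
    return any(hmac.compare_digest(hotp(secret, counter + drift), code)
               for drift in range(-window, window + 1))


def enroll() -> tuple[bytes, str]:
    """Fresh 160-bit shared secret and the base32 form a QR code would carry."""
    secret = secrets.token_bytes(20)
    return secret, base64.b32encode(secret).decode()


def hash_backup_code(code: str) -> str:
    """Normalise then hash, so the stored value is useless if the database leaks."""
    return hashlib.sha256(code.strip().lower().encode()).hexdigest()


def issue_backup_codes(n: int = 10) -> tuple[list[str], set[str]]:
    """One-time recovery codes: the user gets the plaintext, the server keeps hashes."""
    codes = [secrets.token_hex(5) for _ in range(n)]          # 10 hex chars each (assumed format)
    return codes, {hash_backup_code(c) for c in codes}


def redeem_backup_code(stored: set[str], code: str) -> bool:
    """Accept a code once, then burn it so it cannot be replayed."""
    digest = hash_backup_code(code)
    if digest in stored:
        stored.discard(digest)
        return True
    return False


if __name__ == "__main__":
    rfc_secret = b"12345678901234567890"                       # RFC 6238 test vector secret
    print(totp(rfc_secret, now=59))                            # 287082, per the RFC
    print(verify_totp(rfc_secret, "287082", now=89))           # True: one window old, inside drift
    print(verify_totp(rfc_secret, "287082", now=119))          # False: two windows old

    # Enrollment: the phone scans qr_payload; the server stores secret plus hashes.
    secret, qr_payload = enroll()
    plain_codes, stored_hashes = issue_backup_codes()
    # After the phone dies, `secret` exists only server-side, so a backup code is the way in.
    print(redeem_backup_code(stored_hashes, plain_codes[0]))   # True
    print(redeem_backup_code(stored_hashes, plain_codes[0]))   # False: already consumed
```

The point the lockout story turns on is visible in `enroll` and `totp`: nothing about the six-digit code is derivable from your email address, your password, or your desktop client session, only from the shared secret, and the page’s FAQ position is simply that the server will not give that secret back or bypass it. The backup code is the designed escape hatch, which is why it needs to live somewhere other than the phone.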

Have you been locked out of your Dropbox account because your phone crashed or otherwise could no longer access the authenticator or mobile phone you had SMS authentication attached to? Do you think Dropbox’s two-step verification policy is fair by having no recourse to recover an account without two-factor authentication? Let us know in the comments below, or on Google+, Twitter, or Facebook.
