Dropbox 2fa

Locate 2FA Setting

After logging in, click on your Dropbox avatar in the upper-right of any page to open the account menu. Click ‘Settings’ from the drop-down. On the next page, select the ‘Security’ tab.

A Dropbox account. If two-step verification is not enabled in your Dropbox account, continue with the next procedure to enable it. If two-step verification is already enabled, skip to Step 2.

Step 1: Enabling two-step verification. Sign in to your Dropbox account. Click your profile picture in.

Overview

The LoginTC AD FS Connector protects access to your Microsoft Active Directory Federation Services (AD FS) by adding a second factor LoginTC challenge to existing username and password authentication. The LoginTC AD FS Connector provides a LoginTC multi-factor authentication (MFA) method to your AD FS deployment, used by your Dropbox Enterprise account.

Dropbox got this right in my view. Adding app-based 2FA for mobile smartphone users for whom securing accounts is a top priority, and continuing to allow SMS-based 2FA, so that those who have.

Use Dropbox in the taskbar/menu bar. If you have a computer that automatically signs you in to your Dropbox account, then you don’t need two-step verification to sign in. Click the Dropbox icon in your taskbar (Windows) or menu bar (Mac), and then click the globe icon to open dropbox.com.

Subscription Requirement

Your organization requires the Business or Enterprise plan to use the LoginTC AD FS Connector. See the Pricing page for more information about subscription options.

User Experience

After entering the username and password into the AD FS login page, the user is shown a selection of second factor options. The user clicks a button to receive a LoginTC push notification, authenticates and is logged in.

Architecture

Authentication Flow

  1. A user attempts access to Dropbox with username / password
  2. A SAML request is made to AD FS
  3. The username / password is verified against an existing first factor directory (i.e. Active Directory)
  4. The request is trapped by LoginTC AD FS Connector and an authentication request is made to LoginTC Cloud Services
  5. Secure push notification request sent to the user’s mobile or desktop device
  6. User response (approval or denial of request) sent to LoginTC Cloud Services
  7. The LoginTC AD FS Connector validates the user response
  8. User is granted access to Dropbox

Prerequisites

Before proceeding, please ensure you have the following:

  • Dropbox configured with federation to your on-premise AD FS
  • LoginTC Admin Panel account
  • Active Directory Federation Services (AD FS) Host, Microsoft Windows Server 2016 (or Windows Server 2012)

Working Dropbox Federation Deployment

Verification

It is strongly recommended that you have a working Dropbox with federation against your on-premise AD FS prior to adding LoginTC multi-factor authentication. Please see the guide, How do I connect Dropbox to AD FS 3.0 for single sign-on (SSO) to configure your Dropbox to use your on-premise AD FS.

Create Application

Start by creating a LoginTC Application for your deployment. An Application represents a service (e.g. VPN or web application) that you want to protect with LoginTC.

Create a LoginTC Application in the LoginTC Admin Panel by following the Create Application Steps.

If you have already created a LoginTC Application for your deployment, then you may skip this section and proceed to Installation.

Normalize Usernames

Usernames in AD FS are typically in the form “CORP\john.doe”, while in the LoginTC Admin Panel it is generally more convenient to simply use “john.doe”.

Configure Normalize Usernames from the Domain settings by navigating to Domains > Your Domain > Settings.

Select Yes, Normalize Usernames, then scroll down and click Update.

Installation

  1. Download the latest version of the LoginTC AD FS Connector
  2. Run the installer file as a privileged administrator user on the Windows Server with the AD FS role. Also ensure that the AD FS service is running prior to installing.
  3. Press Next
  4. Read the License Agreement and press Next if you accept the terms.
  5. Change the LoginTC API Host only if you have a private enterprise LoginTC deployment. Press Next.
  6. Enter your LoginTC Application ID and Application API Key. These values are found on your LoginTC Admin Panel. Press Next.
  7. Press Install. Note that the AD FS service will be restarted during installation and may be temporarily unavailable to your users.

AD FS Configuration

Windows Server 2016 (AD FS version 4.0)

The instructions below are for AD FS (version 4.0) running on Windows Server 2016. If you have AD FS (3.0) running on Windows Server 2012 R2, see AD FS Configuration in Two-factor authentication for AD FS on Windows Server 2012 R2.

To configure your AD FS to use the LoginTC MFA method:

  1. Open the AD FS Management console.
  2. Click on the Services > Authentication Policies directory in the left side menu.
  3. Click on Edit Global Multi-factor Authentication…
  4. Check LoginTC in the list of MFA methods.
  5. Click on Relying Party Trusts in the left side menu
  6. Select the Relying Party you wish to add LoginTC MFA to
  7. Click on Edit Access Control Policy… under Actions in the right sidebar
  8. Select an access control policy that uses MFA (e.g. Permit everyone and require MFA)
  9. Press Apply and OK

Your AD FS login will now present the user with a secondary LoginTC authentication page.

Usage

User Usage

The user proceeds to the Dropbox sign-in page as they normally would, where they enter their username.

The user is brought to your on-premise AD FS where they are prompted to enter their username and password.

After successfully authenticating with their username and password, the user is presented with options to log in with LoginTC. The user may select to authenticate using LoginTC push, bypass codes, or OTPs.

If the user selects LoginTC push, they are informed to approve the LoginTC request on their device. The user is also presented with an option to remember their LoginTC login choice. The next time the user logs in they will automatically receive a LoginTC push notification. The user may also cancel the login attempt and return to the login page.

The user receives a push notification on their device where they have provisioned their LoginTC token.

After successfully authenticating with LoginTC, the user is redirected back to Dropbox.

Logging

The LoginTC AD FS Connector logs events to the Microsoft Event Viewer under Applications and Service Logs → LoginTC. In some cases, it may be helpful to also look at the general AD FS logs under Custom Views → ServerRoles → Active Directory Federation Services.

Uninstallation

To uninstall the LoginTC AD FS Connector, navigate to Add or remove programs in the Windows Control Panel, find LoginTC AD FS Connector in the list and follow the prompts.

Prior to Uninstalling

Prior to uninstalling the LoginTC AD FS Connector, ensure that the LoginTC MFA method is not being used in any of your AD FS authentication policies. The uninstallation will fail if the LoginTC MFA method is being used in any of your AD FS authentication policies.

Troubleshooting

Email Support

For any additional help, please email [email protected]. Expect a speedy reply.

Online file-backup and storage service Dropbox has begun offering a two-step authentication feature to help users beef up the security of their accounts. The promised change comes less than a month after the compromise of a Dropbox employee’s account exposed many Dropbox user email addresses.

Dropbox users can take advantage of the new security measure by logging in at this link, and then clicking the “Security” tab. Under account sign in, click the link next to “Two-step verification.” You’ll have the option of getting a security code sent to your mobile device, or using one of several mobile apps that leverage the Time-based One-Time Password algorithm.

If you’re already familiar with the Google Authenticator app for Gmail’s two-step verification process (available for Android/iPhone/BlackBerry) this is a no-brainer: When prompted, open the app and create a new token, then use the app to scan the bar code on your computer screen. Enter the key generated by the app into your account settings on the site, and you’re done. Other supported apps include Amazon AWS MFA (Android) and Authenticator (Windows Phone 7).

Note that Dropbox users will need to download the latest version of the Dropbox client (1.4.17 on Windows/Mac) to access their files via the Dropbox desktop software interface after enabling two-step authentication.

Some readers have asked which method of two-step verification is more secure: Text message or mobile app? Text messages are perhaps faster and easier, but they introduce yet another potential avenue of compromise: The mobile provider. In a recent attack against the chief executive of Cloudflare, for example, miscreants were able to break into the executive’s Gmail account even though he had instructed Google’s 2-step verification feature to send codes to his phone. That attack succeeded because the miscreants were able to trick a customer service representative at his mobile phone provider — AT&T — into forwarding his messages to another account.