Yubico’s U2F-compliant YubiKeys provide an additional secret beyond your password for when you access Dropbox. The extra layer of protection is called a second factor. So even if your username and password (first factor) is stolen, hackers cannot get into your account without having possession of your YubiKey (second factor). The only way someone could get in to your account would be to have both your password and your physical key — not very likely.

A stolen YubiKey is useless without the account username and password. No secrets are stored on the key. If a key is lost, a new key can be added to a Dropbox account and the lost key deleted. Dropbox users can be assured their account is secure when they activate what Dropbox calls two-step verification.


What’s the Secret

The YubiKey 4 (and YubiKey 4 Nano), the YubiKey NEO (and YubiKey NEO-n), and the U2F Security Key, support the emerging FIDO Alliance standard called U2F (Universal Second Factor). U2F uses something called public key cryptography, which involves using a really hard math problem to create a pair of keys used to verify access to an app, such as Dropbox. The key pair is one portion of the strong authentication equation: “something you know” (such as your username/password) and “something you have” (such as a YubiKey). You just plug the Yubico device into your USB port, enter your existing username and password, then touch the YubiKey button when prompted. There is no installation of software required and there is no battery to charge.


How To Use Your YubiKey as a Security Key for Dropbox

Congratulations, you have a U2F YubiKey! So how do you set it up to protect your Dropbox accounts? Follow these easy instructions and you’ll be protected with the simplicity of YubiKey two-factor authentication in no time!

Requirements

  • Latest version of Google Chrome browser (or at least version 38)
  • A YubiKey 4, YubiKey Nano, FIDO U2F Security Key, YubiKey NEO, or YubiKey NEO-n
  • One finger (the YubiKey button is a capacitive sensor, not a biometric)
  • A Dropbox Account

Setting Up Your Dropbox Account

  1. Set up Two-Step Verification for your Dropbox account, if you have not yet done so. This is also where you will set up your mobile device as a back up.
    • If you already have Two-Step Verification set up, click your account name, then the Security tab, then continue step 8.
    • To set up Two-Step Verification, in your Chrome browser, click your account name, then click Settings and continue to step 2.
  2. Click the Security tab.
    Dropbox: Enable two-step verification
  3. Click Enable, read the information in the message box that appears, and then click Get started.
  4. Enter your password, and click Next.
    Dropbox: How would you like to receive verification codes
  5. This step specifies how you will access Dropbox if you don’t have your YubiKey with you. Click Use text messages, and then click Next. Note that we recommend that you have a second YubiKey for backup so that you can always access your accounts – similar to how you have an extra copy of your keys for your house and car.
    • You can also use Yubico Authenticator or Google Authenticator as your backup to authenticate to your account.  Under Backup Options, click Add a phone number.
  6. Enter your phone number, and click Next.
  7. Enter the six-digit security code you received as a text message on your mobile phone, and click Next.
  8. Do one of the following:
    • If you want to set up a backup mobile phone, enter the number and click Next. A text message will be sent to the backup phone. Enter the code you received as a text message, and click Next.
    • If you do not want to set up a backup mobile phone, click Next.
  9. You also have a backup code that you can use to gain access to your account. This is an additional mechanism to use if you do not have access to your YubiKey or your phone. Copy this backup code and put it in a safe place.
  10. Click Enable two-step verification. Review the message and click Done.
  11. Now you are ready to register your YubiKey as your two-step verification device.  Click Security Keys,  and then click Add.
  12. Enter your password, and click Next.
  13. This is the really cool part! Click Begin setup.
    Dropbox: Begin setup to add a security key
  14. Insert your U2F YubiKey, wait a few seconds, and then click Key inserted.
  15. When you see the message “Scanning for security key,” your U2F device should start to flash. Wait for it to blink, and tap the YubiKey button. Your YubiKey is now registered to your account as your default Two-Step Verification device!
    Dropbox: Scanning for security key
  16. Click Finish.
  17. The screen now displays that you have a security key registered to your account.
    • To add another key, click Edit and repeat the steps by clicking Begin setup, and then following the prompts.
    • If you accidentally lose a YubiKey, click Edit, identify the key you want to remove from the account, and click X. However, remember that no one could log in to your Dropbox account because they would still need to know your username and password.

Logging in to Your Dropbox Account

Logging in to your Dropbox account with your YubiKey is refreshingly simple.

  1. The next time you need to login to your Dropbox account, enter your user name and password, and click Log in.
  2. When prompted for 2-Step Verification, insert your YubiKey, wait for it to blink, and then tap it.
    Dropbox login

    • If you want to trust this computer, so you do not have to insert your YubiKey each time you log in, check the box to Trust this computer. (Note that you are trusting this computer always if you check this box.)
    • If you do not have your YubiKey with you, click Use mobile authenticator instead. You can then use either an SMS text message (or one of the other backup authentication methods you saved).

Congratulations!  Your Dropbox account is now secure with Yubico two-factor authentication!


Even Better for Businesses

Dropbox Business is ready for YubiKey out-of-the-box. Find out more about YubiKey and Dropbox Business.

Running Microsoft Internet Explorer or Mozilla Firefox?

Soon adding FIDO-based second-factor verification will be easier on these two platforms as Mozilla is currently building support for U2F and Microsoft is working within the FIDO Alliance to eventually bring support to Windows 10. But for now, there are some additional technical steps to take for Yubikey two-factor authentication if your browser isn’t Google Chrome.

Here is a solution for Dropbox that works with YubiKeys that do not currently support U2F. It relies on free Windows-based or Android-based authenticator apps built by Yubico.

Secure Your Dropbox Account Today

YubiKeys are available worldwide on Amazon and through the Yubico Store.

What is a U2F-compliant YubiKey and how do I get one?

Yubico has three different YubiKeys that support the FIDO Alliance U2F protocol: U2F Security Key, YubiKey Edge and YubiKey NEO. As support for the U2F protocol, which is based on public key cryptography, begins to spread across internet applications, each of these three YubiKey types will work with U2F-enabled applications. The keys are available worldwide from Amazon.com and the Yubico Store.

What version of the Chrome browser supports the U2F-compliant YubiKeys?

You must be running at least version 38 of the Google Chrome browser, which includes support for the U2F protocol. To check the version number, in your browser, click the Chrome menu in the toolbar, then select About Google Chrome. (Support for U2F was added in version 38.)

Does my current YubiKey work with Chrome?

YubiKey Standard and YubiKey Nano do not support the U2F protocol. The Security Key has U2F capabilities as its only supported protocol. Both the Yubikey Edge and Yubikey NEO are multi-protocol devices that include U2F support.

Is the YubiKey a biometric device?

No, the YubiKey is a capacitive sensor. It uses the small bit of electricity naturally in your body to produce a tiny electrical charge that activates the key. There are no false positives or negatives to worry about.

Can I use the U2F YubiKey I have for Gmail and Google apps with Dropbox?

Yes!! The same U2F YubiKey can be used with any number of services and there is no practical limit to the U2F-secured services the U2F Security Key, Yubikey Edge and Yubikey NEO can be associated with.

During the registration process, the key pairs are generated on the device (secure element) but the key pairs are not stored on the YubiKeys. Instead, the key pair (public key and encrypted private key) are stored by each relying party/service that initiated the registration. Therefore, this approach allows for an unlimited number of services to be associated with the U2F-compliant YubiKeys.