Introducing WebAuthn support for secure Dropbox sign in

The easiest way to keep a secret is to not tell it to anyone. Unfortunately passwords don’t work that way. Every time you sign in you have to tell the website your password, making it more challenging to keep the secret safe. That’s why we recommend turning on two-step verification for your account, which adds an extra layer of difficulty for anyone who has guessed, eavesdropped on, or tricked you into giving them your password. And it’s why we’re excited today to announce support for WebAuthn (“Web Authentication”) in two-step verification, a new standard for strong authentication on the web.

In most forms of two-step verification, a user enters a one time code after providing their username and password, and before being signed in. While easy to adopt, using one time codes for two-step verification has weaknesses. For example, a fake Dropbox sign in page could ask for your username, password, and the two-step code. That’s why Dropbox was one of the first services to adopt Universal 2nd Factor (U2F) for security keys in 2015. Security keys prevent phishing by giving Dropbox cryptographic proof that you both have your key and are using it on (instead of a phishing page).

Introducing WebAuthn
This cryptographic proof makes U2F security keys a very strong form of two-step verification, but adoption of U2F has been limited by browser and hardware support. We hope WebAuthn will change that. It’s a new way to interact with security keys and other “authenticators” that standardizes and builds on key parts of U2F, the result of a collaboration between the W3C and FIDO Alliance. While for years only Chrome supported U2F, browser vendors have committed to bringing WebAuthn to Chrome, Firefox, and Edge. More and more devices will have WebAuthn support built in, bringing stronger security to the many users who don’t own special security keys. These could include your laptop or phone, which might prompt you for your fingerprint or a PIN code as part of the authentication process. But this only matters if services actually let you use WebAuthn to securely sign in. Today, Dropbox is proud to help lead the way.

What does this mean for me?
You’ll now be able to use more types of security keys on more browsers for two-step verification. That starts with support for security keys in Firefox 60, releasing on May 9th. You can use security keys previously registered with U2F and register new ones with WebAuthn. Chrome and Edge support for WebAuthn will be coming soon, and you can still use your security keys in Chrome today with U2F.

This means that as a user, you’ll enjoy much stronger sign in security on more browsers. Unlike passwords, the secrets used in WebAuthn never leave your security key, so they are significantly harder to steal. And before using a secret to authenticate to Dropbox, the security key checks that you are signing in to the right place. You can feel confident when signing in that it’s really us, and we can be confident it’s really you.

Will this replace passwords?
Right now, we’re using WebAuthn to make it easier for you to add an extra level of security to your account. A natural question is if we still need passwords too. Your credentials could be stored on a device like your phone, laptop, or security key, and services could use WebAuthn to sign in to your account after you scan your fingerprint or input a PIN on the device. There are still many security and usability factors to consider in these scenarios before replacing passwords entirely, and we believe that enabling WebAuthn for two-step verification strikes the right balance for most users right now.

How do I use WebAuthn?
To start using security keys that support WebAuthn on Dropbox, take a look at our Help Center article.

Curious to know more?
We collected a few helpful references with more technical details for you below: