Dropbox's two-factor authentication and what happens when it fails (Update)

Some time ago, Dropbox offered two-factor authentication. This means that you need to prove that you are in possession of something that only the owner of the account has. This is usually a mobile phone, but it can also be an application that generates a unique code.

This type of authentication adds another layer of security on top of the classical username and password authentication.

For a reason that has not been explained, Dropbox apparently started about a day ago to force the passwords of users who have activated two-factor authentication to expire. An affected user is forced to reset the password in order to access the account. When trying to log in, the user receives an email with the subject “Please update your expired Dropbox password” and is asked to click a link in order to reset the password.

We noticed that you recently tried to log in to Dropbox with a password that you haven’t changed in a while. Your old password has expired and you’ll need to create a new one to log in.

The only information provided is that the password is old and needs to be changed.

Until the password is changed, any application or service using the affected user's Dropbox account will not be able to log in. The error message is very generic, pointing toward an unknown error on the website. The HTTP status code returned by the web server appears to be 500, a generic internal server error that is usually returned when a service is unavailable.

Once the user resets the password, there is a second email with the subject “Dropbox password reset confirmation” and the text:

You recently requested a link to reset your Dropbox password.
Please set a new password by following the link below:

After clicking the link and resetting the password, the user still has to go through the two-factor step and receive an SMS code to complete the login.

For more than 5 hours today, September 12, between 16:30 and 21:36 GMT+1, the two-factor authentication service did not function, potentially preventing all users who have two-step authentication enabled from logging in. After that, the service started to function only partially, allowing logins on the website but not via the Dropbox application.

The error received did not point toward the authentication service, but login was not possible. An account without two-step authentication enabled could log in without problems.

In the Dropbox forums, the thread “500 Error- Connecting” first reported the problem four days ago, and the thread “Getting Error 500 when resetting the expired password” about a day ago.

Only later did a Dropbox employee report that the problem was fixed, but as we can see, it is not.

In the same forum, another thread started a day earlier asked “Who decided to expire my password?”, pointing to exactly the same behavior described at the beginning of this article.

Is this behavior something that Dropbox introduced recently? There is no information on their blog or on the forums.

Was the Dropbox site hacked, were passwords stolen, and is that why they are forcing everybody to reset their password? Probably not, because in that case they should have done this for all accounts, not only for those with two-factor authentication enabled.

Did they experience another bug like last time, when any user could access any other Dropbox account?

Or is it only a way to annoy the users?

We will see soon whether a Dropbox official bothers to answer the questions in the forum.

As a temporary workaround, disable two-step authentication until the problem is completely solved, and turn it back on as soon as it is.


Update:

One hour later, Dropbox posted in the forum that they had fixed the problem:

We pushed another fix that we believe should resolve the issue, but would like to confirm with you. Sorry for the trouble. The issue was related to how we were handling non-English languages during authentication.


Sorin Mustaca

Data Security Expert