2FA should be required to change password, change email and disable 2FA

Matteo R.1, New member | Level 2

2FA is a great thing to have. It is based on the idea that a password alone is not enough to authenticate.

However, if the password of an account is compromised by an unauthorized person, and this person gets access to a signed-in device, they can

- change the password,
- change the email address, and
- disable 2FA

without having to go through 2FA, thus effectively cutting off every means of access for the owner.

What is worse (and this is the personal experience of a colleague here), Dropbox support will not be helpful in regaining access to the account for the legitimate owner. Their comment was simply: "Unfortunately, there may be no action that we can take since the account's email was changed using the legitimate password to the Dropbox account."

I believe that, in addition to asking for the current password, a 2FA code should be required when changing the password or email and when disabling 2FA, as these are very security-sensitive settings.
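The following is an added example of the step-up check the post asks for; it is not Dropbox's code and says nothing about how Dropbox actually implements these settings. It pairs the weak flow (a stolen password on a signed-in device is enough to change the email) with a hardened flow that also demands a fresh TOTP code (RFC 6238, HMAC-SHA1, 30-second steps, 6 digits) for password, email and 2FA changes, and refuses a code that has already been used. The account model, the `hunter2` password, the example addresses and the fixed TOTP secret are all constructed for the example.

```python
"""Step-up 2FA for sensitive account changes (added example, not Dropbox code)."""
import hashlib
import hmac
import secrets
import struct
import time
from dataclasses import dataclass

STEP = 30   # TOTP time step in seconds (RFC 6238 default)
DIGITS = 6  # code length


def hotp(secret, counter):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def totp(secret, now=None):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / STEP)."""
    t = int(time.time() if now is None else now)
    return hotp(secret, t // STEP)


class AuthError(Exception):
    pass


class StepUpRequired(Exception):
    """Raised when a sensitive change is attempted without a 2FA code."""


@dataclass
class Account:
    email: str
    pw_hash: bytes
    pw_salt: bytes
    totp_secret: bytes          # b"" means 2FA is disabled
    last_totp_counter: int = -1  # highest counter already accepted (replay protection)


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def new_account(email, password, totp_secret=None):
    """Constructed account; 2FA enabled with a random or caller-supplied secret."""
    salt = secrets.token_bytes(16)
    secret = secrets.token_bytes(20) if totp_secret is None else totp_secret
    return Account(email, hash_password(password, salt), salt, secret)


def check_password(acct, password):
    return hmac.compare_digest(acct.pw_hash, hash_password(password, acct.pw_salt))


def verify_totp(acct, code, now=None):
    """Accept the current step plus one step of clock skew on each side.
    Each counter may be consumed once, so a captured code cannot be replayed."""
    if not acct.totp_secret:
        return False
    t = int(time.time() if now is None else now) // STEP
    for counter in (t - 1, t, t + 1):
        if counter > acct.last_totp_counter and hmac.compare_digest(hotp(acct.totp_secret, counter), code):
            acct.last_totp_counter = counter
            return True
    return False


def change_email_password_only(acct, password, new_email):
    """The flow the post describes: on a signed-in device the password alone suffices."""
    if not check_password(acct, password):
        raise AuthError("bad password")
    acct.email = new_email
    return acct.email


def sensitive_change(acct, password, totp_code, action, now=None):
    """Proposed flow: current password AND a fresh 2FA code gate every sensitive action."""
    if not check_password(acct, password):
        raise AuthError("bad password")
    if acct.totp_secret:
        if totp_code is None:
            raise StepUpRequired("2FA code required for this change")
        if not verify_totp(acct, totp_code, now):
            raise AuthError("bad or already-used 2FA code")
    return action(acct)


# Actions that the post wants protected by step-up 2FA.
def set_email(new_email):
    def action(acct):
        acct.email = new_email
        return acct.email
    return action


def set_password(new_password):
    def action(acct):
        acct.pw_salt = secrets.token_bytes(16)
        acct.pw_hash = hash_password(new_password, acct.pw_salt)
        return True
    return action


def disable_2fa(acct):
    acct.totp_secret = b""
    return False


def outcome(fn, *args, **kwargs):
    """Summarise an attempt as 'ok', 'step-up' or 'denied' (used by the demo and tests)."""
    try:
        fn(*args, **kwargs)
        return "ok"
    except StepUpRequired:
        return "step-up"
    except AuthError:
        return "denied"


if __name__ == "__main__":
    victim = new_account("owner@example.com", "hunter2")
    # Attacker holds the password and a signed-in session: weak flow lets them lock the owner out.
    print("weak flow:", outcome(change_email_password_only, victim, "hunter2", "attacker@example.com"))
    # Hardened flow: same attacker, no authenticator, is stopped at step-up.
    print("hardened, no code:", outcome(sensitive_change, victim, "hunter2", None, disable_2fa))
    # The owner, with the authenticator app, succeeds.
    print("hardened, owner:", outcome(sensitive_change, victim, "hunter2", totp(victim.totp_secret), set_email("new@example.com")))
```

The replay guard matters in practice: an attacker who shoulder-surfs or phishes one code must use it within the skew window and only once, and the owner's own successful use of a code burns it. A real deployment would also bind the step-up to a short-lived "recently authenticated" flag on the session rather than re-prompting for every click, and would notify the old email address before honouring a change.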

1 Comment

Hey @Matteo R.1, thanks for sharing your thoughts with us!

This idea is going to need a bit more support before we share your suggestion with our team.

We’ve updated the status to encourage more users to back you up!

In the meantime, if you have any other questions or ideas about features that you'd like to see implemented in the future, just give us a shout. Cheers!

Status changed to: Needs more votes

0 votes received