Child Item

Potential security problem with Google Sign-In, even with 2FA when accessing my account.

I have an Android phone with a Google account. If I install the Dropbox app, the login screen prompts me to use Google Sign-In to log in to my Dropbox account. If I accept, I get automatically logged in without needing my username and password. If I activate 2FA beforehand from my PC and then use Google Sign-In, then I get an SMS code in the same phone where I'm trying to log in from.

This means that, even if I don't use Dropbox on my phone and only use it from my PC, anyone who has access to my phone could download the Dropbox app and access my account without needing my username and password, even if 2FA is activated.

I'd appreciate if anyone could tell me if I'm doing something wrong and this is normal behavior, or if this is a security problem, and in either case, how can I avoid it and completely disconnect my Google and Dropbox accounts from each other. Thank you!

Find more posts tagged with

Security

Account Access

Disagree

Accepted answers

Rich

@icab_80 wrote:
Ideally what I want is to completely disable Google Sign-In ...

There is no option for that within Dropbox.

Auto sign-in is disabled ... Despite this, it still lets me auto sign-in in the Dropbox app.

This sounds like an issue with your Google account or phone, rather than a problem with Dropbox. If you're signing in with Google and Google isn't allowing you to confirm the sign-in, that's on Google. Dropbox can't control that.

Perhaps it's happening because you've already signed in using Google and allowed access, so it's remembering that connection and just signing in. If so, disable the connection between Google and your Dropbox account (in your Google account settings).

Fix your Google auto sign-in and your issue is resolved.

All comments

Megan

Hey @icab_80, welcome to our Community!

Let me ask a few things, to make sure we're on the same page.

You mentioned "If I activate 2FA beforehand from my PC and then use Google Sign-In, then I get an SMS code in the same phone where I'm trying to log in from". Is 2FA currently enabled for your Dropbox account?

I'm asking because if 2FA is enabled on a Dropbox account, you'll still need to enter a Dropbox multi-factor authentication code before logging in with Google. Is this not the case when you use your mobile app?

Let me know more, and we'll take it from there!

icab_80

Hello Megan,

Thanks for your reply and apologies for the massive delay in getting back to you, I completely forgot about this.

Yes, 2FA is enabled in my Dropbox account, and yes, this means that I am asked for a multi-factor authentication code before logging in with Google. This is perfect when signing in from my PC: I enter my Dropbox password and the 2FA code that is sent to my phone.

The problem is that when I sign in using the Dropbox app on my phone, then the 2FA code is again sent to the same phone, and even automatically entered into the dialog box without me doing nothing, so it serves no security purpose.

Combined with the fact that Google Sign-In removes the need to enter my Dropbox account, this means that anyone that gains unauthorized access to my phone can download the Dropbox app and use Google Sign-In to access to my Dropbox account, simply by entering the 2FA code sent to the phone. There must be something that I'm doing wrong, because otherwise it's a massive security problem.

Thanks again for your help!

Rich

@icab_80 wrote:
There must be something that I'm doing wrong, because otherwise it's a massive security problem.

Are you not securing the device itself?

icab_80

Hello Rich,

Thanks for your reply. Yes, the phone is secured with the usual screen lock, but if someone were to bypass that, nothing would stop them from gaining access to my Dropbox account, even if I'm signed out and the app is uninstalled, simply by reinstalling it and using Google Sign-In. I'm no security expert by any means, but I don't think that should be possible.

Rich

@icab_80 wrote:
Yes, the phone is secured with the usual screen lock, but if someone were to bypass that ...

Disable the auto sign-in on your Google account so you have to provide confirmation before signing in, use a secure passcode for the device itself, and don't use SMS for the Dropbox two-step verification. Use an authenticator app that you can further secure.

Any service is only as secure as the weakest link. If you're that worried about the device being compromised, you shouldn't have anything set up for auto sign-in, and you shouldn't be using a simple SMS message for multi-factor authentication.

icab_80

Hello Rich,

Thanks for your advice. Auto sign-in is disabled on my Google account, and there are no passwords saved in Google's password manager. Under the third party apps settings in Google, "Sign in prompts" is also disabled. Despite this, it still lets me auto sign-in in the Dropbox app.

As for your suggestion of using an authenticator app instead of SMS for 2FA: it's sound advice, but Google's Authenticator app cannot be further secured, it can be accessed like any other app. I'm not sure if other authenticator apps can be secured with passwords or other features.

Ideally what I want is to completely disable Google Sign-In, or alternatively, have no access to my Dropbox account from my phone. As it stands right now, this is not possible: because of Google Sign-In, anyone with access to my phone automatically has access to my Dropbox account, whether 2FA is enabled or not, with SMS or an authenticator app.

Thanks for your help.

Rich

@icab_80 wrote:
Ideally what I want is to completely disable Google Sign-In ...

There is no option for that within Dropbox.

Auto sign-in is disabled ... Despite this, it still lets me auto sign-in in the Dropbox app.

Fix your Google auto sign-in and your issue is resolved.

icab_80

Hello Rich,

I'll try fixing it with Google. Thanks for all your help.

Kind regards