Dropbox Security

Those who use Dropbox and worry about its security depending solely on a password and don't mind living on the Beta-release bleeding edge may be interested in the latest build of the Dropbox client (1.5.12). This includes 2-factor authentication. The passcode, either generated by Google Authenticator or sent to you by SMS, has to be supplied whenever you supply your password, which means whenever you link a new machine to Dropbox.

https://forums.dropbox.com/topic.php?id=66910

It seems to work at least as far as generating a code and letting you log in.

I don't think it provides much additional security against Dropbox's server-side security being compromised. If Dropbox were to allow the bad guys to access their authentication database then the bad guys would have the plaintext of the shared secret for the one-time password generator. The bad guys would then trivially be able to generate passcodes. Your security would then rely on the strength of the hash function used to store passwords and the strength of your password in the face of a brute-force offline attack on that hash function, as before. I also don't think it protects you against an active attacker who can access your security credentials. If the attacker has the ability to steal your credentials, by reading the local security state or in some way attacking the protocol between you and Dropbox, then they can masquerade as the machine whose credentials they have access to and bypass the two-factor stage. Dropbox doesn't seem to have any way to stop the client from storing security tokens: you cannot get it to ask for fresh authentication each time it starts up, and it doesn't appear to have any TPM support.

It does protect you against an attacker able to run a keylogger and able to coerce you into reauthenticating, but not able to otherwise read your security state.

A risk it also mitigates is an attacker who obtains your username/password pair from another insecure site, possibly one that you care about less than Dropbox, and then finds that you've used the same username/password on Dropbox. For large-scale deployments of Dropbox to less security-aware staff this might be very useful.

ian