Guide

How to Enable Two-Factor Authentication on Dropbox

Dropbox stores files you cannot afford to lose: documents, photos, backups, and sensitive personal and business data. A compromised Dropbox account can expose all of this content to an attacker, and because Dropbox syncs across devices, a breach can happen silently without any obvious signs. Two-step verification (Dropbox's name for 2FA) adds a critical extra layer of security to your account.

How to Enable 2FA on Dropbox

  1. Sign in to dropbox.com and click your avatar in the top right corner.
  2. Click Settings.
  3. Click the Security tab.
  4. Under "Two-step verification", click Enable.
  5. Click Get started and enter your Dropbox password to confirm.
  6. Choose your method: Use a mobile app (recommended) or Use SMS.
  7. For the mobile app option: scan the QR code with your authenticator app, enter the 6-digit code to verify, then click Next.
  8. Dropbox asks you to add a backup phone number for SMS recovery; enter one and verify it.
  9. Dropbox provides a 16-digit emergency backup code. Write it down or save it securely before clicking Done.

Important: The 16-digit backup code is shown only once. If you lose it and lose your 2FA device, Dropbox may not be able to restore your account. Store the code somewhere permanent, like a password manager or physical safe.

Dropbox 2FA Methods

Mobile Authenticator App (Recommended)

Dropbox works with any TOTP-compatible authenticator: Google Authenticator, Authy, Microsoft Authenticator, 1Password, and many others. After entering your password, Dropbox asks for the 6-digit code currently displayed in your app. The code rotates every 30 seconds and works without an internet connection. This is the most secure everyday option.

SMS Text Message

Dropbox can send a verification code to your registered phone number. This works as a fallback but is less secure than an authenticator app, primarily because SMS codes can be intercepted through SIM-swap attacks. Use SMS only if you have no other option.

Hardware Security Keys

Dropbox supports security keys via FIDO2/WebAuthn for personal and Business accounts. You plug in or tap a hardware key when prompted. This is the most phishing-resistant option and is recommended for business accounts or anyone with highly sensitive files.

Two-Step Verification for Dropbox Business Teams

Dropbox Business admins can enforce two-step verification for all team members. In the Admin Console, go to Security → Two-step verification and select the enforcement level: optional, required for admins only, or required for all users. When enforcement is turned on, users who have not yet enabled 2FA will be prompted to do so the next time they sign in.

Dropbox App Passwords

If you use older third-party apps that connect to Dropbox and do not handle 2FA prompts correctly, Dropbox allows you to generate app-specific passwords. These bypass 2FA for that specific app while keeping your main account protected. You can create and revoke app passwords from the Security tab in your account settings.

Lost Access to Dropbox 2FA?

At the sign-in screen, click Trouble signing in? to access recovery options. You can use your backup phone number (SMS recovery), your 16-digit emergency backup code, or contact Dropbox support. For Business accounts, your team admin may also be able to reset 2FA for your account. If none of these work, Dropbox support requires identity verification before granting access.

Why Dropbox Accounts Are Worth Protecting

Dropbox is where many people store their most sensitive files: tax documents, contracts, personal photos, business data, and sometimes even password lists or ID documents. A compromised Dropbox account gives an attacker access to everything you have ever saved there, potentially including files shared with colleagues or clients. Unlike a social media hack, a Dropbox breach can expose years of private documents in seconds.

Emergency Recovery Codes: The Most Important Step

When you enable 2FA on Dropbox, you are given emergency backup codes. These are the only way to recover your account if you lose access to your authenticator app and your backup phone number. The Dropbox community forum is filled with users permanently locked out of accounts they held for years because they did not save their backup codes.

Dropbox's position is unambiguous: if you lose both your 2FA method and your backup codes, they cannot help you. Their support team has confirmed in writing that they do not have a process for unlocking accounts when all authentication methods are lost. Save your backup codes the moment you enable 2FA, and store them in a password manager or encrypted file.

2FA on Dropbox for Teams

Dropbox Business and Teams administrators can require 2FA for all team members through the Admin Console under Security settings. When 2FA is enforced at the team level, members who have not enabled it will be prompted to do so on their next login. Admins can also see which team members have 2FA enabled and send reminders to those who have not set it up.

Frequently Asked Questions

Does enabling Dropbox 2FA log me out of all devices? No. Enabling 2FA does not terminate existing sessions. However, any new sign-in on any device will require the 2FA code going forward.

Can I use Dropbox 2FA with a hardware security key? Dropbox does not natively support hardware security keys. The available options are authenticator apps and SMS only.

What happens to my Dropbox 2FA if I get a new phone? Transfer your authenticator accounts first before wiping the old phone. If you have already wiped the old phone, use your emergency backup codes to log in, then disable and re-enable 2FA to set it up on your new device.