Engineering Manager at Dropbox here. Sorry for the confusion! This is an error on that page, presumably some miscommunication between groups at Dropbox. 2FA continues to be an available feature for all Dropbox users. The only difference between plans is that team plans allow administrators to require 2FA for all members of the team. That page will get updated soon to explain that feature properly.
Just to close the loop here, we’ve updated the page to include a checkmark for 2FA in the Pro column too. Again, all account types can use 2FA (and we recommend that they do!), and teams can additionally require 2FA for all their members.
I'm not 100% sure what that is about, but I'm pretty sure it relates to new functionality for migrating data from existing file servers.
The API at https://www.dropbox.com/developers works for all account types. (Note that there are endpoints specific to team accounts when the functionality only makes sense there, like methods to add or remove members from a team, etc.)
I'm sure Dropbox is going to get a lot of flak for this. 2FA based on the provider that they use may not have been cheap. Authy is $0.09 an auth; if you integrate with Twilio, you get SMS charges that vary in price based on country / provider.
The easiest/cheapest solution is to roll your own TOTP and build an app. This is useful for web, but may be pointless on mobile (if the mobile device is unlocked, then you have access to the TOTP app or SMS).
Business people probably looked at the cost per user and couldn't offer it at a lower rate.
You wouldn't need to roll your own app. Just use the Microsoft Authenticator app or the Google Authenticator app; they're the same thing and don't require a direct connection to the user account. Lots of articles on the net on how to accomplish this kind of thing for $0 in extra services.
Isn't 2FA by SMS bad though? You hear a new case almost every week of someone whose telco was socially engineered to gain access to their phone number linked 2FA/account recovery.
Bad is relative, it is bad compared to other more secure methods. But if you can't guarantee that your users have a smartphone, SMS is still a needed option.
They upgraded "Pro" accounts to "Advanced" accounts without cost changes for ~1 year. After that you will have to pay $4.25 more per month for the "Standard" plan in order to keep MFA.
"To give you the most powerful admin control and security features, we’ve upgraded you to Advanced at no extra charge. You’ll keep your original pricing until January 6, 2018. After that, your account will adopt our new storage plans and pricing. If you want to downgrade to Standard, you’ll have until January 6, 2018 to do so."
You're conflating a few different plans here -- "Standard" and "Advanced" are for teams only (minimum of 5 people). The only paid plan available for individuals is "Pro", which no longer offers TFA.
Hmm, I have no idea then. I just renewed my $99 personal account a few weeks ago. Not a business account from what I can tell. Invoice: http://imgur.com/eUpsaem
My account still shows Pro, not Advanced. Also, why didn't I get any emails from DB about this? Maybe they are rolling things out gradually and my account is not affected yet.
This is sad news. While they've had their issues, I've always found Dropbox to be one of the more responsible and reliable tech companies. Supplying 2FA for only paid users almost seems like they're taking hostages - "Pay us more or your account will be less secure" doesn't sound like a company whose services I would want to be using. Shame.
Not seeing anything about this. When I clicked the link I got pushed to a re-subscribe page since I previously signed up. Opening in Incognito also doesn't show anything about 2FA.
EDIT: Screenshots provided below now. They already rolled the page back.
The paid "pro" plan has no 2FA. "standard" does, but is a few extra dollars a month.
Besides the poorly named accounts, the idea of paying for security is a good one, but not when it affects the customer experience of securing their own passwords. Security in the infrastructure is an option. Optionally securing my account using 2FA is not.
That's the kicker to me as well. It suggests that Dropbox doesn't appreciate their self-employed customers.
That and showing prices "per month" on the billed annually plan just suggests deceit and greed. All of this confusion for an extra ~$25 per year per user.
The $25/user/year increase is if you downgrade to "Standard". To keep the existing features, you need to select the "Advanced" plan, which is a $115/user/year increase!
See https://www.dropbox.com/help/363 for more information.