When Dropbox acknowledged its recent data breach last week, the company noted that it will be adding a range of security solutions in an effort to prevent such a breach from occurring again. One of the technologies that Dropbox plans to implement is two-factor authentication, which requires another identifying item beyond your username and password to grant you access to your account.
The second item in two-factor authentication can be any one of a range of technologies: a smart card that needs to be swiped, a USB flash drive or other mobile device that contains security certificates, a one-time password token like RSA’s SecurID, or a biometric input like a fingerprint scan.
One company has another interesting option, however: your location.
Toopher is a startup that’s focused on making two-factor authentication easy and seamless. Rather than relying on physical or digital tokens, Toopher relies on your location data. The service works through a free mobile app that is available for Android; an iOS version is in the works.
When you install the app and link it to your Toopher account, you’re asked to select a location, such as your home or office, that will be used in place of a physical or digital token. When you access a resource that requires two-factor authentication, your iPhone or other device uses location services to determine whether or not you’re at your secure location. If you are, then entering standard login credentials like a username and password will grant you access. If you’re not, then access will be denied.
The technique isn’t that different from using geofencing to set Reminders in iOS 5.
It’s also very similar to the approach that some mobile management solutions use when granting access to corporate resources based on a mobile device’s location. If a device is located on or near company grounds, it can be assumed to be in use for legitimate work purposes. If it’s located clear across the country from any company office, there’s a good chance that the device might have been stolen and therefore should be denied access to sensitive business data.
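The location check described above, for both the trusted-location second factor and the mobile management case, can be sketched as a deny-by-default geofence test. This is an added example, not Toopher's code or any vendor's; the record types, function names, age and accuracy thresholds, and coordinates are all assumptions made for illustration.

```python
import math
from dataclasses import dataclass
from typing import Optional

EARTH_RADIUS_M = 6_371_000

@dataclass
class TrustedLocation:          # hypothetical: the place the user enrolled
    lat: float
    lon: float
    radius_m: float             # size of the geofence around it

@dataclass
class LocationFix:              # hypothetical: what the device reports
    lat: float
    lon: float
    accuracy_m: float           # uncertainty radius reported with the fix
    timestamp: float            # Unix time the fix was taken

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two lat/lon points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))

def location_factor_ok(fix: Optional[LocationFix], trusted: TrustedLocation,
                       now: float, max_age_s: float = 120,
                       max_accuracy_m: float = 100) -> bool:
    """Deny by default: no fix, a stale fix or a vague fix all fail."""
    if fix is None:
        return False
    age = now - fix.timestamp
    if age < 0 or age > max_age_s:      # future-dated or too old (assumed limit)
        return False
    if fix.accuracy_m > max_accuracy_m:  # too imprecise to trust (assumed limit)
        return False
    dist = haversine_m(fix.lat, fix.lon, trusted.lat, trusted.lon)
    # Require the whole uncertainty circle to sit inside the fence.
    return dist + fix.accuracy_m <= trusted.radius_m

def grant_access(password_ok: bool, fix, trusted, now: float) -> bool:
    """Both factors must pass: the credentials and the location check."""
    return password_ok and location_factor_ok(fix, trusted, now)

# Constructed sample values, not real coordinates of any user or office.
HOME = TrustedLocation(lat=30.0, lon=-97.0, radius_m=150)
NOW = 1_700_000_000.0
```

A fix about 111 m from the enrolled point passes with 20 m of reported uncertainty but fails with 50 m, because part of the uncertainty circle then falls outside the 150 m fence.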