We are aware of the issue with the badge emails resending to everyone, we apologise for the inconvenience - learn more here.
Forum Discussion
Is there an ultimate recourse for 2FA deactivation ? (entirely locked out of my account)
Hi there,
The situation is simple: I used to have dropbox and stopped using it years ago. Now i'd like to come back. I have lost access to my account and have no recovery option available at all.
- I don't own any device that is still connected to the account through the app
- I don't own any device that still has the 2FA token installed on an authentication app
- I don't have the 2FA recovery codes anymore
- I have changed phone number since then
So this is a case where I have no solution at all to regain access, which is ok. It's my fault, and there is no data loss involved at all.
That being said, now that I'd like to come back, I'd ideally like to use my main email address / historic account.
My question therefore is:
Is there a team inside the Dropbox company that can, on a case-by-case basis, turn off 2FA for a lost account ?
I understand that this would only be on very select case-by-case basis because otherwise it opens up potential attack vectors.
I also understand that this is my fault and no one else's so I'm not here to assign blame or to complain.
I'm just wondering if there is a team inside the Dropbox company that does that.
I can provide a ton of proof of my identity, my ownership of the email address (and of the domain name that email address is on), my being the original user (with IP addresses used at the time and other information), etc.
Also, I have access to the email address of the account in question (it's my main address) and I have the valid password for it.
So, are there any documented cases of such a thing being possible ?
Microsoft once saved my ass during a similar situation after a catastrophic business IT event, although that was with a paid account. In the case of this issue here, I'm not a paying customer anymore, alhough I was and would like to be again...
If no solution exists, I'll simply use another email address and create a new account, although I'd prefer to find a solution and regain access to the account based on my main email.
Thank you everyone for your time, cheers !
PS: I have already contacted the support team (in my country, not the english-speaking support) and they keep answering with boilerplate "use your recovery codes / your phone number" eventhough I've explained what I just laid out here, so I'm simply here in the hopes that I can get an unambiguous "yes" or "no" answer to the question of whether or not an ultimate, case-by-case recourse procedure exists.
Bumping the thread for future readers in search of a definitive/authoritative answer on that question.
Dropbox support finally gave me an unambiguous answer, and it's a no.
They do not have a process for unlocking accounts if you lose all your means of access as described in my original post. So, if you do, you're done.
Excerpt from the exchange I had with them (translated from the original language):
"""
For security reasons, we can't disable 2FA for you because your email address isn't proof enough of your identity. If you can't use your 2FA code and don't know you recovery codes, we can't help you in accessing your dropbox account
"""
Note that there is still some wiggle room where they say "your email address isn't proof enough", when I told them I could provide much, much more proof of identity and ownership of the account, BUT it seems to me that their internal processes stop there when it comes to account recovery for reasons other than death of a user (see prior messages in this thread for details on that).
- Rich
Super User II
nodesk wrote:
Is there a team inside the Dropbox company that can, on a case-by-case basis, turn off 2FA for a lost account ?
You can try contacting Support, but without access to the emergency backup codes it's very unlikely that you'll be able to gain access to the account again. Ultimately, you enabled a system to prevent access to the account without an authorization code, and now you're trying to sign in without that code. It would be a pretty big security issue if Dropbox bypassed that.
To contact Support, visit the Support page while you're NOT signed in to a Dropbox account, including these forums, and you'll see an option for sign in issues. It's best to use an Incognito or Private browsing session to make sure you're not signed in.Yes, you are correct on all points.
One thing that should be 100% impossible is for a company that says the user's data is encrypted with unknown-to-them keys, to be able to decrypt the data. Obviously, that would indicate they're not being truthful.
In this particular case though it's not about the data but rather about reseting the 2FA codes or disabling them entirely, which the company surely has the ability to do, although it may be entirely out of their procedure, which I would find perfectly understandable. As you said, that can open potential avenues for foul-play and not every company may want to have such a procedure exist at all, eventhough it would be technically possible.
One last thing to consider is: deceased person account recovery.
I unfortunately have had to go through that procedure myself not so long ago. Dropbox, like many companies (I don't know if it's a legal obligation or not), have procedures for people to recover access to deceased people's account, provided you can show legal proof that the person is indeed deceased and that you are a spouse, a heir or a person with legal authorisation to access the defunct's account.
In my family's case, we followed the procedure, and Dropbox did indeed provide us access to my relative's account eventhough it was a 2FA protected account that we didn't have access to.
So this is just another anecdotal but relevant information to drive the point that technically, they can do it.
But of course, in this case, I'm still alive and kicking 🙂
Anyways your point still stands. Thank your for your suggestions, I have a ticket open already.
Cheers 🙂
-----
For reference:
https://help.dropbox.com/en-en/account-settings/access-account-of-someone-who-passed-away
Bumping the thread for future readers in search of a definitive/authoritative answer on that question.
Dropbox support finally gave me an unambiguous answer, and it's a no.
They do not have a process for unlocking accounts if you lose all your means of access as described in my original post. So, if you do, you're done.
Excerpt from the exchange I had with them (translated from the original language):
"""
For security reasons, we can't disable 2FA for you because your email address isn't proof enough of your identity. If you can't use your 2FA code and don't know you recovery codes, we can't help you in accessing your dropbox account
"""
Note that there is still some wiggle room where they say "your email address isn't proof enough", when I told them I could provide much, much more proof of identity and ownership of the account, BUT it seems to me that their internal processes stop there when it comes to account recovery for reasons other than death of a user (see prior messages in this thread for details on that).
My dropbox account got hacked this morning. The hacker logged into my dropbox, changed the password AND SET UP 2 factor authentication on THEIR device. They also canceled my original Dropbox Plus subscription & changed my account settings by adding "Pay App" to my dropbox account. So now when I try to reset my password, it sends a code to their autenticator app, preventing me from being able to change my password & regain account access.
Please help! I've reached out to support many times, but only get generic reply messages with vauge support links that often tell me to sign in....wish I could! Thanks
