Verification friction: a security code to an old phone or unreachable inbox can lock you out
Ongoing pattern
Dropbox sends one-time verification codes for new-device or unusual logins, but when the code goes to an outdated phone number or an inbox the user can no longer reach, legitimate owners report being unable to sign in — and the questionnaire-based recovery often fails.
What happened
Beyond opt-in 2FA, Dropbox triggers extra verification — a six-digit code by email or SMS — when it detects a new device or unusual login. The mechanism protects accounts, but it strands legitimate users when the destination is stale: a code sent to a phone number the user no longer owns, or to an email account they have lost access to. Community threads describe users who never receive the code, click a verification link that does nothing, or cannot pass the fallback.
Dropbox's documented recourse is a recovery questionnaire in which a user answers as many account-specific questions as possible, or a manual identity check by a specific support department. Users widely report that this path is slow and frequently unsuccessful, especially for older accounts where they cannot recall enough detail. The result is a verification system that, by design, can refuse the real owner while having no fast, reliable way to tell them apart from an attacker.
This entry documents a pattern aggregated from user reports and set against Dropbox's official verification guidance; it describes a recurring friction point rather than a single dated event.
Impact
Identity-verification lockouts hit exactly the users least equipped to recover — those who changed phones or emails and didn't update Dropbox first — and route them into the same slow, hard-to-reach support documented across this category. When the questionnaire fails, the practical outcome is the same as a 2FA lockout: a legitimate owner permanently separated from their files.