The Security Editor

Hardening Google Drive, iCloud, OneDrive, and Dropbox: a settings checklist

Every major cloud storage service has a handful of settings that determine whether your files stay yours. This article walks through the ones that actually matter on each of the big four providers, and why.

By Alex Trustwell · 5 min read · beginner

The big four cloud storage providers — Google Drive, iCloud Drive, OneDrive, and Dropbox — have reasonable defaults, not strong defaults. The difference is a handful of settings most people never open. This article walks through the settings that actually matter on each, in the order you should change them.

Work through each provider you use. Total time: about fifteen minutes per account.

Google Drive (Google Account)

  1. Run the Security Checkup at myaccount.google.com/security-checkup. Work through every prompt.
  2. Two-factor authentication. Under 2-Step Verification:
    • Add a hardware security key (YubiKey, Titan) as your primary second factor.
    • Add a second hardware key as a backup; store it somewhere separate from the first.
    • Generate and download backup codes, print them, and store them in a safe.
    • Remove SMS 2FA if possible (SMS codes are phishable and vulnerable to SIM swapping).
  3. Advanced Protection Program. If you are a journalist, activist, politician, executive, or just want the strongest posture Google offers, enroll at g.co/advancedprotection. It enforces hardware keys, blocks most third-party apps, and slows down account recovery to resist social engineering.
  4. App passwords. Delete any that exist. Modern apps should be using OAuth, not app passwords.
  5. Connected apps and services. Under Security → Third-party apps with account access, review every app. Revoke any you do not actively use. Each app with Drive access is a potential pivot.
  6. Active sessions. Under Your devices, sign out any device you no longer use, especially any you have sold, given away, or lost.
  7. Drive settings.
    • Settings → Offline — disable unless you need it. Offline mode keeps plaintext copies of your files in the browser profile of every computer where it is enabled.
    • Settings → Managing access for creators — review the link-sharing defaults for your shared folders.
  8. Shared items audit. Go to Drive → Shared → Shared with me and Shared, and review what is shared with whom. Remove anything you only needed in the past.
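An added example, not part of the article: the same audit run as a script over a saved Drive API v3 `files.list` response (fetched with the `fields` parameter shown in the comment), flagging link shares and shares to addresses outside your own. The sample response, the `example.com` addresses and the function names are constructed for this example; the same filtering idea carries over to the OneDrive and Dropbox link audits later in the article.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of a Drive API v3 files.list response fetched with
# fields=files(id,name,modifiedTime,permissions(type,role,emailAddress,allowFileDiscovery)).
SAMPLE_FILES_RESPONSE = json.dumps({"files": [
    {"id": "f1", "name": "tax-2019.pdf", "modifiedTime": "2019-04-02T10:00:00.000Z",
     "permissions": [
         {"type": "user", "role": "owner", "emailAddress": "me@example.com"},
         {"type": "anyone", "role": "reader", "allowFileDiscovery": False}]},
    {"id": "f2", "name": "holiday-plan.docx", "modifiedTime": "2024-06-01T08:30:00.000Z",
     "permissions": [
         {"type": "user", "role": "owner", "emailAddress": "me@example.com"},
         {"type": "user", "role": "writer", "emailAddress": "friend@example.org"}]},
    {"id": "f3", "name": "notes.txt", "modifiedTime": "2024-06-01T08:30:00.000Z",
     "permissions": [{"type": "user", "role": "owner", "emailAddress": "me@example.com"}]},
]})


def audit_drive_sharing(response_json, now, stale_days=365, own_domains=("example.com",)):
    """Return (file name, reason) for every non-owner share worth reviewing: link shares
    always, user/group shares only when the address is outside own_domains."""
    findings = []
    for f in json.loads(response_json).get("files", []):
        modified = datetime.strptime(f["modifiedTime"], "%Y-%m-%dT%H:%M:%S.%fZ")
        stale = now - modified.replace(tzinfo=timezone.utc) > timedelta(days=stale_days)
        for p in f.get("permissions", []):
            if p.get("role") == "owner":
                continue  # the owner entry is you
            if p["type"] == "anyone":
                how = "anyone can find it" if p.get("allowFileDiscovery") else "anyone with the link"
                reason = f"public link, {how}, role={p['role']}"
            elif p["type"] in ("user", "group"):
                email = p.get("emailAddress", "")
                if email.split("@")[-1] in own_domains:
                    continue  # shared with one of your own addresses: skip
                reason = f"external {p['type']} {email}, role={p['role']}"
            else:
                reason = f"{p['type']} share, role={p['role']}"  # e.g. a 'domain' share
            if stale:
                reason += f", file untouched for over {stale_days} days"
            findings.append((f["name"], reason))
    return findings


def sample_findings():
    """Run the audit over the constructed sample as of a fixed date (2024-07-01)."""
    return audit_drive_sharing(SAMPLE_FILES_RESPONSE, datetime(2024, 7, 1, tzinfo=timezone.utc))
```

On real output, every line the script prints is a share to revisit in the Drive UI; the script only reads metadata and changes nothing.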

iCloud (Apple ID)

  1. Two-factor authentication is required for all modern Apple IDs. Confirm at appleid.apple.com that at least one trusted phone number is set and at least one trusted device is signed in.
  2. Turn on Advanced Data Protection. On an iPhone or iPad: Settings → [your name] → iCloud → Advanced Data Protection → Turn On. This changes iCloud Drive, Photos, Notes, Reminders, Safari bookmarks, and most other categories to end-to-end encryption. Before Apple lets you enable it, you’ll be asked to set up an account recovery contact or a recovery key, or both.
  3. Print the recovery key and store it in a safe place. If you lose both your trusted devices and forget your password, this key is your only way back in.
  4. Trusted contacts. Under Account Recovery, designate a trusted contact who can help you reset. Pick someone unlikely to be compromised at the same time as you.
  5. App access review. Under Apple ID → Sign in with Apple, review every app that has sign-in access. Revoke any you don’t use.
  6. Find My. Enable Find My iPhone / Mac on every device. Lost devices can be locked and wiped remotely.
  7. Family Sharing. If you’re in a Family, note that Family members do not see your Drive contents — but they do see purchases and subscriptions by default.

OneDrive (Microsoft Account)

  1. Strong password. Use a long password that is unique to this account and keep it in your password manager.
  2. Two-factor authentication. At account.microsoft.com/security:
    • Use the Microsoft Authenticator app as a primary second factor, or a hardware key (supported for passwordless sign-in on modern Microsoft accounts).
    • Avoid SMS if you can.
    • Generate a recovery code (at account.live.com/proofs/Manage/additional) and print it.
  3. BitLocker recovery key review. Microsoft accounts silently store BitLocker recovery keys for Windows Home Device Encryption. Check account.microsoft.com/devices/recoverykey; you may find keys for devices you have sold. Remove those entries.
  4. Personal Vault. OneDrive’s Personal Vault adds a second factor for a specific folder, and auto-locks after inactivity. Move sensitive documents into it.
  5. Ransomware protection. Under OneDrive settings, enable “version history” (on by default on paid plans) and ensure “Restore your OneDrive” is available (paid plans only).
  6. Connected apps. Review under account.microsoft.com/privacy.
  7. Shared link audit. On the OneDrive website, Shared → Shared by you. Remove old links.

Dropbox

  1. Strong password. Dropbox has had password-related incidents in the past; your password for Dropbox should be unique and long.
  2. Two-factor authentication. Dropbox supports TOTP apps and hardware security keys. Use keys if possible; TOTP as a fallback.
  3. Emergency codes. Generate and print.
  4. Web session and device review. At dropbox.com/account/security, sign out any session or device you don’t recognize.
  5. Shared link audit. At dropbox.com/share/links, review every active link. Disable any you don’t need. Dropbox links that have been shared for years are one of the most common sources of accidental leaks.
  6. Linked third-party apps. Under dropbox.com/account/connected_apps, revoke anything stale.
  7. Version history. Confirm your plan’s version history duration (30 days on free, up to 180 on paid tiers). Do not treat this as a backup.

A universal second step

After hardening the account settings, the next question is whether you want a client-side encryption layer on top of the cloud provider for your most sensitive files. The next article in this topic explains how to do that with Cryptomator without giving up the convenience of the provider you already use.

An annual ritual

Put a reminder in your calendar for this exact checklist, once a year. Accounts drift. Apps get added. Devices change. Shared links accumulate. Fifteen minutes once a year keeps the big four in reasonable shape.