Someone would need to not only have possession of your phone, but your password as well. So for a hacker to work this:
First, get your password. Second, find your location. Third, steal your phone, which for most people, is almost always on their person. Finally, crack whatever security mechanism you have on your phone.
For someone to go through all that trouble ... you must be storing some very valuable info. If that's the case, may I suggest that Dropbox is probably not the right platform? In fact, any internet connected platform is probably not the right answer.
No. First, get password. Second, get phone number. Third, pretext to gain control of the account and forward/copy texts, view them via web interface, or replace the phone.
The point isn't the security mechanism, but for consumer products the point is physical location. Without two factor authentication, a sweat shop in China could hack you (and thousand others) easily. With two-factor authentication they would need physical proximity to you, so they won't even try.
First, get your password. Second, find your location. Third, steal your phone, which for most people, is almost always on their person. Finally, crack whatever security mechanism you have on your phone.
For someone to go through all that trouble ... you must be storing some very valuable info. If that's the case, may I suggest that Dropbox is probably not the right platform? In fact, any internet connected platform is probably not the right answer.