Two-factor authentication (also called two-step verification and 2FA) is a security measure for online accounts that requires a password and an additional code — and, until now, Instagram’s implementation of 2FA wasn’t as secure as it could have been. After security researchers’ many complaints, Instagram is finally introducing the ability to receive login codes through an app, instead of over text message. SMS messages are a less secure way to verify someone’s identity because mobile accounts are vulnerable to SIM hijacking, an increasingly prevalent hack.
The company announced today that it is currently rolling out support for third-party authentication apps, and it will make the feature available to its 1 billion users “in the coming weeks.”
Hackers have attacked Instagram many times over the past year. SIM hackers are known to target desirable Instagram usernames (like “@Rainbow”) and gain access to the accounts by taking control of the user’s phone number and routing all of the victim’s texts and calls to a different SIM card. Hackers then sell hijacked Instagram handles for thousands of dollars’ worth of bitcoin. A number of Instagram users who were hacked said they had two-factor authentication enabled and Instagram didn’t warn them that their two-factor settings had been bypassed, changed, or disabled. These victims only realized they’d been hacked when they found that their accounts’ handles and avatars had been changed, and their accounts’ associated email addresses had been switched to ones with Russian .ru domains.
While support for authentication apps is certainly an improvement over Instagram’s previous text message–based 2FA, Instagram — along with PayPal, Twitter, and others — still allows users to reset passwords over SMS, even though this form of verification has documented vulnerabilities.
An Instagram spokesperson confirmed the app will continue offering the option to reset your password via SMS, but did not address the vulnerability it poses.
That’s why you should add a PIN (the longer, the better) to your mobile account, *in addition to* adding app-based authentication to your Instagram account.
Here is a guide on why you should create a mobile carrier PIN that has shortcuts to how-tos for T-Mobile, AT&T, Verizon, and Sprint customers. Adding a PIN will make your mobile account more secure in the first place, and reduce the likelihood of a hacker being able to steal your Instagram account or extort you to regain access to it.
To set up two-factor authentication via app on Instagram (something everyone should do), first you need to download a third-party authenticator app, if you haven’t already.
Using an authenticator app is much better than using text messages for two-factor authentication. Apps work even if you’re traveling abroad and your phone is offline or just connected to a Wi-Fi network (SMS only works when your device has an active cellular connection). It’s also more secure because the codes can’t be intercepted by a hacker.
You can choose from several apps. Google Authenticator, free for iOS and Android, is a very simple, bare-bones authentication app. You set it up, and it spits out a login code. There’s a countdown timer indicating how long the code is valid for, and that’s about it.
Other apps offer a few more bells and whistles. Two such apps are Duo, which lets users hit “approve” through a push notification instead of copying a code, and Authy, which gives you access to login codes on desktop (you typically get them through an app on your phone). Both support Touch ID on iPhones for even more security.
It doesn’t matter which authentication app you download — just that you do, and set it up for every account that will support it (including Google, Facebook, Amazon, Dropbox, and Twitter).
Next, open Instagram and go to “Settings.”
You’ll find Settings by going to your profile and tapping the top-right menu icon. Settings will be on the bottom right.
Scroll down and tap “Two-Factor Authentication.” If you don’t have two-factor already set up, tap “Get Started.”
Enable “Authentication App” by tapping the slider to the right of it. Follow the instructions. That’s it!*
*Don’t forget to save your backup codes in a safe space, just in case your phone is ever lost or stolen.
In order to add more transparency around accounts with large followings, Instagram is also adding an “About This Account” option in the “...” menu on the top right of every profile page for popular accounts.
Instagram’s parent company, Facebook, recently removed hundreds of fake accounts designed for political meddling that were associated with Russian and Iranian political influence operations. “About This Account” appears to be Instagram’s effort at preventing the same kind of large-scale coordinated manipulation scheme on its platform.
The About This Account page includes what date the account joined Instagram, where the account is located, former usernames, the ads the account is running, and accounts with followers in common. The feature is rolling out to users in the coming weeks, after accounts with large followings have a chance to review the information.