Instagram will upgrade two-factor authentication to guard against SIM hacking

Instagram accounts are worth stealing. Now at 400 million users including celebrities, brands, and artists making a living, it’s time to add another lock to its doors. In November I wrote that “Seriously, Instagram Needs Two-Factor Authentication”, and a tipster just told me they’ve spotted it in testing. Today, Instagram confirmed to me that it’s beginning to roll out two-factor authentication.

The tool allows Instagram users to verify a phone number. Then, if anyone tries to log into your account with your email and password, you’ll be texted an authentication code that must also be entered to gain access to your account. That means hackers need more than your email and password that could be guessed, stolen, or tricked out of you with a phishing scam.

Instagram is working on a two-factor authentication solution that would not require a user’s phone number, according to a report from TechCrunch. Instagram has confirmed that it’s working on the more secure method, just hours after a prominent Motherboard investigation on SIM hacking was published earlier today. Like other social media platforms, the upcoming option will let you authenticate with code-generating apps like Google Authenticator and Authy.

Though Instagram’s confirmation was likely prompted by the investigation, it appears that the company has been working on moving beyond phone numbers for some time. Engineer and tipster Jane Manchun Wong discovered a prototype version of the updated two-factor feature in the Android version of Instagram’s APK code and publicized it yesterday on Twitter.

While Instagram had made two-factor available to a select group of users previously, the extra layer of protection is now available to all. Two-factor isn’t a security cure-all, but it does make it that much harder for someone to illicitly access your account. With two-factor on, they’d need access to your phone, or to take the extraordinary step of spoofing or stealing your SIM card. It’s especially important if you store and share sensitive images on Instagram, either in your private feed or through direct messages.

Right now, Instagram lets you recover your account and log in on new devices so long as you can confirm your identity via a phone number associated with your account. But, as the Motherboard article makes clear, a growing new form of online theft has resulted in hackers illegally gaining access to a user’s phone number and tying it to a new SIM card. They do so by using a bit of information like a social security number, perhaps leaked during one of countless data breaches, to trick a telecom customer service agent into reassigning a phone number to a new SIM.

From there, the hackers can extort a victim for financial gain, or they can use the phone number and its recovery benefits to reset Amazon, Instagram, Twitter, and other accounts. Specifically, hackers are targeting rare and lucrative Instagram and Twitter handles because those go for high sums on virtual underground markets, Motherboard reports.

Many tech companies have built tools to protect against the vulnerability of SMS-based two-factor authentication. For instance, Google has its Authenticator app that uses a randomly generated numeric code with a strict time limit, and Facebook now uses a similar tool built into the Facebook app itself. It’s good to see Instagram now following suit.

Instagram today also introduced a system to flag and blur mature content. A “review team” screens any photos or videos that users report to Instagram, and determines whether they need a filter to hide what’s underneath. Think of it as the opaque plastic shields that some grocery stores put in front of especially racy Cosmo covers, but in your feed. To reveal what’s underneath, just tap.

 
