Instagram Working on Stronger 2FA That Won't Use Your Phone Number

SIM hijacking, when a hacker takes over your phone number to break into your online accounts, is a real problem. As Motherboard found in an in-depth investigation published Tuesday, Instagram users with novel handles are particularly at risk, with hackers sometimes stealing those Instagram accounts to sell for thousands of dollars worth of bitcoin.

With great timing, Instagram is now introducing a more robust form of two-factor authentication, one that uses an app on the user’s smartphone rather than by sending a text message. The move, if implemented in a certain way, will make it much harder for hackers to break into Instagram accounts.

“We’re continuing to improve the security of Instagram accounts, including strengthening 2-factor authentication,” an Instagram spokesperson told Motherboard in an email.

On Tuesday, Jane Manchun Wong from UMass Dartmouth tweeted several screenshots of the app-based two-factor authentication setup. The process seems like the standard affair, with Instagram walking users through the process, as well as recommending an authentication app to users if they don’t already have one installed (many apps can check what other software is installed on a phone). The screenshots say Instagram recommends the Google Authenticator app, but it is also compatible with other authentication apps, like Duo Mobile.

How secure a user’s account actually will be depends on the specifics of how Instagram deploys its new form of two-factor authentication. If the user still has to have a phone number linked to their account and two-factor options, then they—or potentially a hacker—can still simply request to receive a text message to access the account instead. Motherboard was unable to independently test whether it is possible to remove the SMS option from Instagram altogether—the new option is not yet available for all users—but the tweeted screenshots do show an on-and-off toggle for text messages.

Any decision on that front, however, is one likely heavily rooted in usability concerns: if a user loses their smartphone, or uninstalls the app, and doesn’t have some sort of alternative way to access their account, they may get locked out altogether. (Instagram does provide users with a list of backup codes they can screenshot or write down when setting up two-factor authentication more generally.).

Considering SMS is steadily emerging as the weak chain in a number of different attacks, more companies will likely deploy app-based authentication. Users might want to take advantage of that, too.