Instagram adds support for third-party authenticators to let you bypass text-based 2FA
Two weeks after an unusually high number of users broadcasted complaints of hacked accounts, Instagram is giving users more ways to keep their accounts secure — and view information about other accounts they interact with.
Instagram is adding an “about this account” tab for some prominent accounts, which will tell users when and where an account was created. Instagram is also enabling support for third-party authenticator apps like Duo Mobile and Google Authenticator so Instagram users can get a login verification code sent to these apps, instead of by text message.
The changes were announced in a blog post attributed to Instagram cofounder and CTO Mike Krieger.
“Our mission is to bring you closer to the people and things you love. That closeness can only happen if Instagram is a safe place,” Krieger wrote.
The ability to use a third-party authenticator app has already started rolling out, and will be available for all users globally in the coming weeks. In order to enable the feature, users have to go to the two-factor authentication page under their settings tab and select “authentication app.”
If they have an authentication app already installed, Instagram will automatically send a login code to it. If users don’t already have a chosen authentication app, they can choose one from the App Store or Google Play Store.
Instagram hinted that it would add more two-factor authentication options earlier this month. The announcement came several days after a Mashable story reported on Instagram users taking to Reddit and Twitter with similar tales of their accounts being hacked.
Users told Mashable that their accounts were hacked by a Russian email address. The hacker then changed the user account name and deleted any existing photos and/or videos — not posting any new photos or videos of their own.
More disconcertingly, some users said that they had SMS two-factor authentication enabled on their accounts when they were hacked.
In July, Motherboard also reported of a case of SIM hijacking that allowed hackers to take over the phone number and the account of an Instagram user who had two-factor authentication installed.
Adding support for third-party authenticator apps is an important first step in creating stronger 2FA options, but relying on third parties comes with its own risks. Instagram doesn’t have any control over changes made to authenticator apps, and can only offer limited assistance if a user gets locked out of his or her account.
With the new “about this account” tab, users will be able to see the date, the account was created, the primary country location associated with the account, any active ads being run, and any username changes in the past year. This is essentially the same information that Facebook already displays on its “info and ads” tab for Pages.
Account holders will have the ability to hide primary country location — an Instagram spokesperson said that this is to protect users who may be put in harm’s way by revealing their country location, but that the information included in “about this account tab” will evolve over time.
Instagram said that this tab will be added to accounts that have “potential to reach large audiences.” However, a spokesperson declined to say specifically how the platform will determine which accounts fall into this category.
Starting in September, accounts that will be affected by this change will be able to review the information that will be displayed, before it’s available for users to view publicly.
As part of today’s news, Instagram also said that it’s released a new verification form globally, where accounts can apply for that coveted “verified” checkmark — and signal to users that they’re not run by hackers.
Source: VentureBeat