Instagram is working on two-factor authentication without SMS
Instagram is working on two-factor authentication that uses a security code generated by an app such as Google Authenticator instead of one sent via SMS. The method is not new, but it was not available on the service until now.
Instagram confirms to TechCrunch that it is working on the feature, after Twitter user Jane Manchun Wong had earlier found clues in the APK of the Android app. The ability to generate a code for two-factor authentication via an app is not new and is available for many services. However, according to TechCrunch, it was missing from Instagram, which only introduced two-step authentication in 2016. At that time, the service already had 400 million users. This form of authentication is an additional layer of protection, so that, for example, a stolen password alone is not sufficient to get into an account.
The news follows an article by Motherboard in which the site describes the practice of acquiring and selling sought-after accounts on Instagram and Twitter, among others. For example, very short account names or certain words are very popular and can be sold on internet marketplaces for significant amounts. Account takeovers reportedly often occur through SIM swaps or port-out scams, in which an attacker uses social engineering on a carrier's customer service team to have a target's phone number transferred to a SIM card in the attacker's possession. The attacker then receives the SMS codes sent for two-factor authentication and gains access to the account.
Several companies are phasing out SMS for two-factor authentication, including Google. The US NIST said in 2016 that it considers SMS unsuitable for authentication purposes.