Instagram is working on a two-factor authentication solution that would not require a user’s phone number, according to a report from TechCrunch. Instagram has confirmed that it’s working on the more secure method, just hours after a prominent Motherboard investigation on SIM hacking was published earlier today. Like other social media platforms, the upcoming option will let you authenticate with code-generating apps like Google Authenticator and Authy.
Though Instagram’s confirmation was likely prompted by the investigation, it appears that the company has been working on moving beyond phone numbers for some time. Engineer and tipster Jane Manchun Wong discovered a prototype version of the updated two-factor feature in the Android version of Instagram’s APK code and publicized it yesterday on Twitter.
Instagram is finally working on token-based two-factor authentication!!
Thank you Instagram! I have been waiting for this since 2016! We finally won’t have to rely our account’s security on SMS! pic.twitter.com/u0iIPTaZO2
— Jane Manchun Wong (@wongmjane) July 17, 2018
Right now, Instagram lets you recover your account and log in on new devices so long as you can confirm your identify via a phone number associated with your account. But, as the Motherboard article makes clear, a growing new form of online theft has resulted in hackers illegally gaining access to a user’s phone number and tying it to a new SIM card. They do so by using a bit of information like a social security number, perhaps leaked during one of countless data breaches, to trick a telecom customer service agent into reassigning a phone number to a new SIM.
From there, the hackers can extort a victim for financial gain, or they can use the phone number and its recovery benefits to reset Amazon, Instagram, Twitter, and other accounts. Specifically, hackers are targeting rare and lucrative Instagram and Twitter handles because those go for high sums on virtual underground markets, Motherboard reports.
Many tech companies have built tools to protect against the vulnerability of SMS-based two-factor authentication. For instance, Google has its Authenticator app that uses randomly generated numeric code with a strict time limit, and Facebook now uses a similar tool built into the Facebook app itself. It’s good to see Instagram now following suit.