Multi Factor Authentication: How it Works and How Instagram Hackers Bypass It

Elool Jacoby, Co-Founder of Notch



In Notch’s analysis of our “How I Got Hacked” series, in which we interview victims of Instagram hacks, we identified commonalities among the victims and concluded that 44.4% of the victims could have prevented hacks through the use of Multi-Factor Authentication (MFA).

So, we thought it only appropriate to discuss MFA in more detail. It’s important to acknowledge that everyone, of all shapes and sizes, is susceptible to falling victim to hackers, and that hacks can, in turn, destroy businesses and communities. Therefore it’s crucial to take proactive steps to prevent such outcomes.

MFA is a valuable layer of protection that will slow down, if not stop, many hacking attempts - but, evidently, not enough creators use it or fully understand what it is.

There’s also a harmful misconception that having MFA set up makes you invincible against hacks - unfortunately many creators with MFA still end up getting hacked - just ask Jessica Wenjia or What The Fab.

By the end of this article, you’ll understand how MFA helps to secure your Instagram against hacks, how to set MFA up for your Instagram, and equally importantly - how you can still get hacked even with MFA. Let’s dive in.

What is Multi-Factor Authentication?

Multi-factor Authentication (MFA) is an authentication method that requires the user to provide two or more verification factors to gain access to a resource such as an online account. Two-factor authentication requires exactly two factors of verification. Think of both as a way of adding layers of security to an account.

How do you set up Multi-Factor Authentication?

Instagram, like many other online platforms, offers the ability for a user to add MFA to their account. In this case, Instagram uses two-factor authentication (2FA), creating a two-step verification method. Their process works by requiring a verification code, sent via text to your mobile phone, whenever there's a login attempt from an unrecognized location or device.

This means that logging into your account consists of two steps: first entering your password, and then entering the verification code. Instagram’s full guide on how to activate 2FA and how it works can be found here - alternatively, just watch the video below.

Why should you activate Multi-Factor Authentication?

The security of your online platforms matters. As you have seen with the analysis of our ‘How I got hacked’ series, 44.4% of the hacks could have been prevented by using unique passwords and multi-factor authentication. The implications of these Instagram hacks are real: not only do we see the mental toll on victims, but also the damaging impact and destruction for their businesses.

And, while MFA will not stop every attack, it certainly creates a much more difficult barrier to entry for an attacker.

Verizon’s recently published 2022 Data Breach Investigations Report (DBIR) summarized that compromised credentials are the main path to a data breach. Essentially, credentials such as passwords are the main way an attacker can gain access to your account.

The beauty of MFA is that if your password was obtained, the hacker would still have to verify through two-factor authentication in order to pass Instagram’s authentication. It all boils down to reducing as many areas of vulnerability as you can, to make life as difficult as possible for a hacker.

The limitations of Multi-Factor Authentication

So at this point you may be thinking that MFA makes sense and is all you need to protect your account. However, this unfortunately is not the case - so don’t get complacent with your Instagram security. Although MFA is another layer of security, it is not a perfect solution. MFA, like every security tool, is not unhackable.

General ways in which MFA can be exploited include techniques such as social engineering, SIM swapping attacks, technical manipulation, physical attacks and a mixture of two or more methods. KnowBe4 have published an article which goes into greater detail.

A prime example of MFA being bypassed can be seen with Jessica Wenjia’s case. The lifestyle influencer, who has over 166,000 followers, received a message from her friend’s account. Her friend wrote that she needed urgent help, and asked Jessica for her mobile number (which was her vector for verification) and later the code that got sent her way.

Conversation with a hacker
Screenshot courtesy of Jessica Wenjia

Her friend’s account, she later discovered, had been stolen by a hacker who was using it as a launchpad to hack other creators. Oblivious to the scam, Jessica sent over the code - highlighting how scarily effective social engineering is and how it can completely undermine multi-factor authentication.
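A simplified model of the two-step login described earlier, added here as an illustration (it is not Instagram's code, and every name and limit in it is hypothetical). It shows that a stolen password alone stops at the code step on an unrecognized device, and that the server can only match the code to the pending login, not to the person who typed it:

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL = 300      # seconds a code stays valid (assumed value)
MAX_ATTEMPTS = 5    # wrong guesses allowed per pending login (assumed value)


class TwoStepLogin:
    """Toy model of password + SMS-code login; not any platform's real code."""

    def __init__(self, password, trusted_devices):
        self._salt = secrets.token_bytes(16)
        self._pw_hash = self._hash(password)
        self.trusted = set(trusted_devices)
        self.pending = {}     # device_id -> [code, expiry, attempts_left]
        self.sms_outbox = []  # stands in for texts sent to the owner's phone

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def start(self, password, device_id, now=None):
        """Step 1: check the password; unrecognized devices trigger a code."""
        now = time.time() if now is None else now
        if not hmac.compare_digest(self._hash(password), self._pw_hash):
            return "denied"
        if device_id in self.trusted:
            return "logged_in"
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[device_id] = [code, now + CODE_TTL, MAX_ATTEMPTS]
        self.sms_outbox.append(code)  # delivered to the owner's phone number
        return "code_required"

    def verify(self, device_id, code, now=None):
        """Step 2: the code is matched to the pending login, not to a person."""
        now = time.time() if now is None else now
        entry = self.pending.get(device_id)
        if entry is None or now > entry[1]:
            self.pending.pop(device_id, None)  # unknown or expired
            return "denied"
        if not hmac.compare_digest(code, entry[0]):
            entry[2] -= 1                      # count the wrong guess
            if entry[2] <= 0:
                del self.pending[device_id]    # lock out this attempt
            return "denied"
        del self.pending[device_id]            # codes are single use
        return "logged_in"
```

Expiry, attempt limits and single use narrow the window for guessing, but none of them help once the owner reads the code out to someone else, which is why the code should never be shared with anyone.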


If MFA can be bypassed, how do I protect my Instagram from hackers?

The 2FA function implemented within Instagram is definitely something to activate; however, as mentioned above, this should be implemented alongside measures such as using complex unique passwords.

Just as important is being hyper alert about social engineering and phishing, and understanding how they work. When looking at how Cuddle Buddy’s Instagram was hacked, Richie unfortunately fell for a fake email from “Instagram” offering the blue tick verification. Hackers use multiple other phishing tactics, which you can learn about in this article. Also consider taking Google’s phishing quiz to educate yourself on this topic.

Insurance for your Instagram: The only way to truly protect your business


The unfortunate reality is that no matter how much we try to stay secure, no measure will ever guarantee 100% protection against hacks. Hackers target content creators of all sizes and are only getting more sophisticated. That’s why Notch - the first ever insurance against hacks for Instagram creators - was born.

With Instagram insurance, creators finally have a way to protect their content businesses and get peace of mind.  


To conclude, here’s our simple framework for stronger Instagram security against hacks:

  1. Use strong, unique passwords - integrate these within a password manager
  2. Enable 2FA on Instagram
  3. Train yourself and any user who manages your account on phishing techniques
  4. Get Instagram insurance
