Add1son's Blog

A place for pondering, planning and projects

Instagram 2 Factor Authentication is Broken

Reviewing some security settings on everyone’s favorite photo sharing app revealed to me some inadequacies in the security policy and implementation of Instagram.

Realizing that the setting lay dormant in my account information I decided to go ahead and implement what Instagram calls 2 factor authentication. Doing so didn’t prompt me to scan a QR code or choose an authentication app standard to TOTP (Time Based On Time Password), instead I was told that a phone number was required. I confirmed my phone number and received a text message. To make sure that no other setting was present I went back through the menu and realized this was the only option and had the code re-sent. When the code was sent back to my phone via SMS it was the same code despite a ~2 minute window passing by which indicates to me that this password may or may not be set to roll at a set interval. After this a standard screen was presented with backup codes so that if I were to no longer have access to the phone number in question I could still login to my account. This completed the setup of “2 factor authentication” within the Instagram application.

The problem with this being, NIST (National Institute of Standards and Technology) has ruled that 2 factor authentication is not to be done over a SMS message (TechCrunch Story NIST Digital Identity Guidelines). Accounts continue to get compromised via stolen / social engineered fraudulently issued SIM cards and this poor implementation just proves to be a security weak point in one of the most used applications on modern smartphones today. This reaches an interesting point of contention that is, how do you get companies to care about your security and the security of your data? Instagram provides a page with “security tips” including enabling 2 factor authentication but doesn’t seem to have an address to contact with these security concerns. All in all “The Register” provides a great article about this titled “Standards body warned SMS 2FA is insecure and nobody listened” published late 2016. Industry will continue moving forward with implementing 2 factor authentication for end users but hopefully in the future the options for authentication are more abundant than just a SMS code.

More information on sites that support 2FA @ https://twofactorauth.org/