Don’t Be the Next Instagram Hack — Lock It Down with MFA
It’s 2025… you wake up one Sunday morning to a text that reads “Did you mean to post that…?”
This all sounds way too familiar — like the story of someone who hasn’t started using Multi-Factor Authentication (MFA).
Makes you wonder: why is a hacker’s fake post about how wealthy and successful your life has become through trading bitcoin what finally gets your attention? Then, of course, reality hits: we need to make our accounts more secure.
We’ve all seen this happen time and time again. That one friend gets their Instagram hacked, and of course, our first reaction is, “That would never happen to me.” Funny you say that; I’m pretty sure that is exactly what they said when they saw it happen to someone else. And that’s where the problem lies. We watch these moments happen through others’ misfortunes, believe we’re untouchable and can never be affected, and so we don’t take any action. Then, inevitably, one day we are on the receiving end — a flood of texts and calls from close friends and family pouring in saying, “Hey, I think someone hacked your Instagram account.”
Yes, you might get lucky and get notified that someone attempted to log in to your account from somewhere in Australia when, in fact, you are sitting comfortably in your New York City apartment, giving you the opportunity to quickly change your password. But this may not be your story when the time comes.
Why isn’t the fear of losing your account enough to preemptively make it secure?
If you got hacked today, I am not saying it is impossible to get your account back — just that it may be through various inconvenient ways you may not want to deal with. If you have enough patience, saving your account could be as simple as updating your password and locking the hacker out, or… it might involve paying a ransom (crazy, I know, but some people have a huge following and rely on their accounts to influence), or, possibly even worse, jumping through hoops with account support — if they actually help beyond automated emails. And even then there’s no guarantee that you’ll get your account back. So why would you ever want to remain vulnerable to something when there are plenty of great solutions out there that can protect you from hackers?
So, the picture is painted, and I am sure you are here wondering, “How can I prevent this from happening to me?” “I want to be a person of action and want to be proactive,” but you aren’t that techy and don’t have the slightest idea of where to begin. Well, lucky for you, below is a list of different types of authentication that will require, minimally, some second method of authentication outside of your initial password. This extra layer of authentication is considered to be MFA (Multi Factor Authentication). You may have seen online methods like 2FA, 2-step verification (as Google calls it), Two-Factor Authentication (as Instagram calls it), or dual factor, but ultimately, these all fall under the same MFA umbrella. These of course — based on the name (hint hint) — require just two methods, while MFA can involve more.
Ranking from least protective to most:
Security Questions:
- An answer to a question that only you should know, or that is not public. This would be stronger than only having a password, but it is still a high risk: we tend to pick answers that seem personal to us but that we have publicized at some point, making them easy for a hacker to find online.
Text or Phone call:
- A code is sent to your phone via SMS or voice call. While this seems to be the most convenient, it is the least secure, as hackers can now spoof (imitate) your phone number and can intercept text messages through SIM swapping tricks.
Biometric Authentication:
- Uses your face or fingerprint to secure devices, accounts, applications, etc. This is tough to fake, since it requires your physical body to be present at the time, making it very secure. The only downside is that it requires secure hardware that can handle this function.
Authenticator App (Time-Based One-Time Password Applications):
- An application that lives on a device — either computer, phone, or tablet — that provides a code that is generated every 30 seconds or so. Once the timer on that code runs out, it will no longer allow you to use it, making this the most secure option out of all mentioned.
Now that we have gained some understanding of what MFA means and the different options that we have to protect ourselves from malicious intruders, which would you say is the best? (I have already listed them in order 🙂) Yes, you guessed it: utilizing the authenticator app would be the best and most secure option that everyone should be using to protect any and all accounts that we own.
Of course, while education is great and all, and being informed of how we can protect our accounts is valuable, taking action is always the most important part. Are you ready to get your accounts more secure? Below are the top 5 most utilized authentication applications that people love, in no particular order. The best part is that they are also FREE (no, but seriously, they are free). Each application is listed with its corresponding website and setup steps, to make this journey of MFA simpler for you!
Google Authenticator
Website: https://support.google.com/accounts/answer/1066447
Setup Steps:
- Download from Google Play Store (Android) or App Store (iOS).
- Open the app and tap “Get Started.”
- On the site you’re securing (e.g., Gmail), go to Security > 2-Step Verification > Authenticator App.
- Choose “Set Up” and scan the QR code displayed with the app’s camera.
- Enter the 6-digit code from the app to verify and save. Done — codes refresh every 30 seconds.
Microsoft Authenticator
Website: https://www.microsoft.com/en-us/security/mobile-authenticator-app
Setup Steps:
- Grab it from Google Play Store or App Store.
- Open it, tap “Add Account,” and select “Other (Google, Facebook, etc.).”
- On your target site (e.g., Outlook), go to Security > 2-Step Verification > Authenticator App.
- Scan the QR code shown on-screen with the app.
- Input the code it generates, confirm, and you’re set. Bonus: enable cloud backup in Settings.
Twilio Authy
Website: https://authy.com/
Setup Steps:
- Download from Google Play Store or App Store.
- Open Authy, enter your phone number and email, then verify with the code sent.
- On your site (e.g., Dropbox), go to Security > Two-Factor Authentication > Authenticator App.
- Tap “Add Account” in Authy and scan the QR code.
- Enter the code it spits out, save it on the site, and you’re good. Syncs automatically across devices.
Duo Mobile
Website: https://duo.com/product/multi-factor-authentication-mfa/duo-mobile-app
Setup Steps:
- Download from Google Play Store or App Store.
- Open Duo Mobile and tap “Get Started.”
- On your site (e.g., university login or GitHub), go to Security > Two-Factor Authentication > Authenticator App.
- Tap “Add Account” and scan the QR code provided.
- Enter the code it generates, verify on the site, and you’re done. Push notifications optional.
2FAS
Website: https://2fas.com/
Setup Steps:
- Download from Google Play Store or App Store.
- Open the app, tap “Add your first token.”
- On your site (e.g., Instagram), go to Settings > Security > Two-Factor Authentication > Authenticator App.
- Scan the QR code with 2FAS’s camera.
- Enter the 6-digit code it shows, confirm on the site, and you’re locked in. Backup to iCloud/Google Drive optional.
Set up one of these applications with all of your social media, email, cloud software accounts, etc. Just make sure they support these time-based one-time password applications. Once you are done, you’ll be confident knowing you are more protected.
All that we covered should better prevent malicious activity from hackers attempting to access your accounts. Keep in mind, though, that MFA is an important start, but it’s not the only “best practice” you should consider. These next few things could help seal the deal in heightening your account security.
A few things to avoid to better protect yourself:
Clicking Links in Unsolicited Emails or Texts
- Why Avoid: Phishing scams trick you into entering your login details on fake sites. That “Your account is locked!” email with an interesting-looking link? It’s a hacker’s bait. One click, and you can give them your password.
Reusing Passwords Across Accounts
- Why Avoid: If one website gets breached, hackers will then use programs to try that password everywhere — email, Instagram, you name it. If that password is the same elsewhere, they will gain access to your account.
Falling for “Urgent” Account Verification Requests
- Why Avoid: Scammers love to cause panic — “Verify your account now or lose access to it forever!” Real platforms will never rush you like that; they will notify you multiple times, with a date given in advance. Those fake forms are used to steal your info.
Storing Passwords in Plain Text
- Why Avoid: Leaving your password written on a sticky note or in an unencrypted application will make it very easily accessible. You make it easy for hackers.
In 2020, Microsoft reported 1.2 million accounts compromised in January alone, with 99.9% (1,199,000) lacking MFA, based on over 1 billion monthly active users.

