Instagram this week became the latest in a long line of services to offer users two-factor authentication.
Kevin Systrom, co-founder and CEO of the Facebook-owned mobile photo-sharing app, announced the feature on its blog Thursday afternoon. With the feature – accessible via Settings -> Two-Factor Authentication – users will be prompted to enter a code, delivered via SMS, every time they log in.
At first glance Instagram’s two-factor authentication mechanism is slightly more intuitive than others. Upon turning the feature on, Instagram also supplies users with five different backup security codes in case a user can’t receive a security code by text. The codes – sets of eight digits – can also be used if a user’s phone has been stolen, compromised, or misplaced. The service automatically saves a screenshot of the codes to the Photos section of the user’s phone and also allows users to copy the codes to the device’s clipboard.
Two-factor authentication has become fairly ubiquitous over the last several years. Google was one of the first companies to deploy it when it added a two-factor mechanism to its Google Apps offerings way back in 2010. Facebook introduced its version, Login Approvals, in 2011; Twitter added a mechanism for 2FA in 2013.
Given Facebook’s robust security settings, it was about time that Instagram, which Facebook acquired for $1 billion back in 2012, caught up. Many social media sites, Facebook in particular, have been keen on giving users an increasing number of options when it comes to logging into their services securely.
Facebook unveiled Code Generator, part of Login Approvals, several years ago. The service randomly generates six-digit security codes every 30 seconds that users can enter to access their account in the event they don’t have mobile service. The service can also be used to reset a user’s password. The company began offering users another service, Delegated Recovery, earlier this year. The feature gives users a mechanism similar to 2FA to set up an encrypted recovery token for sites like GitHub and store it with Facebook.
“An email address alone can’t provide the same level of two-factor authentication to recover access,” Facebook security engineer Brad Hill said of the feature at the time.
Earlier this year the company also began allowing users to tie a physical security key, like a YubiKey, to their accounts for an added layer of security.