Skip to main content

Two-factor authentication (Janathon day 14)

Written Jan 14, 2023, tagged under post

Today has not gone to plan. Early signs were a bit worrying - today's Wordle was a nightmare (more of that tomorrow). And then, while stuck on the last chance to guess the words with only a few letters known, an email arrived which made it clear that someone had just succeeded in hacking in to Ellie's Instagram account.

The next half hour or so was basically a high-octane battle of wits as the hacker, believed to be based in Nigeria with a VPN appearing in New York, worked to change the key account details (email, phone number, password) while we tried to stop them and kick them out. For about a quarter of an hour it looked like they had actually succeeded - it was a low point when it became obvious they'd just switched on two-factor authentication on the account for them, making it really hard for us to get back in.

Thankfully, after reading through a fair amount of material on the Instagram help site, it became apparent that if there was a picture of the account owner in the account then it should be possible to retrieve the account by creating a video showing different views of the owner's head to perform verification. In reply an email came saying they'd get back in the next three days, but thankfully they actually got back to us in about ten minutes. The confirmation email was enough to get back in to the account, reset the details and password, and finally - the key step - enable two-factor authentication ourselves.

So we did end up recovering the account completely, and no harm appears to have been done. But I would strongly recommend setting up 2FA for your own accounts, to help protect you from going through the same nightmare. We used an app called Google Authenticator (there are other options though), which generates a six-digit number which changes every half-minute or so. When you sign in, you just need to give the number - it isn't hard. This feels safer to me than using text messages for authentication, since that is more easily intercepted either by creating hacked SIM cards or maybe using iCloud (I'm not an apple person so can't be sure about the last bit).

The net effect, though, was that my adrenaline has been running really high all day. Also, my morning boot camp went out the window (we hadn't recovered the account in time to get there). To top it all, I just tried to get to the gym for a catch-up, only to find it shut, so I'm now doomed! Oh well, an early night and then let's see what tomorrow brings.

Oh yes: I came back to the Wordle later in the day, and worked the answer out on the last guess. Phew!

Janathon entry: 20 sit-ups

Photo by marcos mayer on Unsplash