Popular image-based social media site Instagram recently announced several security upgrades including compatibility with third-party authentication services that allows for alternative two-factor authentication (2FA) — DUO and Google Authenticator, on top of 2FA SMS they already had in place.
Why Does Instagram Care About User 2FA Security?
Instagram started out as a carefree social media image sharing site that has little business value thus it remained off the radar of malicious actors. A simple user/password authentication mechanism sufficed as the possibility of threat and the value of hijacked Instagram accounts were very low.
As Instagram gained popularity — celebrity and famous people shared their lifestyles, companies paraded their wares, and individuals made their living as influencers, it attracted bad actors; attackers will attempt to gain unauthorized access to accounts and ask for ransom, which if unpaid, will result in valuable contents being deleted and followers being blocked, as what happened to Rachel Ryle a talented stop-motion animator. The rise of threat, and value of hijacked Instagram accounts, convinced Instagram to commit resource and money to introduce SMS based two-factor authentication (2FA) in 2016 to protect its 400M users & USD2B revenue. With 2FA, attackers need to acquire not only the username/password but also hijack the phone to which a one-time PIN (OTP) is sent to by SMS/voice, in order to complete the login process. This security effort seems noteworthy if not for the fact that it was 5 years late; parent company Facebook rolled out 2FA SMS in 2011.
Fast-forward to Jun 2018, with Instagram at a billion users and a revenue of USD5.5B, Instagram has again upped the ante by with altnenative 2FAs in the form of DUO mobile, and Google Authenticator. DUO mobile offers 2FA through push notification technology that prompts a user to click on ‘Approve’ to complete any logins on Instagram, while Google Authenticator requires the user to enter a time-based one-time password (TOTP) that ‘magically’ appears on the Google Authenticator app, into the Instagram OTP input field to complete the login. Both methods, like 2FA SMS, require the possession of the user’s phone in order to complete the login process.
2FA Security Must Be A Choice
Throughout all these security upgrades, Instagram has not forced all its users to use the strongest security available. Why?
Think about the trinity of security – asset value, usage convenience, and security cost. Now think of the stakeholders in Instagram – users, companies/influencers/celebrities (business owners), and Instagram itself.
Notice something?
The asset value varies across users, business owners, and Instagram. To the user, if her account is hijacked, she lost some photos, to the business owner, she loses revenue and followers, to Instagram, every hijacked account erodes the community trust, which has strong and lasting repercussions to its revenue.
Thus despite all stakeholders desire for convenience of usage, business owners, and Instagram, who have a lot to lose, will sacrifice inconvenience for extra protection. Users, on the other hand, if inconvenienced, will wean off Instagram, which results in the loss of potential customers to the business owners, and trips the growth of Instagram; how many users would bother to download another mobile application that enables them to login to another mobile application (sounds ridiculous just reading that), read through a set of instructions to setup a technology, which they hardly understand, while struggling with the worry of accidentally locking themselves out in the process, and having to deal with the totally unresponsive customer support.
The Instagram ecosystem demonstrates why security choice is important and there is a right time and place for different security protection – SMS/voice OTP, DUO mobile, and Google Authenticator. The only people who are constantly clamoring for the highest security are those with a product to sell, and those who are not involved in the rigors of running a real business.
Does your business have multiple stakeholders like Instagram? You definitely do if you are operate a sharing economy, or marketplace business. On the other hand, you may have only end-users as stakeholders but they may be situated in different parts of the world where smartphone penetration, and security technology-savviness is still developing. If so, you need to give your users an alternative phone-based 2FA in SMS, voice, missed-call/touch-free to keep your business growing healthily. We are here to help: https://calendly.com/ringcaptcha.