This isn’t exactly a topic I normally write a post about, as I normally write posts related to the Microsoft 365 suite, but I find it important that also personal online accounts are kept secure. And as I already wrote an article related to personal email accounts with a FIDO security key, I know using a FIDO key isn’t accessible (and understandable) for most end-users. But I hope this post will get users to start using multifactor authentication (MFA) to secure their social media accounts as a beginning in further securing their online accounts. And as I’m not even sure this article is found by end-users as it’s not really related to the usual topics of this website, but I’ll give it a go. If only one user starts using MFA and secures his online accounts, the mission is accomplished 🙂
Why should we enable multifactor authentication?
Most people these days know a password isn’t secure enough anymore.
A simple password can be hacked in days or even hours. We (should) create stronger passwords, but these aren’t easy to remember, so these are written down on post-its.
We hear in the news websites are hacked and millions of user accounts and passwords are captured. And as a lot of people use the same password for multiple accounts, all those other accounts might be accessible for hackers as well when just one website is hacked.
So we should start using something different as a password to keep our accounts secure.
Microsoft engineers said 99,9% of the account compromise incidents they deal with could have been avoided by using multifactor authentication. So I assume that’s no different for our social media accounts.
But what is multifactor authentication?
This is the explanation by Microsoft:
Microsoft:
Multifactor authentication (MFA) adds a layer of protection to the sign-in process. When accessing accounts or apps, users provide additional identity verification, such as scanning a fingerprint or entering a code received by phone.
Multifactor authentication adds an additional authentication method to our authentication process. The traditional authentication process only uses something we know (a password in this case). MFA adds an additional method to this process, something we have (our smartphone on which we receive verification codes).
Another authentication method could be something we are (biometric verification, like a fingerprint).
Let’s explain it also with an example, signing in to a Twitter account. Without using multifactor authentication, we sign in to Twitter by providing our username (or email address) and our password. When we enable MFA for our Twitter account, we can’t sign in anymore with only our password, we need to provide a second factor to sign in. That second factor is provided to us for example by receiving an SMS text message which holds a verification code that you enter during the sign-in process. Or that verification code is generated by an Authenticator app that is installed on your mobile device. When MFA is enabled and our password is in the hands of a hacker, the hacker still can’t sign in to our account as access is blocked when the verification code isn’t entered.
I will show in this blog post how we can enable multi-factor authentication for Twitter, LinkedIn, Facebook, and Instagram. These social media services all support multifactor authentication by using an Authenticator app and/ or receiving a text message via SMS.
Enabling MFA doesn’t mean we need to provide the verification code every time we open the social media website or app. Only when we need to sign in (again) to the service, we’re asked to provide the verification code.
Setup an authentication app
I find it handy to use an authentication app for my social media accounts, as I already use this app to secure other accounts as well. You might also already have such an app installed because you’re already using it for the account of your employer.
And using such an app is considered more secure than via SMS (as even an SMS message can be intercepted). But MFA via SMS is accessible for most users and always better than no MFA.
There are multiple authenticator apps available in the Google Play store and the Apple App Store. Well-known apps are for example the Microsoft and Google Authenticator apps.
In my examples, I used the Microsoft Authenticator app (on Android) as I already use it for securing my Outlook account and a benefit of this app is that we can save a backup of our added accounts (to an Outlook/ Hotmail account) with cloud backup.
Adding an account to the Microsoft Authenticator app is pretty straightforward. When we open the app for the first time it asks to sign in with a Microsoft account, or Work- or schoolaccount. If you have one of these accounts, you can sign in (for example to save a backup to the Microsoft account), but you can also skip this.
To add a new account click on the three dots on the top right and choose +Add account.
Choose Other account.
The QR code scanner is started.
When adding an authenticator app as an authentication method, mostly this can be done by scanning a QR Code.
If this is not possible, we can manually add a code to add the account.
After adding an account, it is shown on the home tab.
And that’s all to add a new account to the authenticator app.
Now when you’re asked to provide an authentication code, just open the app, click on the social media account, and a code is shown.
When you need to authenticate on your mobile phone, you can copy the code and paste it into the app.
Setup MFA for Twitter
Let’s start with the first social media service, Twitter. I’ll show how we can enable multifactor authentication via a web browser on a Windows laptop.
When signed in to Twitter, click on More and choose Settings and privacy. Next, browse to Security and account access and choose Security.
Select Two-factor authentication.
After providing our password and clicking Start, we’re shown a QR Code.
Now we need to switch to our mobile phone, open the authenticator app and scan the QR Code as shown in the previous section.
Still on the mobile phone, click on Twitter, and an authentication code is shown. Enter the code in the web browser and click Verify.
After verification, a single-use backup code is shown.
This code can be used to log in to Twitter when we can’t generate an authentication code, for example, because we don’t have access anymore to our mobile phone. Save this code to a safe place. Or add another multifactor authentication method as a backup.
When we’re back at the two-factor authentication tab, we can also add Text message as an (additional) authentication mode.
Click on Text message and click on Get started.
After re-entering our password we need to enter our mobile phone number and click Next.
In a couple of seconds, our first authentication code is received via SMS. Enter the code and click Next to verify the code.
The next time we sign in to Twitter, we’re asked to provide an authentication code after we’ve entered our username and password.
In case that you ever receive a notification code (via SMS) and you didn’t sign in to Twitter yourself, you can check Account access history to check if you see an unknown location in the list. And it is a good idea to change your password, just to be sure.
Account access history can be found in Settings, under Security and account access, Apps and sessions.
Setup MFA for LinkedIn
Let’s also make our LinkedIn account a bit more secure.
When you’re signed in to LinkedIn via a web browser, click on your profile picture in the top bar and choose Settings & Privacy. Open the Sign in & Security section and choose Two-step verification. Choose Turn on.
Select Authenticator app from the drop-down list and click Continue.
Open the authenticator app on the mobile phone to scan the QR code, as shown in the Setup an authentication app section. This adds LinkedIn as an account to the app.
Click on LinkedIn in the mobile authenticator app to show an authentication code. Enter the 6-digit code on the LinkedIn website and click Continue.
Multifactor authentication is turned on.
We can also add Phone Number (SMS) as multifactor authentication, but unfortunately we can’t add both methods at the same time.
To set up a phone number as a method, enter your mobile phone number and an authentication code is sent to your mobile.
Enter the code on the LinkedIn website and click Verify.
After enabling multifactor authentication, every time you sign in to LinkedIn, you’re asked to provide an authentication code after providing the username and password.
In case that you ever receive a notification code (via SMS) and you didn’t sign in to LinkedIn yourself or there is another reason you think somebody else tried to access your account, you can check sign in history to check if you see an unknown location in the list. And it is a good idea to change your password, just to be sure.
To see from where your account is signed in, browse to Sign in & Security, Where you’re signed in. When you find an unknown session, you can click Sign out, to sign out that particular session.
Setup MFA for Facebook
Another much used social media network is Facebook. As Facebook is used by people of all ages, I guess a lot of accounts can be a bit more secured by enabling multifactor authentication.
The Settings section from Facebook can be found by clicking on the arrow button in the top right corner. Browse to Settings & Privacy, Settings. Under Security and Login, we find Two-factor authentication. Click Edit.
We have the option to set up an Authentication app or Text message (SMS) (or both).
Click on Use authentication app to get started.
A QR code is shown.
Switch to the mobile phone, open the Authenticator app and scan the QR code as shown in the Setup an authentication app section. This adds Facebook to the authenticator app.
To verify the setup, click on Facebook in the mobile app which shows an authentication code. Enter the code on the Facebook page.
Two-factor authentication is turned on.
We can also add Text message (SMS) as an authentication method (as a backup).
Enter your mobile phone number and click Continue to receive an authentication code.
Enter the code on the Facebook page and click Continue again to finish setting up SMS as a method.
Two-factor authentication is set up with text message and authentication app. Both can be used as second-factor authentication method.
After enabling multifactor authentication, every time you sign in to Facebook, you’re asked to provide an authentication code after providing the username and password.
Whenever you think somebody else tried to sign in to your Facebook account, you can check where your account is signed in via the Security and Login section on Facebook, found under Settings.
If you find an unknown session, you can Log out of that session. And it is advised to change your password, just to be sure.
Setup MFA for Instagram
Also for Instagram we can set up multifactor authentication, but at the moment of writing, we can only enable Text message as an authentication method via a web browser. We can’t enable the Authentication app via a web browser #fail.
So let’s switch to the Instagram app on our mobile phone to enable the authenticator app as second-factor authentication method.
Open Settings in the app and choose Security.
Here we choose Two-factor authentication.
Choose Authentication app.
If you have already installed the Microsoft Authenticator app as I have, choose Set up another way.
Copy the key by choosing Copy key.
Switch to the Microsoft Authenticator app. As explained in the Setup an authentication app section we can add an account by scanning the QR Code. But this time at the QR scanner we choose Enter code manually.
Enter Instagram as the account name and paste the code in the Secret key box and click Finish.
Click on Instagram in the authenticator app and copy the code.
Switch back to Instagram, click Next and enter (paste) the code and click Next again.
Two-factor authentication is on!
After we have clicked Done, we are presented recovery codes. These codes can be used to recover your account when you for some reason can’t generate an authentication code.
Choose Text message if you (also) like to turn on SMS as second authentication method.
Enter your mobile phone number and click Next.
Enter the code you have received on your mobile phone and click Next again.
MFA is turned on with the authenticator app and text messages.
Next time we sign in to Instagram, we’re asked to provide an authentication code.
Remark
When you have enabled multifactor authentication, make sure you save the recovery key(s) to a safe place to not lose access to your account, otherwise, you need to contact the social media helpdesk. If it’s possible to set up different authentication methods, authenticator app and text message, this could also be used as backup.
That’s it for this post. I hope you enabled multifactor authentication on every social media account you use and on which it is available. And if you are more familiar with using MFA, enable MFA also on your other online accounts like your email account.