Multi-factor authentication (MFA) Multi-factor authentication (MFA) is when you use two or more steps to verify your identify, and you may already be using MFA. For example, when you receive an authentication code by text message after entering your password to log into your online banking account. MFA is one of the best ways to protect against someone breaking into your account. It makes it harder for cybercriminals to take over your account, by adding extra layers of protection. MFA requires you to use a combination of two or more of the following factors to access your accounts: Something you know (e.g. a PIN, password or passphrase); Something you have (e.g. a smartcard, physical token, authenticator app, SMS or email); and Something you are (e.g. a fingerprint, facial recognition or iris scan). MFA defends against the majority of password-related cyberattacks. For example, MFA protects against credential stuffing where cybercriminals use previously stolen passwords from one website and try to reuse them elsewhere so they can gain access to more accounts. Think of adding MFA to your account like adding a locked security screen to your home. It provides you with an extra layer of protection from cybercriminals trying to break in. Even if they break through one layer (for example, by guessing your password), they still need to break a second barrier to access your account. Having an extra step can be inconvenient at first, but remember that taking shortcuts leaves your system more vulnerable. You are better off spending a few seconds entering a one-time code now, to avoid spending hours later on trying to regain access to stolen data. MFA often goes by different names. You may see it called two-factor authentication (2FA) or two-step verification. No matter what it’s called, these are still types of MFA and will help keep your account secure. Turn on MFA for your Instagram account 1. Tap your profile picture in the bottom right to go to your profile. 2. Tap the three stacked lines in the top right. 3. Tap Settings. 4. Tap Security. 5. Tap Two-factor authentication. 6. Tap Get Started. 7. Follow the on-screen instructions to set-up two-factor authentication, using your WhatsApp account, an authentication app (recommended), or text message. Authenticator apps are mobile applications that generate a random ‘one-time password’ to verify your identity when you log in. They are generally considered more secure than a text message. 8. If you select Authentication app, you will have two options to finish setting up two-factor authentication. Note that the example below is for an iPhone, however the process will be similar with another mobile device. 9. Option 1: Click on Next and enter the six-digit login code sent to, or generated by, your phone to finish setting up two-factor authentication. 10. Option 2: In step 8, select Set up another way and you will receive a key that you need to enter in the authentication app to finish setting it up. 11. Once you have turned on two-factor authentication and a code cannot be seen due to connectivity or delivery issues, you will still be able to complete the process with a recovery code. Go back to step 5, and tap Two-factor authentication. Tap Additional methods. 12. Tap Backup codes. Save the Backup Codes in a safe place you will remember. Without these codes, you might not be able to log in to your account if you lose access to your phone or if the authenticator is not working. Learn more about recovery codes. Security Tips We have included some additional security tips to help keep your account secure. Log out of Instagram if you are using a device that you share with other people, each time. Never tick the ‘remember me’ or ‘trust this device’ box when you log in with a public computer, or it will keep you logged in even after you close the browser window. Even better: don’t use a public computer to access your social media accounts. Pick a strong password and never share it with anyone. It is also a good idea to change your password regularly. Check your privacy settings. By default, everyone on Instagram will be able to see your profile and some people can see if you’re online. If you don’t want this to be the case, you can change these in your account settings. For more information on privacy settings, refer to Instagram’s guidance and for more information on how to stay safe on Instagram, refer to the eSafety Guide. Check third-party apps. It is a good idea to review which apps and websites you’ve given access to your Instagram account. If you find any that are unfamiliar to you, you should remove their access. For more information, refer to Instagram’s guidance. Never click on links in emails or messages, or open attachments, from people or organisations you don’t know, and do not reply to unsolicited friend requests on Instagram. Crafty scammers may pose as someone you know, or even gain unauthorised access to your friends’ social media account and send you a message that contains a link or attachment, or unusual requests (e.g. asking for money). It can be hard to know if it is legitimate, but the best way to know if your friend or a scammer is behind the message is to check with your friends, offline. Always be wary of opening attachments. If you expected to receive one and it’s a common file type (such as a .PDF or .doc file) then treat the content as read-only: never enter your sign-in details and don’t follow additional links to initiate transactions. If it is a file type that you don’t recognise, then leave it alone. After you have already signed in to use MFA, you have the option to mark your personal device as a trusted device by tapping ‘Trust this device’. This way, you won't have to enter a security code when you log in every time. However, you should only do that with your own device. Do not tap Trust this device if you're using a public or shared device that other people you may not know can access.