Instagram accounts are among the most targeted on the internet. Enabling two-factor authentication (2FA) is the single most effective step you can take to stop unauthorised access.
Why You Need 2FA on Instagram
Instagram uses email and phone number for account recovery, both of which are commonly exposed in data breaches. With 2FA enabled, even if someone has your password, they cannot log in without the time-based code from your phone.
Method 1: Authenticator App (Recommended)
Using an authenticator app is more secure than SMS because codes are generated locally and cannot be intercepted via SIM swapping.
- Open Instagram and tap your profile picture in the bottom right
- Tap the menu icon (☰) → Settings and privacy
- Go to Accounts Centre → Password and security → Two-factor authentication
- Select your Instagram account, then tap Authentication app
- Instagram will display a QR code and a 32-character secret key
- Open your authenticator app (or use 2faco.com) and scan the QR code or paste the secret key
- Enter the 6-digit code displayed to confirm setup
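As an added illustration (not part of the original guide, and not Instagram's code), this sketch shows how an authenticator app derives the 6-digit code locally from the 32-character secret key using standard TOTP (RFC 6238). The SHA-1 hash, 30-second step and one-step drift window are assumed RFC defaults, and the secret is the RFC's constructed test key rather than a real account key.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample: the RFC 6238 test secret ("12345678901234567890"),
# base32-encoded to 32 characters. It is not a real Instagram key.
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def normalize_secret(secret: str) -> bytes:
    """Decode a base32 secret as a user would paste it (spaces, lower case)."""
    cleaned = secret.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore padding if it was stripped
    return base64.b32decode(cleaned)


def totp(secret: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Compute the code for a given time. No network access is involved."""
    key = normalize_secret(secret)
    counter = struct.pack(">Q", unix_time // step)       # 8-byte time counter
    mac = hmac.new(key, counter, hashlib.sha1).digest()  # HMAC-SHA1 (assumed)
    offset = mac[-1] & 0x0F                              # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret: str, submitted: str, unix_time: int,
           window: int = 1, step: int = 30) -> bool:
    """Service-side check that tolerates +/- `window` steps of clock drift."""
    for drift in range(-window, window + 1):
        expected = totp(secret, unix_time + drift * step, step)
        if hmac.compare_digest(expected, submitted):     # constant-time compare
            return True
    return False


if __name__ == "__main__":
    print(totp(SAMPLE_SECRET, 59))
    print(verify(SAMPLE_SECRET, "081804", 1111111111))
```

Because the code depends only on the secret key and the clock, anyone who obtains a copy of the key or QR code can generate valid codes, so treat it like a password.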
Method 2: SMS
Follow the same steps but choose Text message instead of Authentication app. SMS is better than nothing but significantly weaker than an authenticator app: SIM swapping attacks can bypass SMS 2FA entirely.
Save Your Backup Codes
Instagram provides 5 backup codes. After enabling 2FA, return to the Two-factor authentication screen and tap Backup codes. Save these in a password manager; they're your only way in if you lose your phone.
What if I get a new phone?
Transfer your authenticator accounts before switching phones. Always do this before factory-resetting your old device.
Why Instagram Accounts Are Targeted
Instagram accounts with significant followers are valuable and frequently targeted. Attackers use compromised accounts for sponsored post scams, to steal verified account badges, or to sell the account. Even accounts with small followings are targeted if they can be repurposed for spam or phishing. Two-factor authentication prevents unauthorised sign-ins even when your password has been obtained through phishing or credential stuffing.
Instagram's 2FA Methods
Instagram offers three second-factor options. Authentication apps (TOTP): recommended for the highest security. SMS: convenient but vulnerable to SIM swapping. WhatsApp: similar to SMS, sends a code via WhatsApp message. For accounts with a business following or monetisation, use an authenticator app rather than SMS or WhatsApp.
Using an Authenticator App with Instagram
When you select "Authentication app" in Instagram's 2FA settings, Instagram either automatically links to the authentication app on your phone or shows a QR code you can scan. Open your authenticator app (Google Authenticator, Authy, 1Password, etc.), add a new account, scan the code or enter the text key, then enter the 6-digit confirmation code Instagram asks for. Your setup is complete.
Instagram Recovery Codes
Instagram generates five 8-digit recovery codes when you enable 2FA. These can each be used once to sign in without your 2FA device. Copy them and store them separately from your phone. If you lose your codes, generate new ones from Settings → Security → Two-Factor Authentication → Additional methods → Recovery codes. Generating new codes invalidates the old ones.
Trusted Devices on Instagram
After completing 2FA on a device, Instagram asks if you want to save it as a trusted device, skipping 2FA checks on future sign-ins from that device. This is convenient for your personal phone, but never enable it on a shared, borrowed, or public device. Manage your trusted devices from Settings → Security → Two-Factor Authentication → Additional methods → Trusted devices.