In addition to podcast episodes, we'll also be covering some security- and privacy-related topics in blog-style articles, where we can go into more detail than we could in an episode. This is our first article, a deeper dive into a strange problem with Instagram logins that Liz ran into recently. Stay tuned for both upcoming posts and podcast episodes!

Liz's experiences with "Unusual Login Attempt" verification loop failures

Last week, I got locked out of my personal Instagram account for about an hour. Here's what happened and how I found another way back in.

On August 2, 2019, I logged into my personal Instagram account on my laptop and changed the password as a part of my routine security checkup. As I also post to another Instagram account, namely @looseleafsecure, I logged out after changing my personal account's password to update that account's password as well. After updating @looseleafsecure's password, I logged out and attempted to log back into my personal Instagram account. For whatever reason, I believe the 1Password extension autofilled my old password - my new password was longer than my old password, and I remember the dots representing hidden character covering less of the text field than I expected. Of course, Instagram didn't log me in and told me the password I put in was incorrect.

I checked my.1password.com, and saw that it did have my updated password. Something weird was happening with my 1Password extension and autofill, and logging out of the extension and then back in fixed my autofill issue. I went back to Instagram to log in with my updated password.

This time, 1Password did fill the correct password into my laptop's web browser, but instead of taking me back to Instagram's home page logged in, I got the following:

We Detected An Unusual Login Attempt

We noticed a login attempt to your account that seemed suspicious. We'll send you a security code to verify your identity. How do you want to receive the code?

This screen gave me the option to receive the code by email because I removed the phone number associated with my Instagram account since they began allowing two-factor authentication via authenticator apps. (SMS is particularly insecure and vulnerable to SIM-jacking. We talk about SIM-jacking in the news section of our episode "Comparing Android and iOS security" (July 10, 2018) and discuss better second factors in our episodes "Two-factor authentication and account recovery" (June 12, 2018) and "Two-factor tidying" (May 16, 2019).) Another user reported Instagram also offers to send these codes over SMS text message. I retrieved the code from my email, entered it into the verification page, and then, Instagram redirected me to their home page without logging me in. It is worth noting that I have two-factor authentication set up via an authenticator app, yet I was also never asked to input the 6-digit code generated by my authenticator app.

I tried to log into about eight more times, sometimes in a private browsing session, but the same "Unusual Login Attempt" loop and silent failure to authenticate with the verification code continued. I looked around Instagram's Help Center to see if there were any official suggestions to help me get back into my account, but I didn't find anything. To see if anyone else was encountering this issue, I searched Twitter for"Instagram unusual login" and "Instagram suspicious activity" and found I wasn't the only user encountering this issue, e.g. 1, 2, 3, 4, 5

I also tried to find somewhere to contact Instagram for support with failing logins, but I couldn't find a contact form or email address to get into some sort of support queue or report a bug with their service.

I was worried that any login attempts would put me into the "Unusual Login Attempt" loop, but that wasn't the case - I was able to successfully log into another device on the same wireless network. I then tried to log in on my laptop again, but that didn't work.

I then wondered if the "Unusual Login Attempt" loop was related to the specific network connection I was on, where I had previously used the old password by accident. When I connected my laptop to a different wireless network, I was able to log into Instagram without encountering the "Unusual Login Attempt" loop. I suggested trying a different wireless network to another person who mentioned hitting the broken "Unusual Login Attempt" loop, and that person replied that logging on the same device from a different wireless network worked. Another Instagram user avoided the broken "Unusual Login Attempt" verification loop by connecting over a VPN, which makes sense because when you're using a VPN, you're connecting to Instagram through a different internet connection.

Three days later, I logged out of my Instagram from my laptop while on the wireless network where I mistakenly input the old password a few days before, but I didn't encounter the "Unusual Login Attempt" verification process when logging back in. When I had previously searched Twitter for comments on this failing verification loop, I didn't find anyone directly suggesting that just waiting for a day solved this issue, but I did notice a tweet that suggested others had success by simply waiting.

As I successfully logged on by connecting to a different network and could not recreate the situation a few days later, I did not try anything else to gain access to my account again, though I did find another user reporting that turning off two-factor authentication from another device where you're already logged into your Instagram account will allow you to log in. So it's possible that Instagram's "Unusual Login Attempts" broken loop only occurs for users who have enabled two-factor authentication. (Reminder: If you turn off two-factor to get back into your Instagram account on a device, make sure to turn two-factor authentication back on after logging in successfully!)

Takeaways for Instagram users, and social media users more generally

There are a few security-related takeaways here aside from what to try when this happens to you:

1. Make sure you're keeping a copy of any photos you're taking in the Instagram app outside of the app so that you have access to those photos if you're ever locked out of your account. Download a copy of your Instagram data periodically.
2. Large tech companies like Instagram often have terrible account support, and if you find yourself locked out of your account, you may just be out of luck. This is frustrating for personal accounts where you may have lots of memories or spend time socializing with friends, but it can also be devastating for business accounts. Many artists, in particular, depend on Instagram, and losing access to their accounts can have devastating effects. If you're using Instagram for business, make sure you and your customers have another way to reach each other, like another social media profile or an email list. Include at least one of these other contact methods (likely email as some social media services don't want you linking to your accounts on competitors) in your social media profiles.
3. Avoid features like "Login with Instagram" for accessing unrelated websites. If you get locked out of your Instagram account for any reason, you're now unable to access these other websites too. Worse, if someone breaks into your Instagram account, they can now get into these other websites too. A better way to make logging into many different accounts easier is to use a well-respected digital password manager with a good security record, so you're only trusting something on your own computer, instead of trusting one website to log into another. We talk more about the downsides to third-party logins in our episode "Using a password manager effectively" (March 20, 2019) and discuss how to choose a password manager with a strong security record in our episode "Password managers: how they should work and when they didn't" (June 27, 2019).

Suggestion for developers

When you allow your users to enable two-factor methods (awesome! especially if they are strong two-factor methods), make sure to think carefully about how second factors interact without other account verification processes. If someone enables one of the stronger two-factor authentication methods, like using an authenticator app with Instagram, it probably doesn't make sense to go back to using a lower signal ad hoc second factor like email or SMS text messages instead of asking for the 6-digit code from their authenticator app. Using email or SMS as an ad hoc second factor makes sense for users who aren't using stronger two-factor methods, but you should be very clear that emails and phone numbers added to accounts may be used for authentication when your users are adding this information to their accounts.