We have already talked about hacking a VKontakte page. Attackers can find out your login and guess your password, and then they will be able to visit your page.
To prevent this from happening, VKontakte introduced an additional security measure: double (two-factor) authorization. The point of this function is that after entering your login and password, you also need to enter a secret code received via SMS or by other means. Thus, the likelihood of hacking is reduced significantly. Even if attackers know your credentials, they won't have the code to log into the page.
Now I will show you how to activate double authorization on VKontakte and set up an application for generating codes.
Second Factor: Authentication Codes and Backup Codes
What is an authentication code
An authentication code is a code that is generated by a special mobile application and is used for logging into your account and for other important operations if you have a second account security factor enabled.
The code is valid for 30 seconds and cannot be used again. This increases the protection of the account to which the second protection factor is connected.
How to get it
To receive authentication codes, install the Wargaming Auth or Google Authenticator application on your mobile device and enable the second account security factor.
After this, when logging into your account and performing other important operations (password recovery, etc.), you will additionally use the authentication code generated by this application.
What are backup codes and what are they for?
When you activate the second protection factor, 10 backup codes will be automatically generated, which you can save using one of the suggested methods.
Backup codes are useful if you lose access to your mobile authenticator or phone - then you can enter the backup code instead of the authentication code.
Using backup codes, you can restore your password and account access at any time, as well as disable the second protection factor.
You can always create new backup codes and view active backup codes.
Be sure to save your backup codes and do not show or share them with anyone.
One backup code can only be used once.
How do I know if the code worked?
When you enter the backup code, a corresponding message will appear in the notification menu. The message will indicate from which IP address and for what operation the code was used.
The same message will be sent to the email to which your account is linked.
As soon as you have less than three codes left, you will receive a notification:
The same notification will appear in your Personal Account:
How to view active backup codes
- Log in to your Personal Account, find the “Second protection factor” field and click on the icon with a question mark.
- Click "Show remaining backup codes."
- Enter the authenticator code or backup code and click Activate.
How to create new backup codes
- Log in to your Personal Account, find the “Second protection factor” field and click on the icon with a question mark.
- Click "Show remaining backup codes."
- Click "Create new backup codes".
After creating backup codes, the old codes will stop working. You can generate a new set of backup codes no more than twice in 15 minutes.
- Click the "Create" button.
- Enter the authenticator code or backup code and click Activate.
- Save the codes using one of the suggested methods.
- Done, you can use the backup codes to access your account.
Keep your backup codes and secret key in a safe place. Do not give or show them to anyone.
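The backup-code rules described above (ten single-use codes, a new set invalidating the old one, at most two regenerations in 15 minutes, a notice naming the IP address and operation, a warning when fewer than three codes remain) can be modeled as follows. This is an added example, not Wargaming's code; the class name, the 8-digit code format and the notice texts are assumptions.

```python
import hmac
import secrets
import time


class BackupCodes:
    """Hypothetical server-side store of one account's backup codes."""
    COUNT = 10          # codes issued per set
    LOW_WATER = 3       # warn when fewer than this many remain
    MAX_REGEN = 2       # regenerations allowed ...
    WINDOW = 15 * 60    # ... per 15 minutes (seconds)

    def __init__(self):
        self.active = set()      # codes that can still be redeemed
        self.regen_times = []    # timestamps of recent regenerations

    def regenerate(self, now=None):
        now = time.time() if now is None else now
        self.regen_times = [t for t in self.regen_times if now - t < self.WINDOW]
        if len(self.regen_times) >= self.MAX_REGEN:
            raise PermissionError("backup codes already regenerated twice in 15 minutes")
        self.regen_times.append(now)
        fresh = set()
        while len(fresh) < self.COUNT:   # loop guards against a random duplicate
            fresh.add(f"{secrets.randbelow(10 ** 8):08d}")  # assumed 8-digit format
        self.active = fresh              # the old set stops working here
        return sorted(fresh)

    def remaining(self):
        return sorted(self.active)

    def redeem(self, code, ip, operation):
        """Consume a code; return the notices to show and e-mail, or None."""
        match = next((c for c in self.active
                      if hmac.compare_digest(c.encode(), code.encode())), None)
        if match is None:
            return None                  # unknown, already used, or from an old set
        self.active.discard(match)       # one backup code works only once
        notices = [f"Backup code used from {ip} for: {operation}"]
        if len(self.active) < self.LOW_WATER:
            notices.append(f"Only {len(self.active)} backup codes left")
        return notices
```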
www.wargaming.net
If you don't remember your password
In this case, it is impossible to restore access via SMS alone. After all, with two-factor authentication, it is unacceptable that you can enter a page with only one of the two factors (access to your phone).
All recovery methods are listed here:
- VKontakte: quick password recovery is not available. Why? What to do?
One way to restore access when login confirmation is enabled
The largest social network, VKontakte, has introduced two-step authorization on the site. Now, if the user wishes, in addition to entering a login and password, he can protect his account by entering a PIN code. The VKontakte PIN code will provide better protection of your data from hacking. This article explains how to activate and correctly configure VK's “Login Confirmation” function and how to use it correctly.
So, let's get you up to speed. The developers have long been seriously concerned about protecting the personal data of VK users. At first, hacking a page was a piece of cake, but over time security methods became more and more complex. And now, in the battle between hackers and VKontakte, the advantage has shifted seriously in favor of the latter.
After linking accounts to a mobile phone number, the developers managed to significantly reduce the wave of page hacking. Soon the same developers built on everything that had been developed over the years by adding PIN code entry for VK. Now everyone who has a VKontakte account can set up the PIN code function. Thus, the user receives double protection for his account.
To authorize, in addition to filling out the login and password fields, you will need to enter a special code that will be sent to you in a free SMS message. Naturally, this SMS is tied to your mobile phone number. If you don’t want to bother with SMS messages, you can use a special application for your smartphone: a code generator for VKontakte. It is also strongly recommended that you copy the list of backup codes, which you can use if you don’t have your phone at hand. To reassure some “lazy” users right away: the PIN code comes only upon your request and only after you activate this function.
In order to enable “Login Confirmation” in VKontakte, you need to go to the “My Settings” menu on your page. In the “General” tab, find the “Your Page Security” settings group. Opposite the “Login Confirmation” item, click the “Connect” button.
Now, when you log into your VK account, you will be prompted to “Enter the code.” Which, in fact, is what you should do.
The PIN code is valid only once: one login, one PIN code. Even if “evil people” manage to get your PIN code along with your VKontakte login and password, they will not be able to use them. And you will receive a pop-up message, “An attempt was made to log into your account from IP …”, which will contain the IP address of the computer from which they tried to illegally log into your account.
In this case, you should not panic, because VKontakte has already prevented the attempt to hack your page. And you will be able to identify and punish the person caught, using the IP address of his computer.
If you do not want to use the PIN input function because, for example, you are at home and log in from your own PC, you should use the “Remember Browser” function; to activate it, just check the box that appears. The function remembers the location and the browser from which you log in, and you will no longer need to enter a PIN code for this browser on your PC. At any time, you can reset all settings either on the current device or on all verified devices.
IMPORTANT! You cannot simply disable this function of confirming entry with a PIN code. When you first log in from your browser on a computer, laptop, smartphone or telephone, you should enter your PIN code once and be sure to check the “Remember browser” box. After this, you will not need to enter your PIN code every time you log into VK from these devices.
If your SIM card is lost or fails, and the PIN code confirmation function is activated, you can use the recovery form via email. The introduction of two-step authorization will protect your personal data, and your account will always be protected by the VK security service.
The practice of double entry is already successfully used in many large social networks, such as Twitter, Facebook, Google. Many online banks also use a confirmation PIN. And finally, VK.com has also strengthened the protection of our personal data.
Greetings! In this detailed step-by-step instructions, with photographs, we will show you how to further protect your page from unauthorized access on the VKontakte social network.
By enabling login confirmation via SMS, in addition to the login and password that you use to access your VKontakte page, you will also need to enter a one-time code that will be sent to the phone linked to your profile.
In other words, even if someone else finds out your username and password, he will still not be able to log into your VKontakte page, because he will additionally need the code that is sent to your phone as an SMS message.
This protection technology, which is referred to as “two-factor authentication,” not only protects against hacking, but also against page theft. Cases have become more frequent when fraudsters using fake documents received duplicate SIM cards, which were subsequently used for hacking and stealing pages.
Restoring access in this case takes some time, which is quite enough to commit illegal actions such as sending spam and viruses. If the user is also the head of a large community, this kind of action can cause serious damage to its reputation and even lead to the blocking of the group or public page.
Taking into account all these circumstances, with “two-factor authentication” activated, the ability to recover the password to the VKontakte page via SMS becomes impossible, and if such a need arises, password recovery via the E-Mail linked to the page is used. By the way, you can read about how to link an E-Mail to your page here.
It should be noted that even with two-factor authentication enabled, it is possible to create a list of trusted devices, from which additional SMS confirmation will not be required when logging in.
To do this, during the authorization process, you must check the box Remember browser.
Enable login confirmation via SMS on VKontakte
While on the VKontakte website, click on the menu in the upper right corner. In the list that appears, select Settings.
On the page that appears, click on Security. In this block, p
iuni.ru
VKontakte login confirmation
So, the next update is the “Login Confirmation” function, and today we will do a full review of it. We'll tell you how it works, how to enable it, configure it or disable it.
Each registered user wants to save his personal data, which is used when logging in, and does not want his personal documents (photos, correspondence, etc.) to become public. This is why the developers of the social network are doing everything to prevent this from happening.
What is login confirmation
Login confirmation provides an additional level of protection for your VKontakte page from hacking. When using this function to access the page from unregistered browsers and devices, in addition to the password, you will need to enter a security code.
The code can be obtained using the phone number linked to your page.
Attention! When login confirmation is enabled, the password recovery service by phone number becomes unavailable. Therefore, we strongly recommend that you attach a current e-mail to the page, indicate your true first and last name, and upload your real photos as the main ones before continuing with the setup.
How to connect login confirmation to VK
To enable this option, you will need to go to the “Settings” menu item and there, on the “General” tab, find the “Your Page Security” section.
By clicking on the “Connect” button, a system window will open in front of you, where you will need to click “Go to settings”. Next, the system will ask you to confirm your action by entering a password:
By entering your password and clicking on the “Confirm” button, you will launch this option. But, do not forget that after connecting it, one mobile number for password recovery will not be enough. You will need to submit your application for consideration by moderators.
If you have any questions, ask them on our vk.com forum and our moderators will answer you as soon as possible!
socialnie-seti.info
Two-factor authentication has appeared on VKontakte - Oftopic on TJ
The social network VKontakte has enabled two-factor authentication, which further protects access to the page from hackers. This was reported in a company press release received by TJournal.
Two-factor authentication involves two stages of logging into your account. One of them is traditional - entering a login and password.
The user will be able to turn on the second stage and choose at his discretion from three options. The first is a unique code via SMS, the second is a list of backup codes, each of which is valid once.
The third method is to use special mobile applications to generate codes, for example, Google Authenticator. To set it up, you need to scan the QR code shown in the VKontakte settings and enter a special confirmation code.
The VKontakte press release notes that for most users of the social network, two-factor authentication will be unnecessary, but accounts of some categories - administrators of large communities and application owners - become targets for “hunting”.
With new security measures, the user's account will be protected from intruders, even if they manage to take possession of his SIM card: to recover the password to the page with two-factor authentication enabled, you will need to gain access to the linked email.
Additionally, users will see pop-up notifications for all login attempts. Two-factor authentication is described in detail on the special page of the VKontakte developers.
tjournal.ru
How to enable two-factor authentication on VKontakte?
Go to your page and go to the “Settings” section.
Open the “Security” tab. Here in the “Login Confirmation” section, click the “Connect” button.
A form will open - in it, click the “Proceed with configuration” button.
You will be asked to re-enter the password for the page. Do this and click the "Confirm" button.
Receive the code on your phone and enter it in the form. Then click the "Submit Code" button.
Setting up an application for generating codes
The next step is setting up the application to generate codes. You are offered to install an application that will allow you to generate login codes, even without connecting to a cellular network.
Use Google Authenticator for iPhone and Android smartphones, and Authenticator for Windows Phone phones. Install the appropriate application on your gadget.
This is what a window with a QR code and a secret code in VK looks like.
Now launch the installed application and scan the specified code.
Now paste the received code from the application, and click the "Confirm" button.
The code generation application has been successfully configured!
You will be taken to the Security tab. Now you can do the following operations here.
- Change phone number;
- Show a list of backup codes;
- Set up an application for generating codes;
- Configure application passwords;
- Disable two-step authentication on VKontakte.
Double authentication on VKontakte - sex or imitation? / Sudo Null IT News
Hi all! Recently I decided to test a hardware OTP token with the ability to flash it via NFC by connecting it to my vk.com account. At the same time, I came across shortcomings in the VKontakte two-factor authentication system, which seemed quite significant to me. I want to share my observations with you, since VK itself did not admit any mistakes. Perhaps I'm a little paranoid? I wonder what you, Habr readers, will say.
I’ll make a reservation that before starting work on the article, I outlined all my observations on HackerOne. None of the described bugs were recognized by VKontakte. But when, before publishing the article, I decided to take confirming screenshots, it turned out that one of the bugs had been fixed. The fact that they listened to my words cannot but rejoice. It’s just a pity that the guys didn’t even say “thank you.”
So, mistake number 1. Static secret key.
To connect an OTP generation application to his account, the user enters a password, after which a page opens with the secret key necessary to issue a software token. So far so good.
But if for some reason the user did not activate the software token immediately (for example, he was distracted by an important call, or simply changed his mind and returned to the main page), then when after some time he decides to receive the token, he will again be offered the same secret key.
What makes the situation worse is that within half an hour after entering your password, even if you went to the main page or logged out of your account and then logged in again, the password is not requested again before the QR code with the secret is displayed.
Why is this dangerous?
The VKontakte token, like any other TOTP token, works on a fairly simple principle: it generates one-time passwords according to an algorithm based on two parameters - time and a secret key. As you yourself understand, the only thing needed to compromise the second factor of authentication is to know the SECRET KEY.
Such a vulnerability leaves two loopholes for an attacker:
- If the user walks away from the computer, the attacker will have enough time to compromise his secret key.
- Having taken possession of a user's password, an attacker can easily spy on his secret key in advance.
The fix is simple. The secret key must change every time the page is refreshed, as happens, for example, on Facebook.
Mistake #2. The new token after reissue uses the same secret key.
At the time of publication of this article, this flaw had been corrected.
The situation described above is aggravated by the fact that when the token is re-issued, VKontakte will not offer you a new secret key. In fact, 1 secret key is tied to your page and you will no longer be able to change it.
Why is this dangerous?
If you find out that your secret key has been compromised (for example, during the first issue of a token, as described in the first point), VKontakte double authentication is no longer of any use to you. Feel free to disable the second factor and choose a stronger password. It is not possible to reissue a token with a new secret.
If you have lost the phone on which the token was installed, you can do the same. Anyone who gets their hands on your smartphone will be able to freely use it to log into your account. All that remains is to find out the password. In this case, the whole point of two-factor authentication is lost. It is clear that if a user notices that his account is compromised, he can contact support, but this will waste precious time that he may not have.
Mistake #3: Disabling the second factor without prompting for a one-time password.
Everything here is clear from the title. When the second factor is disabled, entering the password is enough, OTP is not requested.
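An added example (not code from the original article or from VKontakte) of the TOTP principle described above, together with server-side handling that avoids the three mistakes: a fresh secret on every display of the setup page and on every reissue, and an OTP required to disable the second factor. The `SecondFactor` class and its method names are hypothetical; `totp` follows RFC 6238 with HMAC-SHA1.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time


def totp(secret_b32, at=None, step=30, digits=6):
    """RFC 6238: the code depends only on the secret key and the time."""
    key = base64.b32decode(secret_b32)
    counter = int((time.time() if at is None else at) // step)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def _same(a, b):
    return hmac.compare_digest(a.encode(), b.encode())


class SecondFactor:
    """Hypothetical per-account state on the server."""

    def __init__(self):
        self.active = None       # secret of the enrolled token, if any
        self.pending = None      # secret shown on the setup page, unconfirmed
        self.last_counter = -1   # last accepted 30-second step (blocks reuse)

    def show_setup_page(self):
        # Mistakes 1 and 2: never redisplay or reuse an earlier secret.
        self.pending = base64.b32encode(secrets.token_bytes(20)).decode()
        return self.pending

    def confirm_setup(self, code, at, step=30):
        if self.pending and _same(code, totp(self.pending, at, step)):
            self.active, self.pending = self.pending, None
            self.last_counter = int(at // step)
            return True
        return False

    def verify(self, code, at, step=30):
        counter = int(at // step)
        if self.active is None or counter <= self.last_counter:
            return False         # no token, or this time step was already used
        if _same(code, totp(self.active, at, step)):
            self.last_counter = counter
            return True
        return False

    def disable(self, password_ok, code, at):
        # Mistake 3: the password alone must not remove the second factor.
        if password_ok and self.verify(code, at):
            self.active = None
            return True
        return False
```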