Let’s take a look at Instagram’s security, for example.
Instagram does not require any type of verification for changing the email address on an account. This allows for easy phishing and compromising of accounts that belong to gullible people. Although Instagram does help recover the accounts, this is only the case if you remember your original sign-up email. In my opinion, this is heavily flawed, because many accounts that have been hacked are old accounts whose owners do not remember the sign-up email, or the email that was used to sign up is something like email@example.com (dumb, but it happens).
Due to this, many are unable to access their accounts again.
Now let’s look at the phone number verification. This can be good for some, but once again, Instagram requires no confirmation whatsoever when the phone number is changed. Just by knowing someone’s password, you can remove all security from them.
I have come up with a couple of solutions to these problems.
- Google Authenticator or any other 2FA app. This generates a new code every 10 seconds, making it impossible to hack someone this way.
- Email confirmations. I know this is flawed, because someone can lose access to their email, so pairing this with 2FA would be a good idea as a backup.
- Security questions. Requiring security questions would help as an extra security measure before allowing the change of a password or any verification method.
- IP Verification. When you log in from a never-before-used IP, it requires phone/email confirmation beforehand.
These are security measures based on the surface of the account, but there should be more in the settings, such as:
- Device Force Logout. This would allow a user to remove and force log out of devices that they aren’t familiar with, or just simply forgot to log out of.
- Manual IP Removal. This should not show the actual IP of the area logged in from due to security reasons, but should show the general area of the login, and allow people to remove that specific IP, to require an email confirmation the next time.
- Automatic IP Removal. If the person has not logged in from a specific IP for x amount of days/weeks, the IP should automatically be removed from the trusted IP sections and be required to pass through email confirmation for the next time.
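The trusted-IP ideas above (step-up confirmation on a new IP, manual removal, automatic removal after a period of inactivity) fit together into one small login policy. The following is an added example written for this post, not Instagram's code; it assumes trust is tracked per /24 (IPv4) or /64 (IPv6) network rather than per exact address, a 30-day idle limit standing in for the "x amount of days", and that the caller sends the confirmation email and calls `confirm()` once the link is clicked.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import ipaddress

MAX_IDLE_DAYS = 30  # assumption: the post's "x amount of days"

@dataclass
class TrustedNetworks:
    """Per-account trusted-network list: network -> time of last login."""
    entries: dict = field(default_factory=dict)

    @staticmethod
    def _key(ip: str) -> str:
        # Trust the /24 (IPv4) or /64 (IPv6), not one exact address
        addr = ipaddress.ip_address(ip)
        prefix = 24 if addr.version == 4 else 64
        return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))

    def revoke(self, ip: str) -> bool:
        """Manual removal: the next login from this network must confirm."""
        return self.entries.pop(self._key(ip), None) is not None

    def confirm(self, ip: str, now: datetime) -> None:
        """Called once the user clicks the emailed confirmation link."""
        self.entries[self._key(ip)] = now

    def check_login(self, ip: str, password_ok: bool, now: datetime) -> str:
        """Return 'deny', 'needs_email_confirmation' or 'allow'."""
        if not password_ok:
            return "deny"  # never reveal trust state on a bad password
        # Automatic removal: forget networks idle longer than MAX_IDLE_DAYS
        cutoff = now - timedelta(days=MAX_IDLE_DAYS)
        self.entries = {k: t for k, t in self.entries.items() if t >= cutoff}
        key = self._key(ip)
        if key not in self.entries:
            return "needs_email_confirmation"  # new or forgotten IP: step up
        self.entries[key] = now
        return "allow"

def demo() -> list:
    """Constructed scenario: new, trusted, revoked and stale networks."""
    t0, tn = datetime(2024, 1, 1), TrustedNetworks()
    out = [tn.check_login("203.0.113.5", True, t0)]
    tn.confirm("203.0.113.5", t0)
    out.append(tn.check_login("203.0.113.9", True, t0 + timedelta(days=1)))
    tn.revoke("203.0.113.5")
    out.append(tn.check_login("203.0.113.5", True, t0 + timedelta(days=2)))
    tn.confirm("203.0.113.5", t0 + timedelta(days=2))
    out.append(tn.check_login("203.0.113.5", True, t0 + timedelta(days=40)))
    return out
```

Showing the user only the network's general area (never the stored key itself) in the settings page keeps the manual-removal list usable without exposing exact addresses.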
If you have any security suggestions, leave them down below and I’ll have them added to the list of suggestions.
Also, @dom, I have a PM regarding a similar issue that I’ve decided not to post due to potentially dangerous intents it may cause.