How to Set Up 2FA on Instagram with an Authenticator App
Protect your Instagram account from hijacking with two-factor authentication. Step-by-step guide to setting up 2FA using an authenticator app instead of SMS.
Instagram account hijacking is an epidemic. Creators, small businesses, and everyday users lose access to their accounts daily — often permanently. Attackers use phishing, SIM-swapping, and credential stuffing to take over accounts, then ransom them back or sell them. Two-factor authentication with an authenticator app is the most effective defense, and Instagram makes it straightforward to set up.
Why Use an Authenticator App, Not SMS?
Instagram offers two 2FA methods: SMS and authenticator app. Choose the authenticator app:
- SIM-swapping is real. Attackers call your carrier, convince them to transfer your number to a new SIM, and intercept your SMS codes. Instagram accounts are a frequent target.
- SMS delays happen. Carrier issues, international roaming, or congested networks can delay SMS codes. Authenticator apps generate codes instantly, offline, every time.
- No phone number sharing. You don’t need to give Instagram your phone number to use an authenticator app.
What You’ll Need
- The Instagram app (iOS or Android) — 2FA setup is done in the mobile app, not the website
- An authenticator app on your phone (FactorCat, Google Authenticator, or any TOTP-compatible app)
Step-by-Step Setup
1. Open Security Settings
In the Instagram app:
- Tap your profile icon (bottom-right)
- Tap the hamburger menu (top-right, three lines)
- Tap Settings and privacy
- Scroll to Accounts Center → Password and security
- Tap Two-factor authentication
- Select the Instagram account you want to protect
2. Choose Authentication App
You’ll see two options: Authentication app and Text message (SMS). Select Authentication app.
Instagram will do one of the following:
- Auto-detect an installed authenticator and offer to set it up directly (if you use certain apps)
- Show a setup key that you copy to your authenticator app manually
- Show a QR code (if setting up via a linked device or browser)
3. Add the Token to Your Authenticator
- If Instagram shows a key: Copy the key, open your authenticator app, tap + → Enter manually, paste the key, and name it “Instagram.”
- If Instagram auto-opens your authenticator: Follow the prompt.
- In FactorCat: If you’re shown a QR code, tap + → Scan QR Code. If you’re given a text key, tap + → Enter manually, paste the key, and FactorCat will label it “Instagram” automatically.
4. Enter the Verification Code
Go back to Instagram and enter the 6-digit code currently displayed in your authenticator app. Tap Next or Confirm.
5. Save Recovery Codes
Instagram will display recovery codes. Screenshot them or write them down and store them somewhere safe.
These codes are your lifeline if you lose your phone. Instagram’s account recovery process without them is notoriously slow and unreliable — some users never regain access.
6. Done
2FA is active. Anytime you (or anyone else) try to sign in to your Instagram account from a new device, a code from your authenticator app will be required.
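How the setup key from step 3 becomes the 6-digit code you enter in step 4, as an added example (not code from this guide, Instagram, or FactorCat). It assumes standard TOTP per RFC 6238 with HMAC-SHA1 and 30-second steps; the key is a constructed sample built from the RFC 6238 test secret, and the function names are illustrative.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample key: the RFC 6238 test secret "12345678901234567890",
# shown the way apps display setup keys (lowercase, grouped in fours).
SAMPLE_SETUP_KEY = "gezd gnbv gy3t qojq gezd gnbv gy3t qojq"


def decode_setup_key(key: str) -> bytes:
    """Normalise a displayed setup key (spaces, dashes, case) and Base32-decode it."""
    cleaned = key.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore padding that displays usually strip
    return base64.b32decode(cleaned)


def totp(secret: bytes, at: float, digits: int = 6, period: int = 30) -> str:
    """RFC 6238 code for Unix time `at` (HMAC-SHA1 and 30 s steps are assumed defaults)."""
    counter = struct.pack(">Q", int(at) // period)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret: bytes, code: str, at: float, drift_steps: int = 1, period: int = 30) -> bool:
    """Server-side check: accept the current step plus or minus a small clock-drift window."""
    return any(
        hmac.compare_digest(totp(secret, at + step * period, period=period), code)
        for step in range(-drift_steps, drift_steps + 1)
    )


if __name__ == "__main__":
    secret = decode_setup_key(SAMPLE_SETUP_KEY)
    now = time.time()
    code = totp(secret, now)
    print("current code:", code, "| valid for", 30 - int(now) % 30, "more seconds")
    print("accepted now:", verify(secret, code, now))
    print("accepted 5 minutes later:", verify(secret, code, now + 300))
```

The code depends only on the key and the clock, which is why it works offline. Anyone who holds the setup key can generate valid codes, so store it as carefully as the recovery codes.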
What About Instagram’s “Login Request” Feature?
If you’re already signed in on one device, Instagram can send a login request to that device when a new sign-in is attempted (similar to Google Prompts). This is a convenience feature, not a replacement for 2FA. It requires an internet connection and can be bypassed by session hijacking. Keep your authenticator app as the primary 2FA method.
If Your Account Is Already Compromised
If you’ve already lost access to your account:
- Check your email for a message from security@mail.instagram.com about an unrecognized login or email change. If present, click “revert this change.”
- Request a login link from Instagram’s sign-in page → “Get help logging in.”
- If the attacker changed your email and phone number, use Instagram’s video selfie verification (if available for your account).
- File a report at Instagram’s help center.
Set up 2FA immediately after recovering your account to prevent it from happening again.
Tips
- Beware “verification” scams. Messages claiming your account will be deleted unless you verify via a link are phishing. Instagram doesn’t communicate this way.
- Don’t click suspicious DM links. Even from accounts you follow — they may be compromised.
- Check login activity. Settings → Security → Login activity shows where you’re signed in. Remove any sessions you don’t recognize.
- Protect your email too. If the email connected to your Instagram isn’t secured with 2FA, an attacker can reset your Instagram password through it. Set up 2FA on Google/Gmail if that’s your email provider.
Next Steps
Instagram is locked down. Keep going:
- Set up 2FA on Facebook — same Meta family, similar setup process
- Set up 2FA on Google — protect the email behind your Instagram
- Set up 2FA on Discord — another high-value target
Switching between Instagram and your authenticator app every time you sign in? FactorCat pairs your phone with a browser extension. When Instagram asks for a code, your phone buzzes, you tap approve, and the code fills in. No app switching, no typing digits.