Two-factor authentication (2FA) on Instagram requires a second code from your phone every time someone tries to sign in to your account from a new device. Even if a hacker has your password, they cannot get in without that code. Research from Microsoft shows that 2FA blocks over 99.9% of automated account attacks. Here is how to set it up on Instagram in a few minutes.

Instagram account takeovers are one of the most common types of hacking people experience. Attackers steal accounts to impersonate you, send scam messages to your followers, or sell your username. Once they are in, they can change your email and phone number, locking you out completely. Two-factor authentication prevents all of this by making your password alone not enough to sign in.

Why does Instagram 2FA matter?

Instagram accounts get hacked every day. The most common methods attackers use are:

  • Credential stuffing — using passwords stolen from other data breaches to try to log into your Instagram. If you use the same password on multiple sites, this can work
  • Phishing — sending you a fake “Instagram security alert” that tricks you into entering your password on a look-alike website
  • Social engineering — tricking you into sharing a login code by pretending to be Instagram support

As of 2026, billions of stolen email and password combinations are available on the dark web. If your email was part of any data breach, attackers may already have credentials that work on your Instagram. Check if your email was exposed in a data breach to find out.

Two-factor authentication stops all of these attacks. Even if an attacker has your password, they cannot sign in without the code from your phone.

How do you turn on 2FA on Instagram step by step?

Instagram uses Meta’s Accounts Center for security settings, the same system as Facebook. Here is the exact process as of 2026.

On the Instagram app (phone):

  1. Open Instagram and go to your profile by tapping your profile picture in the bottom right.
  2. Tap the three horizontal lines (hamburger menu) in the top right corner.
  3. Tap “Settings and privacy.”
  4. Tap “Accounts Center” near the top.
  5. Tap “Password and security.”
  6. Tap “Two-factor authentication.”
  7. Select your Instagram account from the list.
  8. Choose “Authentication app” as your preferred method (recommended).
  9. Instagram will show you a key or QR code. Open your authenticator app and add the account by scanning the code.
  10. Enter the 6-digit code from your authenticator app to confirm.

On a computer (instagram.com):

  1. Go to instagram.com and click your profile picture in the top right.
  2. Click “Settings” (the gear icon).
  3. Click “Accounts Center” in the left sidebar.
  4. Click “Password and security.”
  5. Click “Two-factor authentication.”
  6. Select your Instagram account.
  7. Choose “Authentication app” and follow the steps to scan the QR code and confirm.

Once completed, Instagram will require the second code whenever you or anyone else tries to sign in from a new device.

How do you set up an authenticator app for Instagram?

If you do not already have an authenticator app, here is how to get started:

  1. Download Google Authenticator or Authy from the App Store (iPhone) or Google Play Store (Android). Both are free.
  2. In Instagram’s 2FA settings (following the steps above), select “Authentication app.”
  3. Instagram will display a QR code or a setup key on your screen.
  4. Open your authenticator app and tap the plus icon to add a new account.
  5. If you see a QR code, scan it with your phone’s camera through the app. If you see a text key, type it in manually.
  6. The app will immediately start showing 6-digit codes that refresh every 30 seconds.
  7. Go back to Instagram and enter the current 6-digit code to confirm the link.

Your authenticator app now generates codes for your Instagram account. You can add other accounts to the same app — it handles multiple accounts at once.

Should you choose an authenticator app or SMS for Instagram 2FA?

Instagram offers two main 2FA methods:

Authenticator app (recommended). Codes are generated on your device and never travel over the network. This makes them impossible to intercept remotely. Free apps like Google Authenticator or Authy work perfectly.

SMS text message (acceptable). Instagram texts a code to your phone number. This is better than no 2FA, but SMS codes can be stolen through SIM swapping — where an attacker calls your phone carrier and convinces them to transfer your number to a new SIM card. As of 2026, SIM swapping remains a real threat.

If Instagram gives you both options, always pick the authenticator app. If SMS is the only option available in your region, use it — it is still far better than having no 2FA at all.

How do you save your Instagram recovery codes?

Instagram provides recovery codes when you enable 2FA. These are your lifeline if you lose your phone.

  1. After enabling 2FA, go back to the Two-factor authentication settings in Accounts Center.
  2. Look for “Recovery codes” or “Backup codes.”
  3. Instagram will display a list of codes. Each one works once.
  4. Write them down on paper and store the paper somewhere safe — a drawer at home, not in your wallet or on your phone.
  5. If you ever need to sign in without your authenticator app, enter one of these codes instead.
  6. You can generate a new set of codes from the same settings page whenever you need to.

Do not skip this step. Recovery codes are the difference between temporarily losing access to your phone and permanently losing access to your Instagram account.

What else should you do to protect your Instagram account?

After enabling 2FA, take these additional steps:

  • Use a unique, strong password — never reuse your Instagram password on any other site. Our guide on how to create a strong password explains the easiest way to do this
  • Check for data breachessee if your email has been exposed in any known breach. If it has, change your Instagram password immediately
  • Review login activity — in Settings, go to Password and security, then “Where you’re logged in.” Remove any sessions you do not recognise
  • Ignore DMs claiming to be Instagram support — Instagram will never ask for your password or 2FA code through a direct message. These are always scams
  • Enable login requests — with 2FA on, Instagram can send you a notification whenever someone tries to log in from a new device, letting you approve or deny the attempt

For a deeper understanding of how 2FA works across all your accounts, read: What is two-factor authentication and how do you set it up?

Also consider enabling 2FA on your Facebook account since they are connected through Meta: How to enable 2FA on Facebook

Browse our breach database to see which companies have had data exposed.

Frequently asked questions

Is Instagram 2FA free?

Yes. Two-factor authentication on Instagram is completely free. You just need a free authenticator app like Google Authenticator or Authy on your phone. There is no paid upgrade or subscription required.

Will 2FA stop someone who already hacked my Instagram?

No. If someone is already in your account, you need to change your password first and remove any devices you do not recognise from your active sessions. After you regain control, then enable 2FA to prevent it from happening again.

Can I use the same authenticator app for Instagram and other accounts?

Yes. Authenticator apps like Google Authenticator and Authy can hold codes for dozens of accounts at once. Each account gets its own entry in the app with its own code. You can use the same app for Instagram, Gmail, Facebook, and any other service that supports 2FA.

What happens if I get a new phone?

If you use Authy, your codes sync to your new phone automatically. If you use Google Authenticator, you need to transfer your accounts before switching phones — open Google Authenticator, tap the menu, and select “Transfer accounts.” If you forgot to transfer, use your recovery codes to sign in and set up 2FA again on the new device.