Confirmation codes for VK. Enable two-factor authentication in settings


The largest social network, VKontakte, has introduced two-step authorization on the site. Now, if the user wishes, in addition to entering a login and password, he can protect his account with a PIN code. A VKontakte PIN code gives your data better protection against hacking. This article explains how to activate and correctly configure the VK "Login Confirmation" function, and how to use it properly.

What is a PIN code for VKontakte?

So, let's bring you up to speed. The developers have long been seriously concerned with protecting the personal data of VK users. At first, hacking a page was a piece of cake, but over time the security methods became more and more complex, and now, in the battle between hackers and VKontakte, the advantage has shifted firmly to the latter.

Linking accounts to a mobile phone number allowed the developers to significantly reduce the wave of page hijacking. Soon the same developers built on everything developed over the years by introducing a PIN code for VK. Now everyone with a VKontakte account can set up the PIN code function, and so the user gets double protection for his account.

To log in, in addition to filling in the login and password fields, you will need to enter a special code that is sent to you in a free SMS message. Naturally, this SMS is tied to your number with your mobile operator. If you don't want to bother with SMS messages, you can use a special smartphone application, a code generator for VKontakte. It is also strongly recommended to copy out a list of backup codes for yourself, which you can use if you don't have your phone at hand. To reassure some "lazy" users right away: the PIN code is requested only at your request and only after you activate this function.

How to enable PIN code login confirmation?

To connect "Login confirmation" on VKontakte, open the "My settings" menu on your page. In the "General" tab, find the "Security of your page" settings group. Next to the "Login Confirmation" item, click the "Connect" button.

Now, when you log into your VK account, you will be prompted to "Enter the code", which is exactly what you should do.

Message: “An attempt was made to log into your account from an IP address”

The PIN code is valid only once: one login, one PIN code. Even if "evil people" manage to get hold of your PIN code along with your VKontakte login and password, they will not be able to use them. And you will receive a pop-up message "An attempt was made to log into your account from an IP address", which will contain the IP address of the computer from which someone tried to log into your account illegally.

In this case you should not panic, because VKontakte has already blocked the attempt to hack your page. And by the IP address of his computer you will be able to identify and punish the person caught in the act.

“Remember browser” VKontakte or how to disable entering a PIN code

If you do not want to use the PIN entry function because, for example, you are at home and log in from your own PC, use the "Remember browser" function; to activate it, just tick the checkbox that appears. The function remembers the location and the usual browser from which you log in, and you will no longer need to enter a PIN code for that browser on your PC. At any time you can reset these settings either on the current device or on all verified devices.

IMPORTANT! You cannot simply turn this function off so as not to confirm your login with a PIN code. When you first log in from a browser on a computer, laptop, smartphone or phone, enter your PIN code once and be sure to tick the "Remember browser" box. After that you will not need to enter your PIN code every time you log into VK from these devices.

If your SIM card is lost or fails while the PIN code confirmation function is enabled, you can use the recovery form via email. Two-step authorization will protect your personal data, and your account will always be guarded by the VK security service.

Double entry is already used successfully by many large social networks such as Twitter, Facebook and Google, and many online banks also use a confirmation PIN. Now VK.com has also strengthened the protection of our personal data.

Why is quick password recovery not available to me?

How do you log into the VKontakte website if you have forgotten your password and login protection (login confirmation) is enabled? You try to restore access, but receive an error message:

Quick password recovery is not available. Your page has mobile phone login confirmation enabled.

Or this:

Unfortunately, you cannot recover your password using the specified phone number.

Or another option:

Error. This function is not possible for this page.

This means that at some point you yourself enabled login confirmation by mobile phone, so that to enter the page you need to enter not only a password but also a code sent to your phone:

When login protection (two-factor authentication) is set up, it increases security and protects against hacking, but now you have forgotten your password. What to do? It is impossible to receive a recovery code on your phone, because login confirmation means that you know the password and have access to the phone, both together. This is the only way to ensure the security that you yourself voluntarily turned on. It is no longer possible to restore a page with only a phone number if you do not know the password. The VK website warned you about all this, but you didn't read it when you turned on the protection. Maybe that's why you feel you weren't warned.

Attention! Here are absolutely all the options available to you in 2019. There is no use looking for anything else or asking in the comments. Only you can restore access yourself. Read to the end and do as written. The blue links lead to other pages that will help you.

How can I now recover my password and access to the page?

1. Recover by email

If you have additional login confirmation enabled, then instead of quick password recovery via SMS, password recovery via e-mail is used. Is your page linked to an email address? If so, you can request a link to reset your password (the instructions will open in a new window). It may turn out that the page is linked to an email address but you cannot get into that mailbox (you don't have access or simply don't remember it); in that case it is better first to try to restore access to the mailbox, otherwise you will be left with the only other way, which is more complex and takes much more time: recovery through support.

2. Restore via support

When login confirmation is enabled but you forgot your password and the page is NOT linked to an email address (or you have no access to your email, or don't remember the address), the only way to restore the page is a technical support request. This link opens an access restoration form that must be filled out. It is better to do this from a computer rather than from a phone. See the detailed instructions here:

If it doesn't work, do it through the full version of the site on your computer.

You will have to prove that the page is yours. If your real photos are not there, or your real first name and surname are not indicated, then it is almost impossible (or very difficult) to restore the page. After all, you were warned about all this when you turned on login protection. You can see why an application might be rejected. Of course, you can contact VK support and try to prove in some way that the page is yours. If they see that you are a normal person and that the page really is yours, they may meet you halfway. If even then nothing works out, register a new VK page. Consider it a lesson for the future.

Why can’t I recover my password via SMS if login confirmation is enabled?

Because you yourself enabled TWO-factor (two-step) authentication, and now you want to reset your password with only ONE factor (the phone). It doesn't work that way. You should have read the warning. All the ways to reset a password in this situation are described above; there are only two of them.

I have backup codes, why can’t I recover my password with them?

Because the backup codes that you wrote down or printed are needed when there is no access to the phone, that is, when you cannot receive an SMS to log in. But you don't have the password; you forgot it. In this case a backup code will not help.

There is no way to restore it anymore!

There are no other ways to restore access, so there is no use looking for them. You have just read every possible way.

Is it possible to disable login confirmation?

Of course you can. But to do this you must first log into the page. And if you can't do that yet, then you can't disable login confirmation either. Restore access as described above.

We have already talked about hacking a VKontakte page (see). Attackers can find out your login and guess your password (see), and then they will be able to get into your page.

To prevent this, VKontakte introduced an additional security measure: double (two-factor) authorization. The point of this function is that after entering your login and password, you also need to enter a secret code received via SMS or by other means. This reduces the likelihood of hacking significantly: even if attackers know your credentials, they will not have the code needed to log into the page.

Now I'll show you how to activate double authorization on VKontakte and set up an application for generating codes.

How to enable two-factor authentication on VKontakte?

Go to your page and go to the “Settings” section.

Open the "Security" tab. Here, in the "Login confirmation" section, click the "Connect" button.

A form will open; click the "Start setting up" button in it.

You will be asked to re-enter the password for the page (see). Do this and click the "Confirm" button.

Receive the code on your phone and enter it in the form. Then click the "Submit Code" button.

Setting up an application for generating codes

The next step is setting up the application that generates codes. You are offered to install an application that lets you generate login codes even without a cellular network connection.

Use Google Authenticator for iPhone and Android smartphones, and Authenticator for Windows Phone. Install the appropriate application on your gadget.

This is what the window with the QR code and the secret code looks like in VK.

Now run the installed application and scan the displayed code.

Now enter the code obtained from the application and click the "Confirm" button.

The code generation application has been successfully configured!

You will be taken to the Security tab. Now you can do the following operations here.

  • Change phone number (see);
  • Show a list of backup codes;
  • Set up an application for generating codes;
  • Configure app passwords;
  • Disable two-step authentication on VKontakte.

Video lesson: two-factor authentication on VKontakte

Conclusion

Today we will talk about one of the most effective methods of protecting your VKontakte page. We will set up authorization on the site so that it is impossible to access your page until you enter the code from an SMS sent to the phone number linked to your account. In other words, everything will work just as it does in Internet banking.

Therefore, before you start setting anything up, make sure that your current number is linked to your VK page and that you are not going to change it.

The function is quite useful; if you are worried about your page, the steps below will increase its security significantly.
Let's get to practice

How to enable login confirmation on VK

In the top menu, in the right corner, click the button with your thumbnail and select "Settings" from the drop-down list:

Next, go to the "Security" tab. At the very top, find the "Login Confirmation" section and click the "Connect" button:

Next, we are shown a whole essay about confirming your password using a mobile phone: how good it is for you and how bad it is for attackers. They also warn that if you enable this function, password recovery by phone number becomes unavailable, so you are asked to link your current email address and fill in all the correct details on the page, so that it can be easily restored later.

Read all this and click the "Proceed with setup" button.

A pop-up window appears in which you need to enter the password for the page and click the "Confirm" button:

Enter the confirmation code that should have arrived on your phone and click the "Send code" button:

The next window tells you about backup codes and asks you not to forget to print them.

Backup codes are a list of 10 access codes. These are fixed numbers; they do not change and are useful if you want to get into the page while your phone is unavailable. Enter one of these codes and you get into the page. That's why it is important to print this list and keep it with you.

Click on the “Finish setup” button:

Backup codes can be viewed in the same "Security" section: find the line "Backup codes" and click the "Show list" link next to it.

That's it, the function is enabled and we have completed the task.

And this is where I will end this article. I hope the knowledge gained was useful to you and that you have applied it, thereby securing your VKontakte account.



I should mention that before starting work on the article, I outlined all my observations on HackerOne. None of the described bugs were recognized by VKontakte. But when, before publishing the article, I decided to take confirming screenshots, it turned out that one of the bugs had been fixed. The fact that they listened to me can only be welcomed. It's just a pity that the guys didn't even say "thank you".

Mistake #1: Static secret key.


To connect an OTP generation application to his account, the user enters a password, after which a page opens with the secret key needed to issue a software token. So far so good.



But if for some reason the user did not activate the software token immediately (for example, he was distracted by an important call, or simply changed his mind and returned to the home page), then when he decides some time later to get a token, he is offered the same secret key again.


What makes it worse is that for half an hour after entering your password, even if you went to the main page or logged out of your account and logged in again, the password is not requested again before the QR code with the secret is displayed.





Why is this dangerous?

A VKontakte token, like any other TOTP token, works on a fairly simple principle: it generates one-time passwords using an algorithm based on two parameters, time and a secret key. As you can see, the only thing needed to compromise the second authentication factor is to know the SECRET KEY.


Such a vulnerability leaves two loopholes for an attacker:

  1. If the user walks away from the computer, the attacker has enough time to compromise his secret key.
  2. Having obtained a user's password, an attacker can easily read his secret key in advance.

The fix is simple: the secret key must change every time the page is refreshed, as happens, for example, on Facebook.

Mistake #2: The reissued token uses the same secret key.


By the time this article was published, this flaw had been fixed.


The situation described above is aggravated by the fact that when the token is reissued, VKontakte does not offer you a new secret key. In effect, one secret key is tied to your page and you can no longer change it.

Why is this dangerous?

If you find out that your secret key has been compromised (for example, during the first issue of a token, as described in the first point), VKontakte's two-factor authentication is of no further use to you: all you can do is disable the second factor and choose a stronger password, because reissuing a token with a new secret is not possible.


If you have lost the phone on which the token was installed, the same applies. Anyone who gets hold of your smartphone can freely use it to log into your account; all that remains is to find out the password. In this case the whole point of two-factor authentication is lost. Of course, if a user notices that his account has been compromised he can contact support, but that wastes precious time that he may not have.

Mistake #3: Disabling the second factor without prompting for a one-time password.


Everything here is clear from the title: to disable the second factor, entering the password is enough; the OTP is not requested.





Why is this dangerous?

If only a password is needed to disable two-factor authentication on VKontakte, the very essence of two-factor authentication is lost. That essence is that the weaknesses of one factor are offset by the strengths of the other. On vk.com these are the knowledge factor (the password) and the possession factor (the phone). The idea is that compromising one factor alone is not enough to gain access to the account: if an attacker has your password, he still needs a one-time password to get into your account, and conversely, if he has taken possession of your phone, he additionally needs to know the password.


Here it turns out that knowing the user's password is enough to simply disable the second authentication factor. Essentially, this turns VKontakte's two-factor authentication into one-factor authentication.
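The three mistakes above share one remedy, shown here as an added example that is not VKontakte's code: `totp` is the RFC 6238 algorithm from the Python standard library, and `Account` is a hypothetical account model assumed for the example. It mints a fresh secret on every visit to the setup page (mistakes 1 and 2) and refuses to switch the second factor off without a valid one-time password (mistake 3).

```python
import base64
import hashlib
import hmac
import secrets
import struct


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, then dynamic truncation.
    Knowing `secret` is all it takes to reproduce every code, which is the article's point."""
    counter = struct.pack(">Q", for_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def otp_matches(secret: bytes, otp: str, now: int, window: int = 1) -> bool:
    """Accept the current 30-second step and one step either side (clock drift)."""
    return any(hmac.compare_digest(totp(secret, now + d * 30), otp)
               for d in range(-window, window + 1))


class Account:
    """Hypothetical account model (constructed for this example) carrying the three fixes."""

    def __init__(self, password: str):
        self._password = password.encode()
        self.totp_secret = None       # live second factor; None means 2FA is off
        self._pending_secret = None   # secret shown on the setup page but not yet confirmed

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(self._password, password.encode())

    def show_setup_page(self, password: str) -> str:
        """Fixes mistakes 1 and 2: every visit to the setup page (first enrolment or
        reissue) re-checks the password and mints a fresh 160-bit secret, so a secret
        glimpsed earlier never becomes, or stays, the live one."""
        if not self.check_password(password):
            raise PermissionError("password required before the secret is shown")
        self._pending_secret = secrets.token_bytes(20)
        return base64.b32encode(self._pending_secret).decode()  # what the QR code carries

    def confirm_setup(self, otp: str, now: int) -> bool:
        """Activate the pending secret only once the user proves the app holds it."""
        if self._pending_secret is None or not otp_matches(self._pending_secret, otp, now):
            return False
        self.totp_secret, self._pending_secret = self._pending_secret, None
        return True

    def disable_2fa(self, password: str, otp: str, now: int) -> bool:
        """Fixes mistake 3: switching the second factor off demands both factors."""
        if self.totp_secret is None or not self.check_password(password):
            return False
        if not otp_matches(self.totp_secret, otp, now):
            return False
        self.totp_secret = None
        return True
```

The `totp` function reproduces the RFC 6238 test vectors (secret `12345678901234567890`, T=59 gives `94287082` at 8 digits), so it can also be used to check that an OTP leaked together with a secret really is as predictable as the article argues.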


VKontakte offers its users a very convenient function, "Remove confirmation from the current browser". I am sure that the feature is popular and that users turn off confirmation, at least at home and at work. Moreover, most users have their passwords saved in their browsers, where they can easily be viewed and copied.


Imagine this situation: a colleague decides to play a joke on you. While you were away from work, he went to your computer, looked up the saved passwords in the browser, logged into VK and disabled 2FA. Now he can log into your account until you notice the change, which may not happen soon. Since you had not been entering a one-time password on the devices you use most often anyway, nothing changes for you, while the joker colleague gets full access to your account, and no one knows what that could lead to.


If the token reissue bug (the secret key not changing when the token was reissued) had not been fixed, the situation could have been even more interesting: your colleague, already knowing the password, could disable 2FA, re-enable two-factor authentication, see the secret key, issue himself a token identical to yours, and read your messages for as long as your account exists.

Conclusions

When you connect two-step authentication to your VKontakte account, a notice appears that reads: "Even if an attacker finds out your login, password and the verification code used, he will not be able to access your page from his computer."



Unfortunately, it turned out that this is not entirely true. Under certain circumstances, an outsider can obtain someone else's VKontakte token or even completely disable the second factor, knowing only your password. I'm waiting for your opinions.
