How 2FA and TOTP secure social media services

Malware, hackers and identity theft are a serious social media risk. In addition to damage to their image, companies are threatened with financial losses or even the loss of their own social media channels. Two-factor authentication with time-limited TOTP one-time passwords is therefore also a must for Facebook & Co.

“It was pure hell” – this is how web video producer Julien Bam describes the hack of his three YouTube channels with a total of over eight million subscribers. The influencer has been in the business for around ten years and fell victim to a cyberattack over the Easter holidays in 2022. Hackers renamed his YouTube channels, deleted his videos and instead posted crypto advertisements with fraudulent links. YouTube then removed two of the three channels. A worst-case scenario for the long-time most successful YouTuber in Germany, and one that also threatens many companies.

Why hacker attacks destroy social media investments

According to the “Marketing Measures and Budget Study 2021” by the industry association Bitkom, the company’s own website still plays a dominant role in online communication (97%). However, investment in social media channels is increasing. A total of 97 percent of the companies surveyed are active with their own content on social media such as Facebook, Twitter or LinkedIn, and 70 percent with paid content. For good reason: social media also offers small and medium-sized companies the opportunity to achieve greater reach and visibility, strengthens customer loyalty and provides a communication channel that is open in both directions.

Figure: 97% of companies use social media services as a communication tool (source: Bitkom study “Marketing Measures and Budget Study 2021”)

However, even if employees take over the regular maintenance of social media accounts as company ambassadors, this kind of commitment naturally also costs money. It is an investment that needs to be well protected, as the recent attacks on company and public authority pages on Facebook, Instagram and the like prove:

  • In July 2022, a self-proclaimed “super hacker” took over the Disneyland Resort’s Instagram and Facebook accounts. Because of racist posts, the Instagram account (8.4 million followers) was deactivated and later went back online without the posts.
  • A few days earlier, the British military was the victim of a hacker attack. Fraudulent cryptocurrency and phishing messages appeared on its public channels on Twitter (362,000 followers) and YouTube (177,000 subscribers) instead of regular content.
  • In February 2022, hackers hijacked the Instagram accounts of several German museums and galleries. Among those affected were the Ulm Museum, the Stuttgart Art Museum and the Schauwerk Sindelfingen.

Sources: https://www.heise.de/news/Facebook-Twitter-Youtube-Social-Media-Kanaele-des-britischen-Militaers-gehackt-7161407.html, https://futurezone.at/digital-life/hackerangriff-britische-armee-british-army-twitter-youtube/402061966, https://www.swr.de/swraktuell/baden-wuerttemberg/ulm/hackerangriff-museum-ulm-100.html and https://www.monopol-magazin.de/instagram-konten-mehrerer-museen-gehackt

Such actions can have fatal consequences for companies. This is particularly true for small and medium-sized companies, which usually do not have a rapid response force available to counter cyber attacks. In the worst case, there is a risk of losing social media channels that have been painstakingly built up. For example, Facebook deleted the private and business accounts of a hairdressing salon owner from the Vogtland region after hackers flooded her Facebook account with Islamist hate messages. Appeal? Without success! (Source: https://www.tag24.de/nachrichten/regionales/sachsen/nachrichten-vogtland/friseurin-fassungslos-hilfe-islamisten-haben-mein-facebook-konto-gekapert-2318118)

How companies secure their social media pages

Many strategies for security on the various social media platforms are based on common security standards for the use of cloud and online services. Through appropriate social media training and administrative measures, companies should ensure that at least the following basics of protection are adhered to:

  • Passwords and 2FA: The greatest protection is provided by a strong password that is used for only one service, paired with secure two-factor authentication. A good example: in 2021, Google automatically activated 2FA login for YouTube accounts.
  • Monitored log-ins: Social media employees should activate warnings in the notification settings for suspicious login attempts and regularly check which devices, apps and websites are linked to their Facebook account, for example.
  • Task-based access: If several people are working on a social media channel, companies should restrict employees’ access rights to a minimum via page roles in accordance with the principle of least privilege.
  • Current virus protection: Social media access data is also the target of new types of malware such as FFDroider. The malware accesses log-in information and valid cookies that the user’s browser uses for authentication on the platforms.
  • Data backups: Some platforms offer a backup of your own social media channel. This gives administrators the opportunity to make a copy of their Facebook page. Alternatively, a backup of the original upload files is recommended.

Careful handling of strong passwords and, ideally, two-step authentication combined with TOTP one-time passwords are essential. Companies should make 2FA mandatory for all employees on their social media channels. Administrators of Facebook pages, for example, use the “Security Center” in the “Company Settings” of the Meta Business Manager. Under “Two-step authentication”, simply select the “Everyone” option under “Who needs to activate two-step authentication?”.

Which social media services offer 2FA and TOTP

Almost all popular social media platforms now offer the option of additionally securing logins with two-factor authentication. The services usually provide their users with several verification methods. Verification via time-limited TOTP one-time passwords and an authentication app is more secure and more universal than verification via SMS messages. Two-factor authentication with TOTP passwords also opens up the possibility of using hardware-based TOTP generators such as the REINER SCT Authenticator. These devices store the secret TOTP keys in their own hardware, work without an Internet connection and therefore offer maximum security in everyday working life. Detailed information on converting user accounts to 2FA and TOTP can be found in the help sections of the various social media platforms.

When 2FA is set up, the server of the social media service generates a shared secret (the TOTP key) from which the second login factor is calculated. This secret key can usually be transferred to the TOTP generator or the authentication app via a QR code. In addition, most services also provide recovery codes for emergencies, which can be used to temporarily deactivate two-factor authentication if the authenticator is lost.

What companies should consider with 2FA log-ins and TOTP

Two-factor authentication is much more secure than logging in with a simple combination of username and password. But what happens if the TOTP generator or the smartphone with the authentication app is lost? In this case, the recovery codes and a backup of all keys and passwords will help. It is best to store this data in a password manager such as KeePass when setting up the 2FA login. Our blog post “How KeePass works as a backup for a TOTP authenticator” describes which 2FA login data users should back up.

In addition, after switching to two-factor authentication, new approvals may be required for networked websites, apps and social media tools. For example, if you switch your Google account to 2FA, you may also have to adjust the settings in your email program or in the website applications that send contact forms. There are also platform-specific features to consider. At LinkedIn, for example, all LinkedIn Recruiter and Talent Hub users must also activate two-step authentication in their LinkedIn.com account after switching to 2FA.

Once the switch to two-factor authentication with TOTP one-time passwords has been completed in all social media channels, companies should also secure their social media tools with 2FA logins. For example, the social media management platform Hootsuite supports login with two-step verification, and IFTTT, which many companies use to link web applications and social media services, also supports two-factor authentication with TOTP one-time passwords.