Security VKontakte. VKontakte two-step authentication


What kind of technology is this?

Normally, logging into your account only requires the login and password combination. And since the login is an email address or phone number, which people readily publish on their own page, an attacker only has to guess the password.

And the problems don't end there. Despite the recommendations for creating passwords, people don't bother much and choose ones that are as short and simple as possible.

As a result, hundreds of pages are hacked every day.

Two-factor authentication adds another mandatory step, without which you cannot log in. After entering your password correctly, you receive a unique code on your phone, which must also be entered into the form. The codes change constantly and unpredictably, which makes them extremely hard to guess.

This reduces the likelihood of a break-in to almost zero. Even if an attacker manages to learn your login and password, he still needs the one-time code to log in; without it, the login fails.

Mistake #3: Disabling the second factor without prompting for a one-time password.

Everything here is clear from the title: when the second factor is disabled, entering the password is enough, and no OTP is requested.

Why is this dangerous?

If only a password is needed to disable two-factor authentication on VKontakte, the very essence of two-factor authentication is lost. Its essence is that the weaknesses of one factor are offset by the strengths of another. On vk.com these are the knowledge factor (password) and the possession factor (phone). The scheme exists so that compromising one of the factors is not enough to gain access to the account: if an attacker has your password, he still needs a one-time password to break into your account, and conversely, if he has taken possession of your phone, he additionally needs to know the password.

So it turns out that knowing the user's password is enough to simply disable the second authentication factor. In effect, this turns VKontakte's two-factor authentication into single-factor authentication.

VKontakte offers its users a very convenient function, "Remove confirmation from current browser". I am sure the feature is popular and that users turn confirmation off, at least at home and at work. Moreover, most users keep their passwords stored in their browsers, where they can easily be viewed and copied.

Let's imagine this situation: a colleague decides to play a joke on you. While you were away from your desk, he went to your computer, looked at the saved passwords in the browser, logged into VK and disabled 2FA. Now he can log into your account until you notice the change, which may not happen soon. You never entered a one-time password on the devices you use most often anyway, so nothing changes for you. And your prankster colleague gets full access to your account, and no one knows what that could lead to.

If the token re-issuance bug, where the secret key did not change when the token was re-issued, had not been fixed, the situation could have become even more interesting: your colleague, already knowing the password, could disable 2FA, re-enable it, see the secret key, issue himself a token identical to yours, and read your messages for as long as your account exists.

How to enable two-factor authentication on VKontakte?

Log in to your page. Open the menu in the upper right corner of the screen and select "Settings". In the next step, open the Security tab.

Here we need the "Login Confirmation" block. Click the "Connect" button.

Let's start connecting dual authentication

Note. After activating this function, restoring the page by phone number will no longer be available. It is recommended to link a working email address and indicate your real full name; otherwise, in case of problems, the profile cannot be restored.

Click the "Proceed with setup" button and re-enter your password. Then receive the code on your phone, enter it into the form and submit it. To complete the operation, click the "Finish setup" button.

You can stop here. From now on, one-time codes will be sent to you via SMS.

But I recommend additionally setting up an app that generates the codes. VK automatically offers to do this.

Download and configure Google Authenticator to generate codes

There are a number of applications of this type. We'll walk through the process using Google Authenticator as an example.

Download links:

For Android: https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2

For iPhone: https://itunes.apple.com/us/app/google-authenticator/id388497605

Download the desired version and install the application as usual.

After launching the app, tap the "Get Started" button, then skip the offer to set up a Google account. Next, tap "Scan barcode" and allow the app access to the camera. Point the camera at the computer screen, where the settings page shows a barcode. After it is read successfully, the account is ready for use.

Now all that remains is to complete the setup. Take the code from the Google Authenticator app and enter it into the form, then click the "Confirm" button. You will receive a notification that the procedure was successful.

Finishing the dual authentication setup

Note. Sometimes the confirmation code does not work after scanning the barcode. In that case, choose the option in the app to enter the secret key and do the procedure manually.

Mistake #1: Static secret key.

To connect an OTP-generating app to his account, the user enters a password, after which a page opens with the secret key needed to issue a software token. So far so good.

But if for some reason the user did not activate the software token immediately (for example, he was distracted by an important call, or simply changed his mind and returned to the main page), then when he later decides to obtain the token, he is offered the same secret key again.

What makes it worse is that for half an hour after entering your password, even if you went to the main page or logged out and back in, the password is not requested again before the QR code with the secret is displayed.

Why is this dangerous?

A VKontakte token, like any other TOTP token, works on a fairly simple principle: it generates one-time passwords from an algorithm with two inputs, the current time and a secret key. So, as you understand, the only thing needed to compromise the second authentication factor is knowledge of the SECRET KEY.

Such a vulnerability leaves two loopholes for an attacker:

  1. If the user walks away from the computer, an attacker has enough time to compromise his secret key.
  2. Having taken possession of a user's password, an attacker can easily spy on his secret key in advance.

The fix is simple: the secret key must change every time the page is reloaded, as happens, for example, on Facebook.

Other settings

Now in the “Login Confirmation” block, we see several available options.

  • Ability to change phone number.
  • View the list of backup codes. Click on the "Show List" button and print them. They can help when you don't have access to your phone or have problems generating codes.
  • Re-configuring the application to generate codes.
  • Setting application passwords.

Available dual sign-in options

How to disable login confirmation via SMS or code generation?

Just go back to the "Settings - Security" section and click the "Disable login confirmation" button.

Disable two-factor authentication

VKontakte: quick password recovery is not available. Why? What to do?

How to log into the VKontakte website if you have forgotten your password and login protection is enabled (login confirmation)? You are trying to restore access, but you receive an error message:

Quick password recovery is not available. Your page has mobile phone login confirmation enabled.

Or this:

Unfortunately, you cannot recover your password using the specified phone number.

This means that at some point you yourself enabled login confirmation by mobile phone, so that to enter the page you need not only a password but also a code sent to your phone.

Of course, this increases security and protects against hacking, but now you've forgotten your password. What to do? There is no longer any way to receive a recovery code on your phone, because login confirmation means that you both know the password and have access to the phone. Both together. This is the only way to ensure security, and you turned it on voluntarily. It is no longer possible to restore a page with only a phone number if you do not know the password. The VK website warned you about all this, but you didn't read the warning when you turned on the protection. Maybe that's why you feel you weren't warned.

Recover by email

If you have additional login confirmation enabled, then instead of quick password recovery via SMS, password recovery via email is used. Is your page linked to an email address? If yes, you can request a link to reset your password. It may turn out that the page is linked to a mailbox you cannot get into (you don't have access, or you simply don't remember it). In this case it is better to first restore access to the mailbox; otherwise only one way remains, and it is more complex and takes much more time. Read on:

Restore via support

When login confirmation is enabled, but you forgot your password and the page is NOT linked to an email address (or you don't have access to your email, or you don't remember the address), the only way to recover the page is to submit a technical support request. The access restoration form must be filled out, and it is better to do this from a computer rather than from a phone.

You will have to prove that the page is yours. If your real photos are not on it, or your real first and last name are not indicated, then restoring the page is almost impossible (or very difficult). After all, you were warned about all this when you turned on login protection, and the reasons a request may be rejected are stated there. Of course, you can still contact VK support and try to prove somehow that the page is yours. If they see that you are a normal person and that the page really is yours, they may meet you halfway. If even then nothing works, register a new VK page. This is a lesson for the future.

There is no way to restore it anymore!

There are no other ways to restore access, and there is no use looking for them. You have just read all the possible ways. Read them again if something is unclear.

Is it possible to disable login confirmation?

Of course you can. But to do this you must first log into the page. And if you can't do that yet, you can't disable login confirmation either. Restore access as described above.

Problem with Google Authenticator when codes do not match

Sometimes the following situation arises. You set up two-factor authentication on VKontakte and connected Google Authenticator to generate codes, and everything went without problems.

But when you try to log in, you keep getting the error message "Codes are not suitable." What to do in this situation?

Follow these guidelines.

  • Always print out backup codes!
    They will help you log into your profile if problems arise.
  • Synchronize the time on your computer and phone.
  • Do the same in the app itself: "Menu - Settings - Time correction for codes", then tap "Sync".
  • If the app stubbornly refuses to work, replace it.
  • Install and use FreeOTP; the download link is below.

https://play.google.com/store/apps/details?id=org.fedorahosted.freeotp#

The setup process is similar: launch the app, scan the QR code, and start receiving the generated codes.
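The TOTP principle described under Mistake #1 (codes derived only from the secret key and the clock) and the clock-drift cause of "codes are not suitable" in this section, as an added Python example that is not VK's code or any authenticator app's code: it implements RFC 6238 with HMAC-SHA1, 6 digits and 30-second steps (what Google Authenticator uses), verifies with a small drift window, and also shows the step-up check that Mistake #3 lacks, a fresh OTP before 2FA can be disabled. The secret is the published RFC 6238 test vector and the phone clock offsets are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30     # seconds per TOTP step; Google Authenticator and VK use 30
DIGITS = 6

# RFC 6238 test secret ("12345678901234567890") in base32, as an app would show it.
# Constructed sample for this example, not a real VK secret.
SAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def secret_from_base32(b32: str) -> bytes:
    """Decode the base32 secret shown on the enrollment page (spaces and missing padding tolerated)."""
    s = b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP) -> str:
    """RFC 6238: HOTP with the counter taken from the clock. Anyone holding the same
    secret produces the same code, which is why a static, re-shown secret is a problem."""
    return hotp(secret, unix_time // step)


def verify_totp(secret: bytes, code: str, server_time: int, window: int = 1) -> bool:
    """Server-side check: accept the current step and +/- `window` neighbouring steps so a few
    seconds of clock drift do not lock the user out; compare in constant time."""
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, server_time + drift * STEP), code):
            return True
    return False


def phone_code_accepted(secret: bytes, phone_offset: int, server_time: int, window: int = 1) -> bool:
    """Simulate a phone whose clock is `phone_offset` seconds off from the server.
    A large offset reproduces the 'codes are not suitable' error; syncing the clock fixes it."""
    return verify_totp(secret, totp(secret, server_time + phone_offset), server_time, window)


def disable_second_factor(secret: bytes, password_ok: bool, code: str, server_time: int) -> bool:
    """The step-up check Mistake #3 is missing: disabling 2FA needs the password AND a fresh OTP."""
    return password_ok and verify_totp(secret, code, server_time)


if __name__ == "__main__":
    key = secret_from_base32(SAMPLE_SECRET_B32)
    now = 1111111109                       # RFC 6238 vector time; 6-digit code is 081804
    print("code at", now, "=", totp(key, now))
    for off in (0, 20, 90):                # constructed phone clock offsets in seconds
        print(f"phone clock {off:+d}s ->", "accepted" if phone_code_accepted(key, off, now) else "rejected")
    print("disable 2FA with password only:", disable_second_factor(key, True, "000000", now))
```

The 90-second offset is three steps away and fails even with the default window, which is exactly the "Sync" fix in the guideline list; widening the window on the server is the wrong fix because it also widens the attacker's guessing window.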

How to register in VK without a phone

VKontakte registration follows a specific template, with the main step being the link to the user’s mobile phone number. It is not possible to skip it, since otherwise it will not be possible to create a page.

But the system can be deceived, and there are at least two ways to do this:

  • using a virtual number;
  • indication of a current Facebook page.

Each of the listed registration options has its own sequence of steps, following which you can expect to create an account quickly and get access to all features of the VKontakte social network.

1.1. Registration in VK using a virtual number

You can complete the registration procedure on social networks using a virtual number for receiving SMS. To do this, it is best to use the recognized international service Pinger (the official website address is https://wp.pinger.com).

Step-by-step registration in the service is as follows:

1. Go to the site, select “TEXTFREE” in the upper right corner of the options screen.

3. We go through a simple registration procedure for the service by first pressing the virtual “Sign Up” button. In the window that appears, indicate your login, password, age, gender, email address, and the displayed alphabetic abbreviation (“captcha”).

4. If all previous steps have been completed correctly, click on the arrow in the lower right corner of the screen, after which a window will appear with several phone numbers. Choose the number you like.

5. After clicking the arrow, a window will appear in which received messages will be displayed.

You can always view the selected virtual phone number in the “Options” tab. When registering in VK using the method under consideration, you should enter the USA in the country selection field (the international code of this country begins with “+1”). Next, enter the virtual mobile number and receive a registration confirmation code. You may need your Pinger account later if you lose your password, so you shouldn’t lose access to the service.

At the moment, creating an account using a virtual number service is considered one of the fastest and most effective methods of registering on social networks. Its main advantage compared to other options is anonymity, because a virtual phone number cannot be tracked or proven that it is used by a specific person. However, the main disadvantage of this method is the impossibility of restoring access to the page if access to Pinger is lost.

IMPORTANT! Many Internet users have difficulty completing the registration procedure in foreign virtual telephony services. This is due to the fact that many providers block such resources in order to prevent illegal activities on the World Wide Web. In order to avoid blocking, there are several options, the main one of which is changing the computer’s IP address to a foreign one. In addition, you can use anonymizers, for example, the Tor browser or the ZenMate plugin.

If you're having trouble using Pinger, there are a ton of services online that provide virtual phone numbers (e.g. Twilio, TextNow, CountryCod.org, etc.). A number of similar paid services with a simplified registration procedure are also actively developing. All this allows us to say that virtual telephony has solved the problem for many users of how to register in VK without a (real) number.

1.2. Registration in VK via Facebook

The social network “Vkontakte” is one of the most advertised Russian sites, which is in demand far beyond the borders of the Russian Federation. The desire of the owners of this resource to cooperate with other world-famous social networks, in particular with Facebook, is quite justified. As a result, page owners in the mentioned service have the opportunity to simplify Vkontakte registration. For those who do not want to “share” their data, this is a unique chance to register on VK without a phone and deceive the system.

The algorithm of actions here is quite simple and the first thing you should do is use an anonymizer. It’s best to go to the “Chameleon” service, since the start page already has links to all popular social networks or dating sites in Russia. This resource allows you to access pages on Odnoklassniki, VKontakte, and Mamba, even if they are blocked by the site administration.

Many people will naturally ask why they need to use anonymizers. The VKontakte social network automatically recognizes from which country you came to the registration page. This is roughly what the registration procedure looks like for residents of Russia and most post-Soviet countries:

And this is what the same page looks like, but if you access it outside the Russian Federation:

In the lower right corner of the screen there is a discreet "Login with Facebook" button. Click on it, after which a window for entering your email address and password appears:

After filling out the fields, you will be redirected to your own VKontakte page, which you can subsequently edit at your discretion. To implement the presented method, you need a page on Facebook, but the procedure for creating an account there does not require entering a mobile phone number (only an email address). Facebook registration is one of the most understandable, as a result of which it will not cause any particular difficulties even for an untrained computer user.

According to the latest rumors, the foreign analogue of Vkontakte is going to tighten the rules for using the resource, so the described method may soon become obsolete. But for now, Facebook remains an accessible way to register on VK via email without a phone number. Its advantages are quite obvious - anonymity and simplicity. It also takes a minimum of time to create a page, especially if you already have an account on Facebook. The method has only one drawback: it is the impossibility of restoring data lost by the user (password to log into the account).

1.3. Registration in VK via email

Many users are concerned with the question of how to register in VK via email. Previously, one email account was enough to create an account, but since 2012 the management of the social network has required linking a mobile phone. Now, before you can specify an email address, a window pops up asking for a mobile number, to which a message with a personal code is sent within 1-2 minutes.

Previously, many users indicated an 11-digit landline number instead of a mobile phone, launched the “Let the robot call” function, and then created a page using the code suggested by the computer. The main advantage of this method was the ability to register on Vkontakte for free and an unlimited number of times. In practice, it turned out that an endless number of pages were registered on the same landline number from which spam, offensive messages or threats were sent. Due to user complaints, the administration of the social network was forced to abandon the option of creating an account through landline phones, leaving the ability to receive the code only on mobile networks.

No matter what anyone claims, today it is impossible to register in VK via email without a mobile phone number. At the same time, full access to the email account must be maintained, since it gives an additional way to recover a lost password and to receive up-to-date news about changes on the social network. Email may also be needed if a page is hacked: after you send the corresponding request to technical support, a letter with instructions on how to restore access is promptly sent to your inbox.

To summarize, it should be noted that the topic of how to register on VKontakte for free, without a real mobile phone number and entering personal information, is rapidly gaining momentum. Increasingly, hundreds of programs are appearing on the Internet to hack or bypass established registration rules. Most of them are spam or malicious viruses that do no good in solving the problem. The VK administration is making great efforts to reduce the number of fake accounts and protect its users. As a result, only the two listed methods of creating pages without specifying a personal phone number are considered effective.

If you know other options on how to register in VK without a number, write in the comments!
