Double authentication on VKontakte - sex or imitation? VKontakte: quick password recovery is not available. Why? What to do

Why is quick password recovery not available to me?

How to log into the VKontakte website if you have forgotten your password and login protection is enabled (login confirmation)? You are trying to restore access, but you receive an error message:

Quick password recovery is not available. Your page has mobile phone login confirmation enabled.

Or this:

Unfortunately, you cannot recover your password using the specified phone number.

Or another option:

Error. This function is not possible for this page.

This means that at some point you yourself enabled login confirmation by mobile phone, which requires not only a password but also a code sent to your phone in order to enter the page.

When login protection (two-factor authentication) is set, this increases security and protects against hacking, but you forgot your password. What to do? It is now impossible to receive a recovery code on your phone, because login confirmation means that you both know the password and have access to the phone. Both together. This is the only way to ensure security, which you yourself voluntarily turned on. It is no longer possible to restore a page with only a phone number if you do not know the password. The VK website warned you about everything, but you didn’t read it when you turned on the protection. Maybe that's why you feel like you weren't warned.

Attention! Here are absolutely all the ways you have in 2019. It's no use looking for anything else or asking in the comments. Only you can restore access yourself. Read to the end and do as written. Blue links take you to other pages that will help you.

How can I now recover my password and access to the page?

1. Recover by email

If you have additional login confirmation enabled, then instead of quick password recovery via SMS, password recovery via e-mail is used. Is your page linked to an e-mail address? If yes, then you can request a link to reset your password (instructions will open in a new window). It may turn out that the page is linked to an e-mail address, but you cannot get into the mailbox (you don’t have access or you simply don’t remember it). In this case, it is better to first try to restore access to the mailbox, otherwise you will have only one way left, which is more complex and requires much more time: recovery through the support service.

2. Restore via support

When login confirmation is enabled, but you forgot your password and the page is NOT linked to an email (or you don’t have access to your email, or you don’t remember the address), the only way to restore the page is a technical support request. This link will open an access restoration form that must be filled out. It's better to do this from a computer rather than from a phone. See detailed instructions here:

If it doesn’t work, do it through the full version on your computer.

You will have to prove that the page is yours. If your real photos are not there or your real name and surname are not indicated, then it is almost impossible (or very difficult) to restore the page. After all, you were warned about everything when you turned on the login protection. You can see why an application might be rejected. Of course, there is an opportunity to contact VK support and try to prove in some way that the page is yours. If they see that you are a normal person and that the page is really yours, they may meet you halfway. If even then nothing works out, register a new page in VK. This is a lesson for the future.

Why can’t I recover my password via SMS if login confirmation is enabled?

Because you yourself enabled TWO-factor (TWO-step) authentication, and now you want to reset your password with only ONE factor (the phone). But it doesn't work that way. You should have read the warning. We described all the ways to reset a password in this situation above; there are only two of them.

I have backup codes, why can’t I recover my password using them?

Because the backup codes that you wrote out or printed are needed when there is no access to the phone, that is, when you cannot receive an SMS to log in. What you are missing is the password: you forgot it. In this case, the backup code will not help.

There is no way to restore it anymore!

There are no other ways to restore access. There is no use looking for them. That is, there is no other way to restore it at all. You just read all the possible ways. Read them again if you don't understand.

Is it possible to disable login confirmation?

Of course you can. But to do this you must first go to the page. And if you can’t do this yet, then you can’t disable login confirmation either. Restore access as written above.

I'll show you how to secure your VKontakte account so that no one can hack your VKontakte page. Go to the VKontakte settings, then go to the security tab and enable two-step authentication on VKontakte.

If you have not yet enabled two-step authentication on VKontakte, you will be prompted to enable Login Confirmation. Provides reliable protection against hacking: to enter the page, you must enter a one-time code received via SMS or other connected method.

Click Connect.

Login confirmation provides an additional level of protection for your VKontakte page. You can protect your page using your mobile phone.
Attention: when login confirmation is enabled, the password recovery service by phone number becomes unavailable. Therefore, we strongly recommend that you attach a current e-mail to the page, indicate your true first and last name, and upload your real photos as the main ones before continuing with the setup.

Verification will not tire you: to gain access to your account from a new browser or device, you only need to enter the verification code once.

Even if an attacker finds out your username, password and the verification code used, he will not be able to access your page from his computer.

Click Proceed to setup.

To confirm the action, you need to re-enter the password for your page. You can also change your VKontakte address in the future so that you have a unique page address.

Enter your VKontakte password and click confirm.

Action confirmations. To confirm, we will send a free SMS with a code to your mobile phone.

Click get code.

After a couple of seconds, an activation code will be sent to the number to which your VKontakte page is registered.

We enter the number that we received in the SMS message and click send code.

The login confirmation check has been successfully activated. Don't forget to print out your backup codes. They will allow you to confirm login when you don't have access to your phone, such as when traveling.

Click complete setup.

At this time, an email will be sent to your email notifying you that the login confirmation function is enabled.

Application passwords.

Unfortunately, some applications do not yet work with verification codes. For example, the mobile clients for iPhone, iPad and Windows Phone.

For such applications, you need to create special passwords. This password is entered only once for each application; you do not need to remember it.

Click Close at the top right.

On the top left of your internet browser, click Refresh to refresh the page.

Now click Show activity history.

Activity history shows information about which devices you accessed the site from and at what time. If you suspect that someone has accessed your profile, you can stop this activity at any time.

This displays all the recent activity of your VKontakte page and all the devices through which you (or not you) logged into your VKontakte account.

Click End all sessions on the bottom left to log out of all devices except the Internet browser we are currently in.

All sessions except the current one have ended.

Click Close.

If you use the VKontakte mobile application on an iPhone, iPad or Windows Phone, then you will need to log into it again. And if you want, you can completely block VKontakte on your computer or block VKontakte on your iPhone.

Enter your email or phone number to which the VKontakte page is registered and the password for the page and click Go.

At this time, a notification will appear on your Internet browser page stating that an attempt has been made to log into your account from such and such IP.

You are logged in from the mobile application.

The VKontakte mobile application will redirect you to your mobile Internet browser and open the security check page.

To confirm that you really are the owner of the page, please enter the confirmation code from the SMS sent to +7 and here is your number.

Enter the confirmation code sent to us via SMS and click send code.

To log into the application, use a special password to log in.

There is no need to remember this password. Copy it and enter it instead of your main password when logging into the application. You only need to enter it once.

Copy this one-time password to enter VKontakte.

Click Return to application.

Enter the one-time password into the VKontakte mobile application and click Go.

By logging out of VKontakte and entering your username and password for the page, you will be asked to confirm that you really are the owner of the page. An SMS message will be sent to your number with a code that you will need to enter.


I should say up front that before starting work on the article, I outlined all my observations on HackerOne. None of the described bugs were recognized by VKontakte. But when, before publishing the article, I decided to take confirming screenshots, it turned out that one of the bugs had been fixed. The fact that they listened to my words cannot but please me. It’s just a pity that the guys didn’t even say “thank you.”

So, mistake number 1. Static secret key.


To connect an OTP generation application to his account, the user enters a password, after which a page opens with the secret key necessary to issue a software token. So far so good.



But if for some reason the user did not activate the software token immediately (for example, he was distracted by an important call, or simply changed his mind and returned to the main page), then when after some time he decides to receive the token, he will again be offered the same secret key.


What makes the situation worse is that within half an hour after entering your password, even if you went to the main page or logged out of your account and then logged in again, the password is not requested again before the QR code with the secret is displayed.





Why is this dangerous?

The VKontakte token, like any other TOTP token, works on a fairly simple principle: it generates one-time passwords according to an algorithm based on two parameters - time and a secret key. As you yourself understand, the only thing needed to compromise the second factor of authentication is to know the SECRET KEY.


Such a vulnerability leaves two loopholes for an attacker:

  1. If the user walks away from the computer, the attacker will have enough time to compromise his secret key.
  2. Having taken possession of a user's password, an attacker can easily spy on his secret key in advance.

Solving the issue is simple. The secret key must change every time the page is updated, as happens, for example, on Facebook.

Mistake #2. The new token after reissue uses the same secret key.


At the time of publication of this article, this flaw had been corrected.


The situation described above is aggravated by the fact that when the token is re-issued, VKontakte will not offer you a new secret key. In fact, one secret key is tied to your page and you will no longer be able to change it.

Why is this dangerous?

If you find out that your secret key has been compromised (for example, during the first issue of a token, as described in the first point), VKontakte double authentication is of no further use to you. Feel free to disable the second factor and choose a stronger password. It is not possible to reissue a token with a new secret.


If you have lost the phone on which the token was installed, you can do the same. Anyone who gets their hands on your smartphone will be able to freely use it to log into your account. All that remains is to find out the password. In this case, the whole essence of two-factor authentication is lost. It is clear that if a user notices that his account has been compromised, he can contact support, but this will waste precious time that he may not have.

Mistake #3: Disabling the second factor without prompting for a one-time password.


Everything here is clear from the title. When the second factor is disabled, entering the password is enough, OTP is not requested.





Why is this dangerous?

If you only need to enter a password to disable double authentication on VKontakte, the very essence of two-factor authentication is lost. And the essence of two-factor authentication is that the disadvantages of one factor are offset by the advantages of another. In vk.com this is the knowledge factor (password) and the possession factor (phone). This was invented to ensure that compromising one of the factors would not be enough to gain access to the account. If an attacker has your password, he will still lack the one-time password needed to hack your account, and vice versa: if he has taken possession of your phone, he will additionally need to know the password.


Here it turns out that it is enough to find out the user’s password to simply disable the second authentication factor. Essentially, this turns VKontakte’s two-factor authentication into single-factor authentication.


VKontakte offers its users a very convenient function “Remove confirmation from current browser”. I am sure that the feature is popular and users are turning off confirmation, at least at home and at work. Moreover, most users have their passwords stored in their browsers, where they can be easily viewed and copied.


Let's imagine this situation: your colleague decided to play a joke on you. While you were not at work, he went to your computer, looked at the saved passwords in the browser, logged into VK and disabled 2FA. Now he will be able to log into your account until you notice changes, which may not happen soon. You haven’t entered a one-time password before on the devices you use most often, which means nothing will change for you. And your prankster colleague will get full access to your account, and no one knows what this could lead to.


If the bug with the token re-issuance had not been fixed, when the secret key did not change when the token was re-issued, the situation could have become even more interesting! Your colleague, already knowing the password, could disable 2FA, then re-enable two-factor authentication, see the secret key, issue himself a token identical to yours, and could read your messages as long as your account is alive.
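The server-side counterpart to the three mistakes above, as an added example that is not from the original article and is not VKontakte's code: a fresh secret on every setup-page view and on re-issue, each code accepted once, and password plus one-time code required to switch the second factor off. The `Account` class, its method names, the sample password and the timestamp are assumptions made for illustration; codes are checked against the exact time step with no clock-drift window.

```python
import base64
import hashlib
import hmac
import secrets
import struct

STEP = 30    # seconds per time step (RFC 6238 default)
DIGITS = 6   # code length shown by common authenticator apps


def totp(secret_b32: str, now: float) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): a pure function of the secret and the clock."""
    key = base64.b32decode(secret_b32)
    counter = struct.pack(">Q", int(now) // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class Account:
    """Hypothetical server-side 2FA state for one user (not VKontakte's code)."""

    def __init__(self, password: str):
        self._password = password   # kept in plain text only to shorten the demo
        self.active_secret = None   # secret of the enrolled token, if any
        self.pending_secret = None  # secret shown on the setup page, unconfirmed
        self._last_step = -1        # last accepted time step (replay guard)

    def _check_password(self, password: str) -> bool:
        return hmac.compare_digest(password.encode(), self._password.encode())

    def _check_otp(self, secret: str, otp: str, now: float) -> bool:
        step = int(now) // STEP
        if step <= self._last_step:  # each code is accepted at most once
            return False
        if not hmac.compare_digest(totp(secret, now).encode(), otp.encode()):
            return False
        self._last_step = step
        return True

    def show_setup_page(self, password: str) -> str:
        """Mistakes 1 and 2: every render, including a re-issue, gets a new secret."""
        if not self._check_password(password):
            raise PermissionError("password required")
        self.pending_secret = base64.b32encode(secrets.token_bytes(20)).decode()
        return self.pending_secret

    def confirm_setup(self, otp: str, now: float) -> bool:
        """Activate only the secret from the most recent setup page."""
        if self.pending_secret is None:
            return False
        if not self._check_otp(self.pending_secret, otp, now):
            return False
        self.active_secret, self.pending_secret = self.pending_secret, None
        return True

    def disable_2fa(self, password: str, otp: str, now: float) -> bool:
        """Mistake 3: switching the second factor off requires both factors."""
        if self.active_secret is None or not self._check_password(password):
            return False
        if not self._check_otp(self.active_secret, otp, now):
            return False
        self.active_secret = None
        return True


def demo() -> dict:
    now = 1_700_000_000  # constructed timestamp
    password = "constructed-demo-password"
    acct = Account(password)
    first = acct.show_setup_page(password)    # page opened, setup abandoned
    second = acct.show_setup_page(password)   # page opened again later
    results = {
        "fresh_secret_each_view": first != second,
        "stale_secret_rejected": not acct.confirm_setup(totp(first, now), now),
        "latest_secret_accepted": acct.confirm_setup(totp(second, now), now),
        "used_code_rejected": not acct.disable_2fa(password, totp(second, now), now),
        "password_only_rejected": not acct.disable_2fa(password, "", now + STEP),
        "both_factors_accepted": acct.disable_2fa(
            password, totp(second, now + STEP), now + STEP),
    }
    results["reissue_gets_new_secret"] = acct.show_setup_page(password) != second
    return results


if __name__ == "__main__":
    for check, passed in demo().items():
        print(f"{check}: {passed}")
```

Because `totp` depends on nothing but the secret and the clock, any copy of the secret yields the same codes, which is why the secret shown on an abandoned setup page has to be discarded rather than offered again.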

Conclusions

When you connect two-step authentication to your VKontakte account, a reminder appears that reads “Even if an attacker finds out your username, password and the verification code used, he will not be able to access your page from his computer.”



Unfortunately, it turned out that this is not entirely true. Under certain circumstances, an outsider will be able to learn someone else’s VKontakte token or even completely disable the second factor by knowing your password. I'm waiting for your opinions.

We have already talked about hacking a VKontakte page. Attackers can find out your login and guess your password. And then they will be able to visit your page.

To prevent this from happening, VKontakte introduced an additional security measure: double (two-factor) authorization. The meaning of this function is that after entering your login and password, you also need to enter the secret code received via SMS or other means. Thus, the likelihood of hacking is reduced significantly. Even if attackers know your credentials, they won't have the code to log into the page.

Now I'll show you how to activate double authorization on VKontakte and set up an application for generating codes.

How to enable two-factor authentication on VKontakte?

Go to your page and go to the “Settings” section.

Open the “Security” tab. Here in the section "Login confirmation", click the “Connect” button.

A form will open - click the button in it "Start setting up".

You will be asked to re-enter the password for the page. Do this and click the "Confirm" button.

Receive the code on your phone and enter it in the form. Then click the "Submit Code" button.

Setting up an application for generating codes

The next step is setting up the application to generate codes. You are offered to install an application that will allow you to generate login codes, even without connecting to a cellular network.

Use Google Authenticator for iPhone and Android smartphones, and Authenticator for phones running Windows Phone. Install the appropriate application on your gadget.

This is what a window with a QR code and a secret code in VK looks like.

Now launch the installed application and scan the specified code.

Now paste the received code from the application, and click the "Confirm" button.

The code generation application has been successfully configured!

You will be taken to the Security tab. Now you can do the following operations here.

  • Change phone number;
  • Show a list of backup codes;
  • Set up an application for generating codes;
  • Configure application passwords;
  • Disable two-step authentication on VKontakte.

Greetings! In these detailed step-by-step instructions, with photographs, we will show you how to further protect your page from unauthorized access on the VKontakte social network.

By enabling login confirmation via SMS, in addition to the login and password that you use to access your VKontakte page, you will also need to enter a one-time code that will be sent to the phone linked to your profile.

In other words, even if someone else finds out your username and password, he will still not be able to log into your VKontakte page, because he will additionally need the code that is sent to your phone as an SMS message.

This protection technology, which is referred to as “two-factor authentication,” not only protects against hacking, but also against page theft. Cases have become more frequent when fraudsters using fake documents received duplicate SIM cards, which were subsequently used for hacking and stealing pages.

Restoring access in this case takes some time, which is quite enough to commit illegal actions such as sending spam and viruses. If the user is also the head of a large community, then this kind of action can cause serious damage to its reputation and even lead to the blocking of a group or public page.

Taking into account all these circumstances, with “two-factor authentication” activated, the ability to recover the password to the VKontakte page via SMS becomes impossible, and if such a need arises, password recovery via the E-Mail linked to the page is used. By the way, you can read about how to link an E-Mail to your page in this article.

It should be noted that even with two-factor authentication enabled, it is possible to create a list of trusted devices, from which additional SMS confirmation will not be required when logging in.

To do this, during the authorization process, you must tick the Remember browser checkbox.

While on the VKontakte website, click on the menu in the upper right corner. In the list that appears, select Settings.

On the page that appears, click on Security. In this block, among other things, login confirmation via SMS is enabled and configured. The service is provided completely free of charge.

To enable this feature, click the Connect button.

This will display a window telling you the benefits of verifying your login using your mobile phone. Read through them and click the Proceed to Setup button.

During the setup process, you will be asked for your current password, and then a confirmation SMS will be sent to the phone linked to your profile.

Once completed, the Security page will display settings that allow you to generate one-time backup codes in case something happens to your mobile phone.

The Remove confirmation option is responsible for resetting the list of trusted devices for which additional SMS confirmation is not required.

At this point, setting up login confirmation via SMS can be considered complete.

If someone uses your username and password when “two-factor authentication” is activated, a pop-up message about this will be displayed on your page.

If you have any questions, you can ask them in the comments.

it-actual.ru

VKontakte PIN code - second login confirmation

The largest social network VKontakte has introduced two-step authorization on the site. Now, if the user wishes, in addition to entering a login and password, he can protect his account by entering a PIN code. The VKontakte PIN code will provide better protection of your data from hacking. You can find out how to activate, correctly configure and use the “Login Confirmation” function of VK by reading our article.

What is a PIN code for VKontakte?

So, let's get you up to speed. The developers have been seriously concerned about the problem of protecting the personal data of their VK users for a long time. At first, hacking the page was a piece of cake, but over time, security methods became more and more complex. And now in the battle of hackers against Contact there has been a serious advantage in favor of the latter.

After linking the account to a mobile phone number, the developers managed to significantly reduce the wave of page tampering. Soon the same developers optimized everything that had been developed over the years by introducing a PIN code for VK. Now everyone who has a VKontakte account can set up the PIN code function. Thus, the user receives double protection for his account.

To authorize, in addition to filling out the login and password fields, you will need to enter a special code that will be sent to you via a free SMS message. Naturally, this SMS will be linked to the number of your mobile operator. If you don’t want to bother with SMS messages, then you can use a special application for your smartphone - a code generator for VKontakte. It is also strongly recommended to copy yourself a list of backup codes that you can use if you don’t have your phone at hand. You should immediately reassure some “lazy” users - the PIN code comes only upon your request and only after you activate this function.

How to enable PIN code login confirmation?

In order to enable “Login Confirmation” in Contact, you need to go to the “My Settings” menu on your page. In the “General” tab, find the “Your Page Security” group of settings. Opposite the “Login Confirmation” item, you must click on the “Connect” button.

Now, when you log into your VK account, you will be prompted to “Enter the code.” Which, in fact, is what you should do.

Message: “An attempt was made to log into your account from an IP address”

The PIN code is only valid once. One entry, one PIN code. Even if “evil people” manage to get your PIN code together with your VKontakte login and password, they will not be able to use them. And you will receive a pop-up window with the message “An attempt was made to log into your account from an IP address”, which will contain the IP address of the computer from which they tried to illegally log into your account.

In this case, you should not panic, because VKontakte has already prevented the attempt to hack your page. And you will be able to identify and punish the person caught in the act by the IP address of his computer.

“Remember browser” VKontakte or how to disable entering a PIN code

If you do not want to use the PIN input function because, for example, you are at home and log in from your PC, then you should use the “Remember Browser” function. To activate it, you just need to check the box that pops up. The function remembers the location and the browser from which you log in, and you will no longer need to enter a PIN code for this browser on your PC. At any time, you can reset all settings either on the current device or on all verified devices.

IMPORTANT! You cannot simply disable this function of confirming entry with a PIN code. When you first log in from your browser on a computer, laptop, smartphone or telephone, you should enter your PIN code once and be sure to check the “Remember browser” box. After this, you will not need to enter your PIN code every time you log into VK from these devices.

If your SIM card is lost or fails, and the PIN code confirmation function is activated, you can use the recovery form via email. The introduction of two-step authorization will protect your personal data, and your account will always be protected by the VK security service.

The practice of double entry is already successfully used in many large social networks, such as Twitter, Facebook, Google. Many online banks also use a confirmation PIN. And finally, VK.com has also strengthened the protection of our personal data.