Now Tumblr gets two-factor authentication, boosts security for users against account hijacks

Tumblr has today announced a new feature, which I would urge all users to consider enabling.

Tumblr two-factor authentication

You know how you need two keys to launch a nuclear missile? Two-factor authentication works like that. One key is your password, the other key is your cellular phone, and you need both to access your Tumblr Dashboard.

If you enable the feature, then you’ll not only need your username and password to log into Tumblr. You’ll also need a one-time authentication code that will be accessible via your mobile phone. In short, the bad guys won’t just need your username and password, they’ll also need that code (or physical access to your phone).

Sign up to our free newsletter.
Security news, advice, and tips.

In a world where it’s not at all unusual for users to be careless with their password security, two-factor authentication (often shortened to “2FA”) makes a lot of sense.

Of course, 2FA doesn’t mean you should be any more diligent about checking you’re not entering your password on a phishing site, or ensuring that you are using different passwords for different accounts, but it is an additional level of protection which makes life much harder for criminals trying to gain access to your account.

It’s good to see Tumblr introducing this feature. Let’s hope that more and more sites adopt similar security in future.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "The AI Fix" and "Smashing Security" podcasts. Follow him on Bluesky and Mastodon, or drop him an email.

2 comments on “Now Tumblr gets two-factor authentication, boosts security for users against account hijacks”

  1. Miranda

    I can see two issues with this 2fa solution already. One is that it's an in-band solution, which is vulnerable to man in the middle attacks. Anytime you have to type any extra code back into the browser you are using it is in-band. The only way around MITM is an out of band solution that pushes the extra step to an outside device like your phone. The second problem with this solution is the usability. This sounds just like Google Authenticator and many people, including myself, state that they turn it off because it's annoying to use. Tumblr should adopt a different version of 2fa in order for it to be successful to its users. I found an awesome 2fa solution through my LastPass account called Toopher. It's the only 2fa solution I have found that seems to do it right. Toopher has an automation feature that uses the location awareness of your smartphone to authenticate, which allows the user process to be uninterrupted. I wish that Tumblr would have enabled Toopher with their site instead of trying to build up yet another annoying 2fa solution.

    1. Stevem · in reply to Miranda

      From what I can see it could be argued that it is out of band. The UNP is entered via the browser, the OTP is delivered via the mobile network. However like a lot of these 2fa solutions the weakness comes in the fact that you are just returning something that has been sent to you as an SMS or Tweet. If you have key logged or social engineered the UNP you just need access to the person's mobile phone, which is relatively easy in an office environment. The only solution that makes the user do something else is Swivel's PINsafe which makes you extract the OTP from the code that is sent using a fixed PIN. It takes a couple of seconds and means that even if the hacker has the UNP and the phone it is no use to them. It is also immune to MITM since the OTP changes every time. BTW: 2fa using a mobile phone has been around for over 10 years so nothing new here

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.