WhatsApp has released a new two-step verification (2SV) feature that lets its 1.2 billion users protect their account with a PIN whenever it is registered on a new device.
The maker of the end-to-end encrypted messaging app announced the new feature back in November 2016. At that time, it was available only to members of its beta program. Fortunately, it didn’t take long for WhatsApp to open the security measure up to all of its users.
Regular readers know all about what two-step verification entails. It’s an expansion of single-factor authentication (SFA), in which someone authenticates using just one of something they know, something they have, or something they are. 2SV adds a second step to that process.
Most 2SV implementations ask users to type in two things: a password and a one-time code delivered to their mobile device. Because a code read off a screen and typed in is treated as something the user knows rather than as proof of possession, this is NOT, strictly speaking, two-factor authentication (2FA): it doesn’t require the user to employ two different kinds of authentication.
For a more detailed explanation of the differences between 2SV and 2FA, see the earlier article “Two-factor authentication (2FA) versus two-step verification (2SV)”.
Fortunately for us, lots of web services now give users the option of enabling 2SV on their accounts. But they don’t all implement it the same way.
For instance, PayPal’s feature mostly sends SMS codes to a user’s device. By contrast, Facebook’s Code Generator produces six-digit codes inside the Facebook app itself, each valid for only 30 seconds, so no SMS needs to be sent at all.
More recently, Facebook has also added Login Approvals, where a user simply taps “Yes” or “No” to confirm whether it really was them attempting to log in.
So it’s perhaps no surprise that WhatsApp’s new feature follows none of these models.
When a user activates 2SV, the app prompts them to choose a six-digit PIN. From then on, whenever their phone number is registered with WhatsApp on another device, WhatsApp asks for that PIN in addition to the usual SMS verification code. The legitimate owner can still move to a new phone, because the PIN belongs to the account rather than to the handset, but an attacker who has merely intercepted the SMS code, or taken over the number with a replacement SIM, can no longer register the account on a phone they control. To stop users forgetting the PIN, WhatsApp also prompts for it periodically inside the app.
Now what happens if a user forgets that code? Don’t worry. WhatsApp has accounted for that:
“Upon enabling this feature, you can also optionally enter your email address. This email address will allow WhatsApp to send you a link via email to disable two-step verification in case you ever forget your six-digit passcode, and also to help safeguard your account. We do not verify this email address to confirm its accuracy. We highly recommend you provide an accurate email address so that you’re not locked out of your account if you forget your passcode.”
Simple enough, right?
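To make the two paragraphs above concrete (the PIN check at registration, and the email link that switches it off), here is an added Python model of the server-side logic. It is my own illustration, not WhatsApp’s code, which is not public; the attempt limit, the PBKDF2 stretching, the hypothetical reset URL and all function names are assumptions. It shows why an intercepted SMS code alone no longer moves the account, why a six-digit PIN (only a million possibilities) must be stored hashed and guess-limited, and why the unverified recovery mailbox becomes the weakest link once 2SV is on.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Assumed policy values for this model; the page does not state WhatsApp's real limits.
PIN_MAX_ATTEMPTS = 5
PBKDF2_ROUNDS = 100_000


@dataclass
class Account:
    phone: str
    pending_sms_code: Optional[str] = None      # one-time code "sent" by SMS during registration
    pin_salt: Optional[bytes] = None            # set only while two-step verification is enabled
    pin_hash: Optional[bytes] = None
    recovery_email: Optional[str] = None
    failed_pin_attempts: int = 0
    pending_reset_token_hash: Optional[bytes] = None


def _hash_pin(pin: str, salt: bytes) -> bytes:
    # A six-digit PIN has only 10**6 values, so it is salted and stretched, never stored raw,
    # and online guesses are capped in register_device().
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)


def enable_two_step(acct: Account, pin: str, email: Optional[str] = None) -> None:
    """Turn on 2SV: keep a salted hash of the PIN and the recovery email exactly as typed."""
    if len(pin) != 6 or not pin.isdigit():
        raise ValueError("PIN must be exactly six digits")
    acct.pin_salt = secrets.token_bytes(16)
    acct.pin_hash = _hash_pin(pin, acct.pin_salt)
    acct.recovery_email = email  # not verified, mirroring the WhatsApp statement quoted above
    acct.failed_pin_attempts = 0


def send_sms_code(acct: Account) -> str:
    """Simulate the SMS step: issue a fresh six-digit one-time code for this registration."""
    acct.pending_sms_code = f"{secrets.randbelow(10**6):06d}"
    return acct.pending_sms_code  # in reality this goes to the phone number, not to the caller


def register_device(acct: Account, sms_code: str, pin: Optional[str] = None) -> str:
    """Attempt to move the account to a new device; returns a short outcome string."""
    if acct.pending_sms_code is None or not hmac.compare_digest(sms_code, acct.pending_sms_code):
        return "sms_code_rejected"
    if acct.pin_hash is None:
        acct.pending_sms_code = None
        return "registered"              # 2SV off: the SMS code alone moves the account
    if pin is None:
        return "pin_required"            # SMS intercepted or SIM swapped, but no PIN: stopped here
    if acct.failed_pin_attempts >= PIN_MAX_ATTEMPTS:
        return "locked"                  # caps online brute force of the tiny PIN keyspace
    if hmac.compare_digest(_hash_pin(pin, acct.pin_salt), acct.pin_hash):
        acct.failed_pin_attempts = 0
        acct.pending_sms_code = None
        return "registered"
    acct.failed_pin_attempts += 1
    return "pin_rejected"


def issue_reset_link(acct: Account) -> Optional[str]:
    """Email-recovery path: mint a one-time token and return the link that would be mailed."""
    if acct.recovery_email is None:
        return None
    token = secrets.token_urlsafe(32)
    acct.pending_reset_token_hash = hashlib.sha256(token.encode()).digest()
    return f"https://example.invalid/disable-2sv?token={token}"  # hypothetical URL


def disable_via_reset_token(acct: Account, token: str) -> bool:
    """Consuming a valid token turns 2SV off: whoever controls the mailbox controls the PIN."""
    if acct.pending_reset_token_hash is None:
        return False
    if not hmac.compare_digest(hashlib.sha256(token.encode()).digest(), acct.pending_reset_token_hash):
        return False
    acct.pin_salt = acct.pin_hash = None
    acct.failed_pin_attempts = 0
    acct.pending_reset_token_hash = None
    return True


if __name__ == "__main__":
    acct = Account(phone="+15555550100")            # constructed sample account
    enable_two_step(acct, "123456", "alice@example.invalid")
    stolen_code = send_sms_code(acct)               # pretend an attacker intercepted the SMS
    print(register_device(acct, stolen_code))       # pin_required: SMS alone is no longer enough
```

The model makes the trade-off visible: with the PIN set, an attacker holding the SMS code is stopped at `pin_required` and runs into `locked` after a handful of guesses, but anyone who can read the recovery mailbox can fetch a reset link and drop the account back to SMS-only registration.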
Okay, let’s set this feature up. Here’s how you do it:
- Open WhatsApp on your device.
- Near the top right corner of the app’s screen is an icon of three dots stacked vertically. Tap it.
- A drop-down menu will appear. Tap Settings; it should be near the bottom of the menu.
- On the settings page, tap Account > Two-step verification.
- Enter a six-digit PIN and then confirm it. Avoid obvious choices such as 123456, a birthday, or the last six digits of your own phone number.
- Provide a recovery email address and confirm it. WhatsApp doesn’t check that the address exists, so type it carefully, and because the link it sends disables 2SV, that mailbox needs protecting too (ideally with 2SV of its own).
- And you’re done! You can return to the same page whenever you want to change your 2SV PIN, change your email, or disable the feature entirely.
Don’t delay. If you’re a WhatsApp user you should enable this feature to better secure your account.
3 comments on “How to better protect your WhatsApp account with two-step verification (2SV)”
This has been implemented in the Telegram app for a few years now. It's a shame it has taken WhatsApp so long… better late than never.
For people who don't know what benefits this will bring:
if somebody intercepts your registration SMS (e.g. when you get a new phone), or if they obtain a SIM with your number (or re-program one), they can communicate with your contacts by impersonating you.
By using 2SV the person also needs your password… this makes it significantly more difficult for these types of attack.
It did occur to me, David, why WhatsApp have introduced such a feature, and the only plausible reason I can think of (apart from philanthropy) is in response to the recent story on "broken" encryption reported in the press and on here. 2SV makes this sort of attack very difficult.
Also the old trick of registering on a new device, overlooking somebody's verification code (normally visible even on the lock screen) and then entering it on the new device is effectively prevented by 2SV.
Unfortunately WhatsApp's implementation is too tedious to stick with. The code is requested every day "to help you remember it". It's in my password manager; I don't want to remember it. The request invariably interrupts trying to read a message that comes in, delaying it by a minute or so while the code is retrieved and entered. In the end I removed it.