How to better protect your WhatsApp account with two-step verification (2SV)

If you’re a WhatsApp user you should enable this security feature.

How to enable 2-step verification (2SV) on your WhatsApp account

WhatsApp has released a new two-step verification (2SV) feature that allows its 1.2 billion users to verify themselves on a new device.

The maker of the end-to-end encrypted messaging app announced the new feature back in November 2016. At that time, it was available only to members of its beta program. Fortunately, it didn't take long for WhatsApp to open the security measure up to all of its users.

Regular readers know all about what two-step verification entails. It's an expansion of single-factor authentication (SFA), by which someone authenticates themselves using something they know, something they have, or something they are. 2SV adds another step to this authentication process.

Most 2SV implementations require users to enter two things they know: a password and a code obtained on their mobile device. In that sense, it is NOT two-factor authentication (2FA), since it doesn't require a user to employ two different means of authentication.


For a more detailed explanation of the differences between 2SV and 2FA, please click here.

Fortunately for us, lots of web services now give users the option of enabling 2SV on their accounts. But they don't all implement this feature the same way.

For instance, PayPal's feature mostly sends SMS codes to a user's device. By contrast, Facebook's Code Generator provides users with 6-digit 2SV codes that are valid for only 30 seconds.

Most recently, Facebook has also begun using Login Approvals where a user can simply click "Yes" or "No" to verify whether they were attempting to log into their accounts.

It's therefore perhaps no surprise that WhatsApp's new feature doesn't adhere to any of these other implementations.

When a user decides to activate 2SV, the encrypted messaging app prompts them to create a six-digit code that they can use to verify themselves when they move their account to another device. This feature means a user doesn't have to set up another WhatsApp account each time they get a new device. It also prevents attackers from moving a user's account to another phone without their consent.

Now what happens if a user forgets that code? Don't worry. WhatsApp has accounted for that:

"Upon enabling this feature, you can also optionally enter your email address. This email address will allow WhatsApp to send you a link via email to disable two-step verification in case you ever forget your six-digit passcode, and also to help safeguard your account. We do not verify this email address to confirm its accuracy. We highly recommend you provide an accurate email address so that you’re not locked out of your account if you forget your passcode."
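To make the mechanism concrete, here is an added, simplified Python model of the registration flow described above (written for this article, not WhatsApp's own code): the SMS code alone is enough to move an account until 2SV is on, after which the six-digit PIN is also required, and the email reset link only helps if the stored address was typed correctly. The class and function names, and the sample phone number and codes, are constructed for the illustration.

```python
import hashlib
import hmac
import secrets

# Constructed, simplified model of WhatsApp-style registration with 2SV.
# Written for this article; not WhatsApp's implementation.

class Account:
    def __init__(self, phone):
        self.phone = phone
        self.pin_salt = None        # set when 2SV is enabled
        self.pin_hash = None
        self.recovery_email = None  # stored as typed, never verified
        self.registered_device = None

    def enable_2sv(self, pin, recovery_email=None):
        if len(pin) != 6 or not pin.isdigit():
            raise ValueError("PIN must be six digits")
        # Never store the PIN itself; keep a salted, stretched hash.
        self.pin_salt = secrets.token_bytes(16)
        self.pin_hash = hashlib.pbkdf2_hmac("sha256", pin.encode(), self.pin_salt, 100_000)
        self.recovery_email = recovery_email

    def disable_2sv_via_email_link(self, link_email):
        # The reset link is mailed to the stored address; a typo there means
        # it never arrives and the user stays locked out.
        if self.recovery_email is None or link_email != self.recovery_email:
            return False
        self.pin_salt = self.pin_hash = None
        return True

    def _pin_ok(self, pin):
        if pin is None:
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), self.pin_salt, 100_000)
        return hmac.compare_digest(candidate, self.pin_hash)

def register_device(account, device_id, sms_code, expected_sms_code, pin=None):
    """Try to move the account to device_id. Returns True on success."""
    # Step 1: the SMS code only proves control of the phone number, which
    # a SIM swap or an intercepted SMS also gives an attacker.
    if not hmac.compare_digest(sms_code, expected_sms_code):
        return False
    # Step 2: with 2SV enabled, the six-digit PIN is required as well; this
    # is the check that stops the account moving without the owner's consent.
    if account.pin_hash is not None and not account._pin_ok(pin):
        return False
    account.registered_device = device_id
    return True
```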


Simple enough, right?

Okay, let's set this feature up. Here's how you do it:

  1. Open WhatsApp on your device.
  2. Near the top right corner of the app's display window is an icon consisting of three dots arranged in a vertical line. Click on it.
  3. A drop-down menu will appear. Click on Settings. It should be near the bottom of the menu.
  4. The settings page will appear. Click Account > Two-step verification.
  5. Enter a 6-digit code and then confirm it.
  6. Provide WhatsApp with a legitimate recovery email and confirm it.
  7. And you're done! You can navigate back to that page if you ever want to change your 2SV PIN, change your email, or disable the feature entirely.

Don't delay. If you're a WhatsApp user you should enable this feature to better secure your account.


2 Responses

  1. Bob

    February 10, 2017 at 6:31 pm #

    Fantastic :-D

    This has been implemented in the Telegram app for a few years now. It's a shame it has taken WhatsApp so long… better late than never.

    For people who don't know what benefits this will bring:

    If somebody intercepts your registration SMS (e.g. when you get a new phone), or if they obtain a SIM with your number (or re-program one), they can communicate with your contacts by impersonating you.

    By using 2SV the person also needs your password… this makes it significantly more difficult for these types of attacks.

    • Bob in reply to Bob.

      February 10, 2017 at 6:51 pm #

      It did occur to me David why WhatsApp have introduced such a feature and the only plausible reason I can think of (apart from philanthropy) is in response to the recent story on "broken" encryption reported in the press and on here. 2SV makes this sort of attack very difficult.

      Also, the old trick of registering on a new device, overlooking somebody's verification code (normally visible even on the lock screen) and then entering it on the new device is effectively prevented by 2SV.
