WhatsApp Enables Two-Step Verification To Protect Users Against Impersonation Attacks

WhatsApp joined the list of companies enabling two-step verification (or two-factor authentication) for their users. This feature will help make sure users can’t be impersonated unless the attacker also knows an additional six-digit code.

Enabling WhatsApp Two-Step Verification

Enabling two-step verification requires you to open WhatsApp on Windows, Android, or iOS and then go to Settings > Account > Two-step verification > Enable. If you can’t see the feature there yet, you may have to wait a few more days to receive the latest update containing it.

Once you enable the feature, you’ll also be given the option to enter your email address as a backup solution, in case you forget your six-digit passcode. If that happens, you can ask WhatsApp to disable the two-step verification feature. You’ll then receive a confirmation link at the connected email address.

Protecting Yourself Against Malicious Hackers

If you do use an email as a backup solution, then you should use one that you know is secure and is protected by its own two-step verification solution. Email accounts tend to be much more vulnerable to theft than your six-digit passcode, which you can write on a piece of paper. Only use the email option if you know it’s actually going to preserve, not weaken, your WhatsApp account’s security.

You also need to be careful about clicking on links from WhatsApp emails that say they will disable your two-step verification, unless you requested this yourself. If you receive such an email, but you didn’t ask WhatsApp to disable two-step verification, then someone may be trying to get you to disable it.

If you have two-step verification enabled, you forget your passcode, and you didn’t provide an email to disable two-step verification, you will not be able to reverify on WhatsApp for seven days after the last time you used your passcode. After the seven-day period, you will be able to reverify, but all previous messages will be deleted.

If your number is reverified on WhatsApp after 30 days of using WhatsApp without a passcode, the account will be deleted, and a new one will be created from scratch after a successful reverification.

WhatsApp will periodically ask for the six-digit passcode to make sure people remember it. This feature can’t be disabled without disabling two-step verification completely.

Working Around Wireless Networks’ Security Vulnerabilities

Wireless phone networks aren’t the most secure things in the world. In fact, they are quite vulnerable to direct theft of phone numbers, call and message interception, and social engineering. Therefore, enabling two-step verification seems like a good move to protect WhatsApp users’ accounts from theft and impersonation.

If you are already protecting your account against impersonation with two-step verification, but you would also like to be protected against your friends being impersonated, then you will need to enable the security notifications in Settings > Account > Security. This feature will notify you when your friends reinstall WhatsApp or are being impersonated. This security feature can be further enhanced by verifying each other’s “security codes,” which can be found on the View Contact > Encryption screens.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.