WhatsApp is adding an extra security feature to help keep its more than a billion users safe from hacks. The company is rolling out two-step verification to its users worldwide.
When it’s available you will find it in the messaging service’s app under Settings > Account > Two-step verification > Enable.
WhatsApp’s approach to two-step verification differs from what other online services such as Facebook or Google do. Instead of using an app that generates one-time passcodes, WhatsApp requires you to create your own memorable six-digit passcode. To help you remember your code, WhatsApp will prompt you to enter it from time to time.
During the process to enable two-step verification, WhatsApp will also ask you for an optional email address. It will be used to disable two-step verification: upon request, a message will be sent to that email address, and, once you click the link in it, the two-step verification feature will be turned off. This email address is not verified during setup, so make sure you type it in correctly.
The Facebook-owned company also warned that if you get an email to disable two-step verification, but you didn’t ask for one, do not click on any links in that email.
If you ever forget your code, WhatsApp will not allow you to reverify twice within seven days, just in case someone’s trying to take over your account. After that period, you can reverify without a passcode, but any pending messages will be deleted. If you haven’t used WhatsApp for 30 days and then try to reverify without your passcode, your account will be deleted and a new one will be created for you.
When you’re deciding on a passcode for WhatsApp, you want to make it as hard to guess as possible. Six digits from your phone number, for example, would be a terrible choice, as would your birth date or that of anyone in your immediate family. If you use a password manager, it’d be a good idea to store this passcode there in case you forget it.
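The advice above can be turned into a check you run before settling on a passcode. The following is an added example, not code from WhatsApp or from the article; it assumes the passcode is exactly six digits (as the article states) and flags the weak choices named here, plus the trivially guessable all-same and sequential patterns. The phone number and date used in the comments are constructed sample values.

```python
import re
from datetime import date

def digits_only(s: str) -> str:
    """Strip '+', spaces and separators so a phone number is just its digits."""
    return re.sub(r"\D", "", s)

def date_pins(d: date) -> set[str]:
    """Six-digit encodings of a date that a guesser would try first."""
    dd, mm = f"{d.day:02d}", f"{d.month:02d}"
    yy, yyyy = f"{d.year % 100:02d}", f"{d.year:04d}"
    return {dd + mm + yy, mm + dd + yy, yy + mm + dd, yyyy + mm, mm + yyyy}

def is_weak_pin(pin: str, phone_number: str, known_dates: list[date]) -> tuple[bool, str]:
    """Return (weak?, reason) for a candidate six-digit passcode.

    phone_number: the account's own number, e.g. "+1 555 010 9999" (constructed sample)
    known_dates: birth dates of the owner and immediate family (constructed samples)
    """
    if not re.fullmatch(r"\d{6}", pin):
        return True, "passcode must be exactly six digits"
    if len(set(pin)) == 1:
        return True, "all digits identical"
    # Ascending or descending runs such as 123456 / 654321.
    diffs = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    if diffs in ({1}, {-1}):
        return True, "sequential digits"
    # Any six consecutive digits of the phone number are a first guess for an attacker
    # who already knows the number, which is the other factor WhatsApp relies on.
    if pin in digits_only(phone_number):
        return True, "six consecutive digits of the phone number"
    for d in known_dates:
        if pin in date_pins(d):
            return True, f"encodes the date {d.isoformat()}"
    return False, "ok"

if __name__ == "__main__":
    phone = "+1 555 010 9999"              # constructed sample number
    family = [date(1985, 3, 14)]           # constructed sample birth date
    for candidate in ("123456", "010999", "140385", "482913"):
        print(candidate, is_weak_pin(candidate, phone, family))
```

Storing the chosen passcode in a password manager, as the article suggests, is what makes a random six-digit value practical: the manager remembers it, so there is no reason to pick a memorable (and therefore guessable) one.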
WhatsApp’s two-step verification system is different from other services in that it relies on two static pieces of information. The first is your phone number and the second is the single passcode that you create. That essentially means you’re just adding a password to your account, and passwords can be guessed if they aren’t original enough. It’s not clear why WhatsApp decided on using static passcodes over one-time codes generated by an app. One-time codes are based on a shared secret stored on both your phone and the corresponding service’s servers. It may be that the company didn’t want to deal with the server overhead such as development time and effort for that kind of two-step verification. That is just speculation, however.