WhatsApp is adding new security features to prevent unauthorized access and fraud. These include Account Protect, Device Verification, and Automatic Security Codes.
🛡️ If you need to switch to a new device, we want to make sure it’s really you. If we detect a suspicious login, we may send a notification to your old device alerting you.
That way, we can ensure it’s you and not someone trying to take control of your account.
— WhatsApp (@WhatsApp) April 13, 2023
Account Protect: For added security, when you switch to a new device, WhatsApp may ask you to verify on your old device that it's really you, alerting you to unauthorized attempts to move your account.
Device Verification: To protect against mobile device malware that can exploit your phone without permission and send unwanted messages via WhatsApp, the company has added authentication checks that require no action from you, allowing uninterrupted usage even if your device is compromised.
Automatic Security Codes: Our security-conscious users can verify recipients through our security code feature manually. To make this process more accessible, WhatsApp is introducing a security feature based on “Key Transparency” that automatically verifies secure connections when you click on the encryption tab, ensuring your personal conversations are secured.
WhatsApp also recommends using two-step verification and enabling end-to-end encrypted backups for enhanced security.
Key Transparency
WhatsApp has introduced a new cryptographic security feature called key transparency, which automatically verifies secured connections without requiring any additional user actions. This feature transparently strengthens the end-to-end encryption guarantee that is available to all users.
WhatsApp has also released an open-source library called Auditable Key Directory (AKD) that allows anyone to verify audit proofs of the directory’s correctness, supporting the key transparency deployment.
The key transparency system consists of two components:
- The server (WhatsApp) keeps an append-only AKD of public keys linked to user accounts, with a publicly accessible audit record for confirming any changes in the directory.
- Users can automatically verify conversation security through the WhatsApp directory, making the verification process quick and automatic for security-conscious users.
This new service provided by WhatsApp relies on public auditing to verify the end-to-end encryption status of personal conversations. However, users who prefer not to use WhatsApp servers for verification can still utilize the traditional security code verification process in addition to the new automated process.
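The following added example (not WhatsApp's code and not the AKD library's API or data structure) models the append-only idea with a plain SHA-256 hash chain, showing how an auditor holding an earlier checkpoint detects a rewritten directory entry. The account names, key bytes, and all function names are constructed for illustration.

```python
import hashlib

GENESIS = b"\x00" * 32  # constructed starting head for an empty directory

def next_head(prev: bytes, account: str, pubkey: bytes) -> bytes:
    """Chain head after appending (account, pubkey) on top of prev."""
    h = hashlib.sha256()
    for part in (prev, account.encode(), pubkey):
        h.update(len(part).to_bytes(4, "big"))  # length prefix: unambiguous encoding
        h.update(part)
    return h.digest()

class Directory:
    """Server side: append-only list of key updates."""
    def __init__(self):
        self.entries = []      # [(account, pubkey), ...]
        self.head = GENESIS

    def publish(self, account: str, pubkey: bytes):
        """Append a key update and return the public checkpoint (size, head)."""
        self.entries.append((account, pubkey))
        self.head = next_head(self.head, account, pubkey)
        return len(self.entries), self.head

def audit(old_cp, new_cp, entries) -> bool:
    """Auditor: replay the log and confirm new_cp only extends old_cp."""
    (old_size, old_head), (new_size, new_head) = old_cp, new_cp
    if not 0 <= old_size <= new_size or len(entries) != new_size:
        return False
    head = GENESIS
    for i in range(new_size + 1):
        if i > 0:
            head = next_head(head, *entries[i - 1])
        if i == old_size and head != old_head:
            return False       # an entry before the old checkpoint was changed
    return head == new_head

def current_key(entries, account: str):
    """Client: newest key the audited log records for an account."""
    for acct, pubkey in reversed(entries):
        if acct == account:
            return pubkey
    return None
```

Replaying the whole log is linear in its size; a production directory would use a tree structure so that proofs stay short.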
The “Verify Security Code” page in WhatsApp works by using public/private key pairs. Every contact has a QR code and a 60-digit number that can be checked outside of WhatsApp to ensure a secure, end-to-end encrypted chat.
Automatic verification eliminates the need for communication outside of WhatsApp, which can be challenging in 1:1 communications, small groups, or large groups with frequent changes in devices or participants.
Availability
WhatsApp will be introducing additional security features in the coming months. With the implementation of the key transparency feature, users who rely on the verify security code function will experience the convenience of automatic verification as this feature becomes available on Android soon, said the company.