WhatsApp announces features to prevent account takeover

WhatsApp will be rolling out three new security features in the coming months, to provide users with increased privacy and control over their messages and to help prevent unauthorized account access and takeover.

The new features

The first feature is called Account Protect and will help prevent unauthorized transfers of accounts from one device to another.

This feature will require users to verify on their old device any attempts to switch to a new device.

WhatsApp’s new check when moving account to another phone (Source: Meta)

The second feature is called Device Verification.

WhatsApp is known for its use of end-to-end encryption to protect user privacy. This technology uses cryptographic keys to ensure that only the sender and intended recipient of a message can read its contents, and not even WhatsApp itself can access them.

But unofficial, malware-laden WhatsApp apps can steal user’s authentication key, which means attackers can take over their account and access everything in it, as well as send and receive messages. In this case, end-to-end encryption is of no help.

“When someone receives a message their WhatsApp client wakes up and retrieves the offline message from WhatsApp server. This process cannot be impersonated by malware that steals the authentication key and attempts to send messages from outside the users` device,” WhatsApp explains.

With the introduction of three new security/authentication parameters, Device Verification provides an additional layer of security to ensure that the authentication key cannot be stolen.

Finally, WhatsApp has added Automatic Security Codes.

Previously, users could make sure they are communicating with the intended recipient and that the calls and messages are end-to-end encrypted by taking advantage of the security code verification feature, but they had to go through the process manually: they had to tap the encryption tab under a contact’s info and scan the QR code on the recipient’s device (when users are physically next to each other), or send them the 60-digit number through another platform.

The Automatic Security Codes feature is more convenient for users, since it automatically verifies if the connection is secure just by clicking on the encryption tab.

“We’re building on key transparency by developing a new Auditable Key Directory (AKD), which is based on an open-sourced library. The AKD will enable WhatsApp clients to automatically validate that a user’s encryption key is genuine and enables anyone to verify audit proofs of the directory’s correctness,” WhatsApp explained how the feature works behind the curtain.

While you’re waiting for the rollout

Those new features will be implemented by WhatsApp and won’t require any action from the user.

But there are two security features that users are advised to enable themselves:

• Two-step verification adds an extra layer of security against account takeover attempts by requiring users to enter a code in addition to their password to access their account
• End-to-end encrypted backups ensure that users’ messages and data are encrypted even when backed up to the cloud.