whatsapp-two-step-verificationAfter applying two-factor authentication (2FA) to my Microsoft account, WhatsApp was next on my list. In case you don’t know, WhatsApp is a popular messaging app used on mobile phones. It’s owned by Facebook (bad, some might say) but at least all the messages are encrypted end to end (good, unlike Facebook’s own Messenger), so they can’t be intercepted.

Unlike most other apps or web sites, you don’t have a WhatsApp password. Neither do you have a username, really. It’s all about your phone number. To get started, you just register the phone number with WhatsApp and that’s it. WhatsApp messages go over the Internet, like Messenger chats or Skype, so they don’t use any call or text allowance.

I hesitated before even finding out about 2FA for WhatsApp; after all, what’s the risk? I guess if someone was able to hijack my phone number they could start sending WhatsApp messages as me. Seems unlikely, but since there is a 2FA option I decided to take it.

Strictly speaking this isn’t two-factor authentication, at least to my mind. 2FA means there are two “secret” things needed to get into an account, one being a password and the second being a code of some sort. WhatsApp’s 2FA enables you to define a 6-digit PIN that must be entered before your phone number can be “re-registered” with WhatsApp. It’s good to add that protection, but really this is a bit like requiring a password – it’s more one-factor authentication because there’s nothing secret about the mobile number.

Anyhoo, having set my PIN and entered an email address (to be used in the event of the PIN being lost or not working), I’ve done it. It didn’t oblige me to enter the new PIN there and then in order to carry on using WhatsApp (as I thought it might) – it just said it’ll be required in order to re-register the number with WhatsApp (which is what a criminal would do, I suppose, if they hijacked my number on a different phone).

Wot, no backup?

So job done, 2FA-wise (or, in this case, 1FA-wise). While I was in the WhatsApp settings I also thought about backup of all the chats. There’s no backup set at the moment, so if my phone died and I had to start again I think I would lose all those messages. I could set it to backup to Google Drive, but, as it warns, there’s no encryption on those backups. (I’d be relying on the security on my Google account to protect them.) On balance I’ve decided not to bother as there’s nothing particularly precious or business-critical in my WhatsApp chats and it’s one less thing to bother about. If I have a phone disaster and lose it all, I’ll live with that.

Next on my 2FA hit list: Facebook.