This guide includes screenshots of Signal on Android, but the steps are similar even if you are using Signal on iOS/iPhone. After setting up Signal on your phone, you can sync your messages to Windows, Linux, MacOS and iPadOS devices using the Signal application. Regularly check your linked devices in Signal’s settings menu, and unlink those you don’t use or recognise. Instructions on setting up linked devices, and activating other security features are available on Signal’s support website. For more information on how to secure your phone, tablet and/or laptop, see the ACSC’s Quick Wins for your Portable Devices guide. Turn on multi-factor authentication (MFA) for Signal What is MFA? MFA is a way to improve the security of your most important accounts. It requires you to produce a combination of two or more of the following authentication types before granting access to an account: • something you know (e.g. a PIN, password or passphrase); • something you have (e.g. a smartcard, physical token, authenticator app, SMS or email); and • something you are (e.g. a fingerprint, facial recognition or iris scan). Two-factor authentication (2FA) is the most common type of MFA, requiring two different authentication types. Why is it important to turn MFA on? MFA makes it harder for cybercriminals to gain initial access to your account by adding more layers of authentication, requiring extra time, effort and resources to break. Think of adding MFA to your account like adding a locked security screen to your home. It provides you with an extra layer of protection from criminals trying to break in. How do I turn MFA on? How to turn on MFA depends on the software or service you are using. However, the steps are somewhat similar for most applications. Icons and language may differ slightly depending on the software or device you are using. MFA for Signal is called Registration Lock. Registration Lock will require you to enter your Signal PIN before gaining access to your account on new devices. To increase the security of your Signal PIN, consider using a unique passphrase, as Signal allows PINs to use alphanumeric characters. You can create a passphrase using four or more random words. To help you remember your PIN, Signal will periodically ask you to enter it in an optional prompt on the bottom of your screen. 1. Select your Profile picture in the top left corner of the screen. 2. Select Account. 3. Select the switch for Registration Lock. 4. Select Turn On. 5. Once you have enabled Registration Lock you should see that the switch is activated blue. Using safety numbers to verify Signal contacts Safety numbers are used to verify the identity of a contact and the security of one-to-one messages and calls. They verify messages and calls are secure and that no one is intercepting or altering your communications. This is done by scanning the QR code on your contact’s device or verifying the 60 digit safety number exactly matches on both devices. Safety numbers usually, but not always, change when a contact reinstalls the app, changes phone numbers or changes device. Users are advised when a safety number changes and should verify with the contact as to why the safety number has changed. Users should also be on the lookout for frequent or unexpected changes as this is a sign something may be wrong. The following guide will show you how to verify the safety number of your contact to ensure you are messaging the correct person. The contact will remain verified until the safety number changes. 1. Open Signal and select the one-to-one conversation you wish to verify. 2. Select the profile picture. 3. Select View Safety Number. 4. To check the safety number either scan the QR code on the other person’s device or verify the 60 digit number matches on their device. This can be done by sending the number to them via the share button. Only share the security code using trusted methods of communication, where you have verified that the other person is who they say they are (such as a phone call where you recognise the person’s voice). Be wary of communication methods that could be intercepted or compromised, such as email. Consider splitting parts of the code across multiple communication methods to stay secure and don’t use a Signal message to the contact you are verifying as a method of verification. 5. If you shared and checked the safety number, select Mark as Verified. 6. You can then check it is verified under the contact. 7. If you need to clear the verification simply return to the View Safety Number screen and select Clear Verification. For more mobile security tips read ACSC’s Quick Wins for your Portable Devices.