
Securing WhatsApp

This step-by-step guide shows you how to secure WhatsApp on your phone with the use of multi-factor authentication and security codes.

This guide includes screenshots of WhatsApp on iOS/iPhone, but the steps are similar even if you are using WhatsApp on Android, or using WhatsApp Business.

After setting up WhatsApp on your phone, you can sync your messages to other devices using the WhatsApp desktop or web application. Regularly check your linked devices in WhatsApp’s settings menu, and unlink those you don’t use or recognise.

Instructions on setting up linked devices, and activating other security features are available on WhatsApp’s support website.

For more information on how to secure your phone, tablet and/or laptop, see the ACSC’s Quick Wins for your Portable Devices guide.

Turn on multi-factor authentication (MFA) for WhatsApp

What is MFA?

MFA is a way to improve the security of your most important accounts. It requires you to produce a combination of two or more of the following authentication types before granting access to an account:

• something you know (e.g. a PIN, password or passphrase);
• something you have (e.g. a smartcard, physical token, authenticator app, SMS or email); and
• something you are (e.g. a fingerprint, facial recognition or iris scan).

Two-factor authentication (2FA) is the most common type of MFA, requiring two different authentication types.

Why is it important to turn MFA on?

MFA makes it harder for cybercriminals to gain initial access to your account by adding more layers of authentication, requiring extra time, effort and resources to break. Think of adding MFA to your account like adding a locked security screen to your home. It provides you with an extra layer of protection from criminals trying to break in.

How do I turn MFA on?

How to turn on MFA depends on the software or service you are using. However, the steps are somewhat similar for most applications. Icons and language may differ slightly depending on the software or device you are using.

MFA for WhatsApp is called two-step verification. Two-step verification requires you to enter a six-digit PIN before gaining access to your account.

Once MFA is set up, WhatsApp will periodically ask you to enter your PIN.

1. In WhatsApp or WhatsApp Business, select the Settings icon in the bottom right hand corner.

If you use an Android device, you may have to access Settings by tapping three vertical dots in the upper right hand corner of your screen.

2. Select Account.

3. Select Two-Step Verification.

4. Select Enable.

5. Enter a six-digit PIN. You will then be asked to confirm your PIN. When complete, select Next.

6. Enter your email address and then select Next. Then confirm your email address and select Done. This step is optional but will allow you to reset your PIN if you forget it.

7. After enabling two-step verification you will be returned to this page. The setup is now complete. You can return to this page in the future if you need to change your PIN or recovery email address.

Using security codes to verify WhatsApp contacts

Security codes are used to verify the identity of a contact and the security of one-to-one messages and calls. They verify that messages and calls are secure and that no one is intercepting or altering your communications. This is done by scanning the QR code on your contact’s device or verifying that the 60-digit security code exactly matches on both devices.

Security codes usually, but not always, change when a contact reinstalls the app, changes phone number or changes device. Check with the contact why their security code has changed. Also be on the lookout for frequent or unexpected changes, as this is a sign that something may be wrong.

The following guide has been broken up into two sections. The first section shows how to enable notifications for when a security code changes. The second section shows how to verify the security code of your contact to ensure you are messaging the correct person. The contact will remain verified until the security code changes.

How to enable notifications for when a security code changes

1. In WhatsApp or WhatsApp Business, select the Settings icon in the bottom right hand corner. If you use an Android device, you may have to access Settings by tapping three vertical dots in the upper right hand corner of your screen.

2. Select Account.

3. Select Security.

4. Turn on Show Security Notifications.

How to verify WhatsApp security codes

1. To verify the security code of a contact, select Chats and select the one-to-one conversation you wish to verify.

2. Select the name/number of the contact.

3. Select Encryption.

4. To check the security code, either scan the QR code on the other person’s device or verify that the 60-digit number matches the one on their device. You can send the number to them using the share button.

Only share the security code using trusted methods of communication, where you have verified that the other person is who they say they are (such as a phone call where you recognise the person’s voice). Be wary of communication methods that could be intercepted or compromised, such as email. Consider splitting parts of the code across multiple communication methods to stay secure and don’t use a WhatsApp message to the contact you are verifying as a method of verification.

Once all steps are completed, you will have verified the contact and will be notified if their security code changes.

For more mobile security tips read ACSC’s Quick Wins for your Portable Devices.
