Prof. from Marmara University Guest on AS TV’s Günün Saati

WhatsApp is shifting its authentication infrastructure toward a system that minimizes reliance on traditional phone numbers, signaling a significant evolution in how users establish their digital identities on the platform. While the service remains tied to mobile numbers for account creation, Meta—the parent company of WhatsApp—has been actively deploying features like passkeys and email verification to reduce the necessity of sharing phone numbers for specific interactions, such as logging in or communicating with businesses.

This transition follows a broader industry trend toward “passwordless” authentication. By integrating FIDO-certified passkeys, which utilize biometric data or device-specific screen locks, WhatsApp is moving away from the vulnerabilities associated with SMS-based two-factor authentication. According to the official WhatsApp blog, the implementation of passkeys allows users to regain access to their accounts without needing to rely on legacy SMS delivery, which has historically been susceptible to SIM-swapping attacks.

The Shift Toward Identity Privacy

The primary driver behind these changes is the increasing demand for user privacy. Traditionally, WhatsApp required a phone number as a unique identifier, exposing that number to contacts and businesses upon interaction. Recent updates allow for more granular control over how that information is shared. Specifically, the introduction of “Usernames” is currently in testing, which would allow users to communicate without revealing their phone numbers to strangers or business accounts.

As reported by WABetaInfo, a platform that tracks developments in WhatsApp’s beta software, these features are intended to provide an additional layer of security. By masking the phone number, the platform aims to mitigate harassment and unsolicited contact, effectively moving the user experience toward an identity-based system rather than a SIM-card-based one.


Technological Foundations of the New Authentication

The move away from phone numbers is underpinned by advancements in end-to-end encryption and device-based validation. When a user sets up a passkey, a private key is stored securely on the user’s device, while the public key is registered with WhatsApp’s servers. This ensures that the authentication process is verified locally, rather than relying on a telecommunications carrier to transmit a verification code via SMS.

Technological Foundations of the New Authentication

This development is consistent with the FIDO Alliance standards, which promote secure, phishing-resistant authentication. By adopting these protocols, WhatsApp is aligning itself with major tech entities like Google and Apple, who have already standardized passkeys across their respective operating systems. This reduces the friction of logging into new devices while simultaneously hardening the account against remote hijacking attempts.

What This Means for Global Users

For the average user, these changes do not mean that phone numbers will disappear from the platform entirely. Instead, the phone number is increasingly relegated to a backend identifier rather than a social one. The ability to use email addresses for account recovery and the potential for username-based discovery significantly changes the platform’s utility for international users, who may be traveling or using temporary local SIM cards.

Passkeys vs Two-Factor Authentication (2FA): What’s the Difference?

According to the WhatsApp Help Center, users can currently link their email addresses to their accounts for the specific purpose of receiving a six-digit verification code. This serves as an alternative to SMS, providing a reliable recovery method in regions where cellular coverage is inconsistent or where SMS delivery is prone to delays.

Key Developments in Account Security

  • Passkey Integration: Users can now use biometric authentication (FaceID, fingerprint) to log in, bypassing SMS codes.
  • Email Verification: An optional feature that provides a secondary method for account recovery.
  • Username Testing: Ongoing development aimed at allowing users to hide their phone numbers from business contacts and strangers.
  • Security Hardening: Reduced reliance on SMS, which helps prevent unauthorized access via SIM-swapping.

As the platform continues to iterate, users should monitor their settings menu for new privacy options. Meta typically rolls out these features in stages, meaning availability may vary by region and device type. For the most current information regarding security settings, users should consult the official WhatsApp FAQ page, which serves as the authoritative source for feature releases and privacy policy changes.

Key Developments in Account Security

Future updates are expected to expand on these features, particularly regarding how user profiles are discovered. As these systems move out of the beta testing phase, they will likely become the standard for account management across all versions of the application. Please share your thoughts on these security updates in the comments section below, and stay tuned for further developments as Meta continues to refine its global communication infrastructure.

Leave a Comment