WhatsApp Passkey Guide

Passkeys are the new standard of secure and user-friendly authentication. They replace traditional passwords with cryptographic keys, significantly enhancing both security and user experience. However, some questions of passkeys in regard to WhatsApp remain:

• Why should you consider using passkeys for WhatsApp instead of traditional passwords or two-factor authentication methods?
• What are the key benefits of passkeys, and how do they improve security for WhatsApp users?

In this guide, we’ll explore the advantages of using passkeys on WhatsApp and provide a step-by-step process for setting them up on both iOS and Android devices.

Passkeys are a modern, secure alternative to traditional passwords, using cryptographic keys instead of memorized passwords. This shift to passkeys aligns with WhatsApp’s ongoing commitment to user privacy and security, enhancing both protection and convenience for its over 2 billion users.

Why WhatsApp Introduced Passkeys

1. Improved Security and User Experience: Traditional methods like SMS-based verification and 2-step verification (2SV) codes can be cumbersome and insecure. Passkeys offer a streamlined login process using biometrics or device PINs, making it easier for users to access their accounts without repeatedly entering codes or scanning QR codes, particularly for those using WhatsApp on desktop versions.

2. Mobile-First Strategy: Since most WhatsApp users access the app on mobile devices, rolling out passkeys aligns with this mobile-first usage. Over 95% of mobile devices are already equipped to use passkeys, providing a solid foundation for smooth integration and better user experience.

3. Cost Efficiency: Moving away from SMS-based One-Time Passcodes (OTPs) helps WhatsApp cut down on costs associated with SMS verifications, which can run into millions of dollars annually. Passkeys offer a more secure and cost-effective alternative and have no transactional costs.

4. Advanced Sync Management: WhatsApp allows users to choose where their passkeys are stored, such as in Google Password Manager or Samsung Pass. This option gives users greater flexibility and control over their security settings, making it easier to manage passkeys and synchronize them when switching devices.”

By adopting passkeys, WhatsApp not only enhances security but also reduces costs and simplifies the user experience. This move positions WhatsApp as a leader in secure messaging, with potential for broader application across Meta’s platforms like Facebook and Instagram.

After announcing the introduction of passkeys for WhatsApp in October 2023 for Android and in April 2024 for iOS, the company provided limited details on how they can be used and the specific scenarios where they will be most beneficial. It appears that the full range of passkey features will be rolled out incrementally. However, users can expect to experience the following advantages of passkeys in the near term:

With passkeys, WhatsApp users can log in using Face ID, Touch ID, or a device PIN, eliminating the need for memorizing complex passwords. This makes it easier to access accounts securely, especially when traveling or on the move, without the hassle of SMS verification codes, as mentioned in WhatsApp’s official announcement on social media.

WhatsApp has historically relied on SMS-based One-Time Passcodes (OTPs) for account verification. However, these are vulnerable to SIM-swapping attacks and phishing. By introducing passkeys that authenticate locally on the user’s device, WhatsApp significantly reduces these risks, providing a more secure and reliable method of authentication.

WhatsApp is also leveraging passkeys to improve the multi-device experience. Instead of relying on QR code scans to sync across devices, passkeys enable seamless and secure login across platforms. This allows for a smoother transition when using WhatsApp on both mobile and desktop versions, without repeated manual verifications.

Passkeys provide an easy and secure way to log in to supported sites and applications without passwords by relying on Face ID or Touch ID to identify you. Your iOS device stores the passkey in the iCloud Keychain, therefore you must be running iOS 16 or later. For your Android device, you are required to at least have Android 9 (PIE).

Can I use passkeys with WhatsApp on my device?

Setting up passkeys on WhatsApp for iOS is straightforward. Follow these steps:

Step-by-Step Guide for iOS:

1. Update Your WhatsApp App: Ensure that your WhatsApp is updated to the latest version from the App Store.

2. Enable Passkeys: Open WhatsApp and navigate to Settings > Account > Passkeys > Continue

3. Set Up a Biometric Method: Choose your preferred biometric method (Face ID or Touch ID) or a device PIN.

Android users can also enjoy the convenience of passkeys for their WhatsApp authentication. Here’s how:

Step-by-Step Guide for Android:

1. Update Your WhatsApp App: Make sure your WhatsApp is updated to the latest version from the Google Play Store.

2. Enable Passkeys: Open WhatsApp and go to Settings > Account > Passkeys > Continue

3. Choose Biometric Authentication: Select a biometric authentication method (Fingerprint or Face Unlock) or set a device PIN.

Once passkeys are set up, logging in will be simple:

1. Re-install WhatsApp on your device.
2. Instead of having to use SMS-based One-Time Passcodes (OTPs) for account verification, use your configured biometric method (Face ID, Touch ID, Fingerprint) or PIN to authenticate your phone number.
3. If set up correctly, the device will authenticate automatically, providing a secure, passwordless login experience.

To manage your passkey in WhatsApp, simply go to Settings > Account > Passkeys, where you can delete the existing passkey or after deleting, create a new one.

A new feature currently in development for WhatsApp passkeys is the encryption of backups using passkeys. Until now, WhatsApp backups could be secured either with a password or a 64-bit key. With the upcoming updates, users will soon have the option to encrypt their backups with passkeys, adding an extra layer of security. This functionality is already available to some Android beta users in the WhatsApp beta 2.24.18.13 version, allowing early adopters to experience this enhanced security measure firsthand. The feature is expected to be rolled out for all WhatsApp users in the coming weeks.

If your biometric authentication fails (e.g., Face ID doesn’t recognize you), WhatsApp will fall back to your device PIN or password as a secondary method (fallback method).

Yes, passkeys can be used across multiple devices as long as they meet the setup requirements and are synced via iCloud Keychain (iOS) or Google Password Manager / Samsung Pass (Android) or Third-Party Password Managers (e.g. 1Password, Dashlane, Bitwarden).

Absolutely. Passkeys leverage public-key cryptography, making them significantly more secure than traditional passwords. They are also immune to phishing attacks since the authentication happens on the device, not on a server.

Passkeys represent a great step forward in making WhatsApp more secure and user-friendly. By transitioning from traditional passwords and SMS-based verifications to a more secure, biometric-backed authentication method, WhatsApp is addressing both user convenience and advanced security needs. As more features, like encrypted backups with passkeys, become available, WhatsApp users can look forward to even greater control over their privacy and security. Setting up passkeys is easy, and the benefits - enhanced security, reduced risk of phishing, and a smoother login experience - make it well worth the effort.