WhatsApp Introduces Passkeys To Improve Logins

With more than 2 billion users, WhatsApp is ranked the most used mobile messenger app in the world. The leading messaging service now joins other major tech platform providers such as Uber or Amazon by introducing passkey technology.

Historically, WhatsApp has been at the forefront of secure digital communication, being one of the first messaging services to implement end-to- end (E2E) encryption. This early adoption of robust encryption measures demonstrated their dedication to safeguarding user conversations. The introduction of passkeys builds on and highlights WhatsApp's commitment to user privacy and security without compromising the user experience.

Passkeys are not available at initial sign up for an account (yet). However, users can easily set them up in the account settings, where WhatsApp guides users with clear instructions. WhatsApp emphasizes that passkeys can be stored in a password manager (like Google Password Manager or 1Password) in contrast to the default option SMS OTPs , which solves a major pain point in the user experience. It is also noteworthy that WhatsApp has put a lot of effort in the Android sync management, which sets them apart from other platform providers (more on this in the next section).

Passkey Settings in WhatsApp

Passkey Creation in WhatsApp

WhatsApp's decision to adopt passkeys is probably based on the following strategic reasons:

As a mobile messenger app, most of WhatsApps users access the service via mobile devices. Our recent passkey-readiness analyses have shown that more than 80% of all mobile devices are ready to use passkeys, which provides a very good basis for a first wave of seamless integration of WhatsApp passkeys. The introduction of passkeys with a mobile-first approach is therefore the next logical strategic step for WhatsApp. Further, users regularly engage with WhatsApp's desktop version. However, the current process involves scanning a QR code and waiting for a synchronization, which many find cumbersome and glitch-prone. Introducing passkeys, especially those synced through a cloud provider (e.g. Apple iCloud Keychain or Google Password Manager), could eliminate the need for manual QR scans, offering a seamless login experience.

For Meta (formerly Facebook), the parent company of WhatsApp, this decision is logical. Reflect on the last time you used your WhatsApp password or if you even set one up. Chances are, it hasn't been frequently. Given this, the transition to passkeys appears to be a low-risk initiative.
Currently, users do not have to authenticate manually every time they use WhatsApp, as this would significantly limit the user experience. However, if a user changes the device, or the phone number, they are prompted to verify the phone number via SMS. By introducing passkeys, WhatsApp can potentially reduce the high costs associated with SMS authentication, replacing them with more secure and convenient passkeys. To give you an example: According to miniOrange, transaction prices usually range from 0.01 to 0.20 USD per SMS. If only 5% of the 2 billion of users need to verify their account per year via an SMS, this would result in 1-20 million USD of costs.
The users are supposed to remember the original verification code (remember its not at time-based code that changes frequently but a rather static one). However, as they hardly ever use it, most of them forget the code and must have a new one sent to them, which not only increases the costs even further, but significantly reduces the user experience.

Synchronization between Androids works seamlessly with password managers such as Google Password Manager or Samsung Pass. Further, WhatsApp is leading the way in managing the synchronization of Android passkeys by allowing users to actively choose where their passkeys are stored a feature that has just recently become possible with Android 14.

While the move into passkeys is great in general, WhatsApp has still room for improvement:

Currently only Android and iOS devices support passkeys. In the future, passkeys hopefully will be rolled out to all ecosystems, so also to users who make use of passkeys on Windows.

Prioritizing updates on critical features like introducing Conditional UI (Passkey Autofill), and further refining device management can considerably enhance user experience.

Currently, when setting up 2-step verification (2SV) for WhatsApp, users create a code that they have to remember. This is very inconvenient (poor user experience!), which is why many people decide against the more secure authentication method. If passkeys were introduced as a 2FA method and users were to set them up smoothly when creating an account, for example, this would increase security enormously without compromising the user experience.

WhatsApp's implementation of passkeys marks a significant step forward in enhancing user security and convenience. By addressing key user pain points and leveraging its mobile-first approach, WhatsApp sets a new standard for secure and user-friendly digital communication. As the platform continues to innovate, the potential expansion of passkey technology across all ecosystems and its integration into two-factor authentication promises even greater improvements in both security and user experience. Further, the integration could very well be a precursor to a broader rollout across Meta's platforms, potentially setting the stage for Instagram and Facebook).

Subscribe to our passkeys Substack or join our passkeys community on Slack for updates on WhatsApp passkeys and further insights into the evolving landscape of the new authentication method.