Mallory

WhatsApp Introduces Passkey-Encrypted Chat Backups

WhatsApp, passkey, encryption, WebAuthn, chat
Updated October 30, 2025 at 09:01 PM · 2 sources


WhatsApp has announced the rollout of passkey-encrypted chat backups for both iOS and Android devices, allowing users to secure their stored message history using biometric authentication methods such as fingerprint, face recognition, or device screen-lock codes. This new feature leverages passwordless authentication standards like FIDO2/WebAuthn, replacing traditional backup passwords with cryptographic keys stored securely on the user's device. The update aims to simplify the backup security model and reduce risks associated with weak or forgotten passwords, as the device's biometric or lock code now serves as the primary gatekeeper for backup access.

The introduction of passkey-encrypted backups reflects a broader industry shift toward passwordless authentication, with passkeys gaining traction among users seeking enhanced security and convenience. WhatsApp users can enable this feature by navigating to Settings > Chats > Chat backup > End-to-end encrypted backup, and the rollout is expected to reach all users over the coming months. This move builds on WhatsApp's previous implementation of end-to-end encrypted chat backups and further strengthens the privacy and security of user data stored on cloud services like iCloud and Google Drive.

Sources

October 30, 2025 at 12:00 AM
October 30, 2025 at 12:00 AM

Related Stories

WhatsApp Develops Optional Account Password as an Additional Login Factor


Meta’s WhatsApp is developing an **optional account password** feature for Android that adds a new authentication step on top of the existing registration flow, according to references found in *WhatsApp Beta for Android* `2.26.7.8` distributed via the Google Play Beta Program. The feature would let users set an alphanumeric password **6–20 characters** long, requiring at least **one letter and one number**, with in-app guidance on password strength; users would be able to **change or remove** the password at any time. The password is intended to reduce **account takeover** risk in scenarios such as **SIM swapping**, intercepted verification codes, or compromised devices. During login, WhatsApp would prompt for the password **after** the 6-digit SMS verification code; if **two-step verification (PIN-based 2FA)** is also enabled, the user would enter the 2FA code and then the account password. The work builds on WhatsApp’s existing optional protections, including two-step verification and account recovery via a registered email address.

3 weeks ago
WhatsApp Introduces Strict Account Settings for Lockdown-Style Spyware Defense


WhatsApp announced a new optional security mode, **“Strict Account Settings,”** designed to reduce exposure to *highly sophisticated attacks*—particularly **mercenary spyware**—by limiting risky functionality when enabled. The feature is expected to roll out in the coming weeks and includes restrictions such as blocking attachments and media from people not in a user’s contact list; it can be enabled via `Settings > Privacy > Advanced`. WhatsApp positioned the change as an additional layer beyond default **end-to-end encryption**, aimed at higher-risk users such as journalists and public-facing figures, and noted its ongoing legal fight with **NSO Group** over the 2019 Pegasus campaign that targeted roughly 1,400 WhatsApp users. The approach mirrors Apple’s **Lockdown Mode**, which similarly reduces attack surface for a small subset of users who may be personally targeted by advanced threats by disabling or constraining features across core services. Apple documents that Lockdown Mode blocks most message attachment types, limits complex web technologies, restricts incoming FaceTime calls to recent contacts, blocks certain Apple service invitations, and removes some photo-sharing metadata—trading usability for stronger protection against targeted exploitation. Together, the updates reflect a broader industry pattern of offering *opt-in, high-friction hardening modes* to mitigate spyware and other highly targeted intrusion techniques.

1 month ago

Passwordless Authentication and Passkey Adoption for Fraud Prevention

Microsoft has begun rolling out support for syncing passkeys across Windows devices and its Edge browser, addressing a key barrier to widespread adoption of passwordless authentication. This phased rollout starts with Edge on Windows 10 and 11, with plans to expand to iOS, Android, and macOS, aiming to make passkey management seamless for users and organizations. The move is expected to accelerate the shift away from traditional passwords, leveraging the FIDO Alliance's non-phishable passkey standard to enhance security and usability across platforms. Industry experts highlight that passwordless authentication is not just a technological upgrade but a critical component in modern fraud prevention strategies. As organizations transition to passkeys and device-based authentication, they face challenges such as cross-device access and user education. Integrating behavioral analytics with passwordless systems is seen as essential for detecting sophisticated fraud attempts, including those involving AI-driven identity spoofing and deepfakes, ensuring both external and internal threats are mitigated effectively.

4 months ago
