WhatsApp Develops Optional Account Password as an Additional Login Factor

Updated February 24, 2026 at 06:02 AM | 2 sources

Meta’s WhatsApp is developing an optional account password feature for Android that adds a new authentication step on top of the existing registration flow, according to references found in WhatsApp Beta for Android 2.26.7.8 distributed via the Google Play Beta Program. The feature would let users set an alphanumeric password 6–20 characters long, requiring at least one letter and one number, with in-app guidance on password strength; users would be able to change or remove the password at any time.

The password is intended to reduce account takeover risk in scenarios such as SIM swapping, intercepted verification codes, or compromised devices. During login, WhatsApp would prompt for the password after the 6-digit SMS verification code; if two-step verification (PIN-based 2FA) is also enabled, the user would enter the 2FA code and then the account password. The work builds on WhatsApp’s existing optional protections, including two-step verification and account recovery via a registered email address.

Related Stories

WhatsApp Introduces Passkey-Encrypted Chat Backups

WhatsApp has announced the rollout of passkey-encrypted chat backups for both iOS and Android devices, allowing users to secure their stored message history using biometric authentication methods such as fingerprint, face recognition, or device screen-lock codes. This new feature leverages passwordless authentication standards like FIDO2/WebAuthn, replacing traditional backup passwords with cryptographic keys stored securely on the user's device. The update aims to simplify the backup security model and reduce risks associated with weak or forgotten passwords, as the device's biometric or lock code now serves as the primary gatekeeper for backup access. The introduction of passkey-encrypted backups reflects a broader industry shift toward passwordless authentication, with passkeys gaining traction among users seeking enhanced security and convenience. WhatsApp users can enable this feature by navigating to Settings > Chats > Chat backup > End-to-end encrypted backup, and the rollout is expected to reach all users over the coming months. This move builds on WhatsApp's previous implementation of end-to-end encrypted chat backups and further strengthens the privacy and security of user data stored on cloud services like iCloud and Google Drive.

4 months ago

WhatsApp Introduces Strict Account Settings for Lockdown-Style Spyware Defense

WhatsApp announced a new optional security mode, **“Strict Account Settings,”** designed to reduce exposure to *highly sophisticated attacks*—particularly **mercenary spyware**—by limiting risky functionality when enabled. The feature is expected to roll out in the coming weeks and includes restrictions such as blocking attachments and media from people not in a user’s contact list; it can be enabled via `Settings > Privacy > Advanced`. WhatsApp positioned the change as an additional layer beyond default **end-to-end encryption**, aimed at higher-risk users such as journalists and public-facing figures, and noted its ongoing legal fight with **NSO Group** over the 2019 Pegasus campaign that targeted roughly 1,400 WhatsApp users. The approach mirrors Apple’s **Lockdown Mode**, which similarly reduces attack surface for a small subset of users who may be personally targeted by advanced threats by disabling or constraining features across core services. Apple documents that Lockdown Mode blocks most message attachment types, limits complex web technologies, restricts incoming FaceTime calls to recent contacts, blocks certain Apple service invitations, and removes some photo-sharing metadata—trading usability for stronger protection against targeted exploitation. Together, the updates reflect a broader industry pattern of offering *opt-in, high-friction hardening modes* to mitigate spyware and other highly targeted intrusion techniques.

1 month ago

Google Expands Android Theft Protection With Stronger Authentication and Identity Check

Google announced updated **Android Theft Protection** capabilities aimed at reducing account takeover and financial fraud risks following device theft, with availability starting on devices running **Android 16+**. The updates strengthen authentication safeguards by making **screen lock guessing** harder (longer lockout periods after repeated failed PIN/pattern/password attempts) and by improving controls around lock behavior after excessive failed authentications, including a dedicated settings toggle for *Failed Authentication Lock*. Google also expanded **Identity Check**—which requires biometric authentication for sensitive actions when the device is outside trusted places—to cover a broader set of actions and apps that use the **Android Biometric Prompt**, including third-party banking apps and **Google Password Manager**. In parallel, Android’s *Remote Lock* capabilities were highlighted as part of the theft-response toolset, giving users more control to lock a lost or stolen device and limit further misuse.

1 month ago
