For years, WhatsApp has been the world’s most popular messaging platform and, by extension, one of the most attractive targets for hackers, state-sponsored surveillance operations, and garden-variety scammers. Now, Meta’s flagship messaging service is preparing to deploy a significant new layer of account protection that could fundamentally change the calculus for anyone attempting to hijack user accounts. The upgrade centers on a feature called Advanced Identity Keys, and it represents one of the most meaningful security enhancements WhatsApp has introduced since it rolled out end-to-end encryption in 2016.
The announcement, first reported by MSN, signals that WhatsApp is moving beyond its current verification model — which relies heavily on SMS-based one-time passwords — toward a cryptographic identity system that ties account ownership to device-level keys rather than phone numbers alone. The implications for the platform’s more than two billion users are substantial, particularly in regions where SIM-swap attacks and phone number recycling have made account takeovers disturbingly routine.
What Advanced Identity Keys Actually Do — And Why They Matter
At its core, the Advanced Identity Keys system introduces a cryptographic key pair that is generated and stored on a user’s device. When someone attempts to register a WhatsApp account on a new device, the system will require verification not just through a phone number and SMS code, but through possession of the identity key associated with that account. This means that even if an attacker manages to intercept an SMS verification code — through SIM swapping, SS7 network exploitation, or social engineering a mobile carrier — they still cannot take over the account without access to the original device’s cryptographic key.
This is a direct response to one of the most persistent vulnerabilities in mobile messaging security. SIM-swap attacks, in which a hacker convinces a wireless carrier to transfer a victim’s phone number to a new SIM card, have been responsible for high-profile account takeovers affecting journalists, activists, corporate executives, and ordinary users alike. The FBI’s Internet Crime Complaint Center reported that SIM-swapping complaints resulted in more than $68 million in losses in 2021 alone, and the problem has only grown since. By decoupling account identity from phone number ownership, WhatsApp is addressing the root cause rather than merely adding another layer of SMS-based verification.
A Direct Challenge to SIM-Swap Fraud and State-Sponsored Surveillance
The timing of WhatsApp’s move is notable. In recent months, there has been growing public awareness of the tools and techniques used by both criminal hackers and government agencies to compromise messaging accounts. The ongoing fallout from the Pegasus spyware scandal — in which NSO Group’s surveillance software was found on the phones of journalists, politicians, and human rights workers around the world — has kept the issue of messaging security in the headlines. WhatsApp itself was the plaintiff in a landmark lawsuit against NSO Group, and a U.S. federal jury in December 2024 found that NSO had violated federal anti-hacking laws by targeting WhatsApp users.
Advanced Identity Keys won’t stop a zero-click exploit like Pegasus from compromising a device entirely, but they do raise the bar significantly for the most common forms of account takeover. For the vast majority of WhatsApp users, the threat isn’t a nation-state deploying million-dollar spyware — it’s a scammer who has talked a mobile carrier’s customer service representative into porting a phone number, or a hacker who has purchased leaked credentials on a dark web marketplace. Against those threats, device-bound cryptographic keys represent a meaningful upgrade.
How WhatsApp’s Approach Compares to Competitors
WhatsApp is not the first messaging platform to move toward device-bound identity verification. Apple’s iMessage has long used a system in which encryption keys are tied to Apple ID accounts and specific devices, though the company has faced criticism for the opacity of its key management infrastructure. Signal, the encrypted messaging app favored by security professionals and privacy advocates, uses a registration lock feature that requires a PIN to re-register an account, and its protocol — which WhatsApp itself adopted for end-to-end encryption — has been widely regarded as the gold standard for secure messaging.
What distinguishes WhatsApp’s implementation is scale. Signal has an estimated 40 to 50 million users worldwide. iMessage is limited to Apple’s hardware ecosystem. WhatsApp, by contrast, operates across both iOS and Android and serves more than two billion users in virtually every country on earth. Deploying a cryptographic identity system at that scale — without breaking the experience for users who frequently change devices, lose phones, or share devices with family members in developing markets — is an engineering and design challenge of enormous complexity. The fact that WhatsApp appears to be rolling this out as a default feature rather than an opt-in setting suggests that Meta’s security team has invested significant resources in making the system work for its most technically unsophisticated users.
The Technical Architecture Behind the Upgrade
While WhatsApp has not published a full technical white paper on Advanced Identity Keys at the time of this writing, security researchers who have examined early implementations suggest that the system likely builds on the existing Signal Protocol infrastructure that underpins WhatsApp’s end-to-end encryption. In that protocol, each device generates a unique identity key pair — a public key and a private key — when the app is first installed. The public key is shared with WhatsApp’s servers and with contacts, while the private key never leaves the device.
The new system appears to extend this model by making the identity key a required factor in the account registration process. Previously, the identity key was used primarily for encrypting messages and verifying contacts’ identities through safety number comparisons. Under the new system, the key also serves as proof of account ownership. This means that when a user sets up WhatsApp on a new phone, they will need to transfer their identity key from the old device — likely through an encrypted backup, a QR code transfer, or a device-to-device migration — in addition to verifying their phone number. If the key cannot be produced, the account cannot be claimed, regardless of whether the attacker has access to the phone number.
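To make the proof-of-possession idea concrete, here is an added sketch, not WhatsApp's code or published design: a registration check that demands both the SMS code and a signature over a server challenge made with the identity key on record. The use of Ed25519, the names `Registrar`, `transcript`, `Claim` and `Simulate`, and the sample phone number and code are all assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"fmt"
)

// Registrar is a hypothetical registration service: each phone number maps
// to the public identity key the device uploaded at first install.
type Registrar map[string]ed25519.PublicKey

// transcript binds a signature to one phone number and one server nonce.
func transcript(phone string, nonce []byte) []byte {
	return append([]byte("register:"+phone+":"), nonce...)
}

// Claim succeeds only when both factors hold: the SMS code matches AND the
// nonce is signed by the identity key on record for the number.
func (r Registrar) Claim(phone, sent, got string, nonce, sig []byte) bool {
	pub, ok := r[phone]
	if !ok {
		return false
	}
	smsOK := subtle.ConstantTimeCompare([]byte(sent), []byte(got)) == 1
	return smsOK && ed25519.Verify(pub, transcript(phone, nonce), sig)
}

// Simulate runs a SIM-swap attempt and a legitimate device migration.
func Simulate() (attacker, owner bool) {
	ownerPub, ownerPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	phone, code := "+15550100", "482913" // constructed sample values
	r := Registrar{phone: ownerPub}
	nonce := make([]byte, 32) // fresh server challenge, single use
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	msg := transcript(phone, nonce)
	// SMS code intercepted, but the signing key is not the one on record.
	attacker = r.Claim(phone, code, code, nonce, ed25519.Sign(otherPriv, msg))
	// Identity key was transferred to the new device, so the proof verifies.
	owner = r.Claim(phone, code, code, nonce, ed25519.Sign(ownerPriv, msg))
	return attacker, owner
}

func main() { fmt.Println(Simulate()) }
```

A production service would also expire each nonce after one use so that a captured signature cannot be replayed.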
What Happens When Users Lose Their Phones
The obvious question this raises is what happens when a legitimate user loses their device and, with it, their identity key. WhatsApp has historically allowed users to recover their accounts simply by re-verifying their phone number on a new device, a process that takes minutes. If Advanced Identity Keys make that impossible, the company risks locking millions of users out of their own accounts every year.
According to details reported by MSN, WhatsApp is expected to offer recovery mechanisms that balance security with usability. These may include encrypted cloud backups of identity keys — stored in Google Drive or iCloud with user-controlled encryption passwords — as well as the option to designate trusted contacts who can help verify a user’s identity during the recovery process. The company has already implemented a similar trusted-contacts recovery system for its end-to-end encrypted chat backups, which launched in 2021, so the infrastructure for this kind of social recovery is already in place.
The Broader Industry Trend Toward Passwordless and Phishing-Resistant Authentication
WhatsApp’s move also fits within a broader industry shift away from knowledge-based authentication — passwords, PINs, and SMS codes — toward possession-based and biometric authentication methods. The FIDO Alliance’s passkey standard, which has been adopted by Apple, Google, and Microsoft, uses device-bound cryptographic keys to replace passwords for website and app logins. Google reported in 2024 that passkeys had been used more than one billion times across its services, and the technology is rapidly becoming the default authentication method for major platforms.
By implementing a similar cryptographic identity model for account registration, WhatsApp is effectively bringing passkey-like security to the messaging layer. This is significant because messaging accounts are increasingly used as identity anchors — for two-factor authentication, business communications, financial transactions, and government services — particularly in markets like India, Brazil, and Indonesia where WhatsApp functions as essential digital infrastructure. Securing those accounts against takeover is not just a privacy issue; it is an economic and governance issue.
What Users Should Do Now
For WhatsApp’s two billion users, the immediate action items are straightforward. First, ensure that two-step verification — the existing PIN-based protection that WhatsApp already offers — is enabled on your account. This feature, which has been available since 2017, adds a six-digit PIN that is required when re-registering your phone number with WhatsApp. It is not as strong as a device-bound cryptographic key, but it provides meaningful protection against casual account takeover attempts and will likely work in concert with Advanced Identity Keys once the new system is fully deployed.
Second, keep your WhatsApp app updated. Security features like Advanced Identity Keys are typically rolled out in stages, and running the latest version of the app ensures that you receive the upgrade as soon as it becomes available in your region. Third, be wary of any unsolicited messages or calls asking you to share verification codes, even if they appear to come from WhatsApp or from contacts you know. Social engineering remains the most common vector for account compromise, and no amount of cryptographic protection can defend against a user who voluntarily hands over their credentials.
The deployment of Advanced Identity Keys marks a significant step forward for WhatsApp and for the broader messaging industry. It will not eliminate every threat — sophisticated state-sponsored attackers will continue to find ways to compromise high-value targets — but it will make the most common and damaging forms of account takeover substantially harder to execute. For a platform that serves as the primary communication channel for billions of people, that is a change with real consequences.