WhatsApp already supports two-step authentication (2FA) by making password acceptance conditional on entering an additional code received or generated on a trusted device. But while it largely solves the shortcomings of traditional passwords, the 2FA system is not completely foolproof, and there are ways in which a well-motivated hacker can obtain the secondary authentication code.
The ways a hacker could get your 2FA code are by no means few. SMS messages can be intercepted as soon as they are displayed on your phone, as can the one-time codes generated by apps like Google Authenticator. All it takes is for the chosen target to be tricked into installing a compromised app for the attacker to be able to see everything that’s happening on their phone screen.
In trying to address this problem, Meta is considering introducing an additional step in the authentication process. So in addition to the password and 2FA code, WhatsApp users will also have to confirm, on the already authenticated device, that the account is being moved to another device. The process involves displaying a Yes/No dialog where the user is alerted that their WhatsApp account is about to be moved to another device and can intervene to block this if they are not the one who initiated it.
Even if this extra step doesn’t offer complete protection either, it at least complicates things for a potential attacker, for whom seeing what is displayed on the screen is no longer enough. Taking over the phone or tablet’s touch interface to issue commands on the user’s behalf requires entirely different permissions and is much more difficult to implement, especially on modern versions of Android and iOS.
Although even WhatsApp administrators admit that displaying that dialog is more intrusive and might even scare off uninitiated users, protecting communications and the entire archive of messages/attachments is worth the trouble.
At the moment, the new security feature is in the testing stage with a small group of users, and it remains to be seen whether or not it will end up being rolled out to all users of the messaging platform.