For many of us, WhatsApp has been key in keeping in contact with friends and family during the pandemic. Unfortunately, the app raised privacy alarms in January when it asked users to consent to sharing their data with Facebook, causing many users to question its safety and abandon the app for rival messaging services.
While WhatsApp originally asked users to agree to the new policy by February 8, the app recently extended that timeline to bring the policy into effect on May 15. This has given the app more time to convince users that their data is in good hands despite Facebook’s more than questionable track record.
Following the negative outcry, WhatsApp revealed that it would be increasing the security of its desktop and web apps.
Going forward, desktop users with compatible phones will be asked to confirm their identity with their face or fingerprint before scanning the QR code as usual to link a WhatsApp account on the web.
According to the app, this will limit the possibility that someone else in your home or workplace could link devices to your WhatsApp account without your knowledge. WhatsApp has also reassured users that the face and fingerprint authentication process takes place on the device and that the app cannot access the biometric data stored on its users’ phones itself.
So, how safe is WhatsApp? We reached out to three security gurus from Kaspersky, F-Secure and McAfee to find out whether WhatsApp is doing enough to keep our data safe. Here’s what we learned.
“The aim of Whatsapp’s latest privacy tool is to secure access to the desktop and web versions of the messaging platform”, said Kaspersky’s Principal Security Researcher David Emm.
“Now, in order to log in, people must unlock their phone and scan the QR code, thereby providing a second factor of authentication. Since WhatsApp requires you to use Touch or Face ID to do this, it will prevent unauthorised actors from accessing WhatsApp Desktop or WhatsApp Web, even if they have obtained access to your mobile. This in turn makes the platform more secure as in theory only the device owner will be able to log in on the web. However, it’s worth noting that if somebody else has access your phone, they can still access WhatsApp on the device itself, since there is no two-factor authentication (2FA) process for the app.
“It’s great to see 2FA processes beginning to be used in communication platforms to keep personal details and conversations secure, but far more is needed for consumers to be able to trust that their data is fully secure”.
F-Secure’s Tactical Defence Principal Researcher Jarno Niemela pointed out other issues with face and fingerprint unlock. Namely, that the safety of these features depend heavily on the device they run on and the location of the user.
“Given that WhatsApp can only use the biometric capabilities provided by a phone operating system, the technical security level depends on the user’s phone”, explained Niemela.
“For example, in iPhones, the facial recognition uses Apple FaceID, which is as secure as facial recognition can be. But even with the highest quality devices, the use of biometric is a matter of operational security, so whether it is safe enough to use depends on who you are and who is targeting you.
“There are also cultural differences at play here, users that are based in a country where officials can be trusted and there is no danger of coercion, can use biometric rather safely, whereas someone in an authoritarian country may find biometric identification is a liability.
“For fingerprint biometrics, consumers need to be aware that they leave fingerprints everywhere, so using a finger that seldomly leaves prints such as the little finger might be a good idea.
“Biometrics should be used for ease of use however it is important to understand that once your biometric data is compromised it cannot be changed so using additional security controls would be ideal”.
McAfee’s Chief Scientist and Fellow Raj Samani stressed the importance of WhatsApp users taking advantage of the security features available to them, especially at a time when messaging services have become so vital.
“With the current pandemic still effecting us all globally, staying connected online has become a vital part of our everyday lives”, said Samani. “But, security risks are still very much present. McAfee’s latest research revealed that 71% of Brits recently purchased at least one connected device in 2020, while one in five bought at least three connected devices. Yet, over half did not adopt or purchase security solutions in 2020.
“This is why it is important to make sure consumers are taking the necessary security precautions when interacting online. For example, enabling multi-factor authentication on a device bolsters your security features as it uses multiple pieces of information to identify the user.
“The new biometric log-in features being rolled out across WhatsApp Web and Desktop – fingerprint, face ID, or iris ID – enables WhatsApp to not only help users improve their overall account security, but also makes accessing their messages online easier and safer too. However, this new feature only works if the user has enabled biometric authentications on their device. If a consumer uses a service that offers MFA (multi-factor authentication) like WhatsApp, we would advise them to ensure they use it. Ultimately, the more security features consumers make use of, the safer their accounts will be”.
In the midst of these privacy concerns, rival messaging apps have been taking advantage of WhatsApp’s lapse in user trust by making it easier than ever to migrate to their services. Signal has seen a surge in new users joining its platform in January, while Telegram has made it possible to transfer existing WhatsApp chats over to its encrypted service.
If you’re concerned about protecting your data online, it might be worth investing in a VPN. You can check out our favourite VPNs for speed, security and privacy in our guide.