WhatsApp has added passkey protection for its end-to-end encrypted chat backups, providing users with a more straightforward, more secure way to retrieve chats instead of rummaging for long passwords or 64-character recovery keys.
As it approaches 3 billion users, WhatsApp is one of the most widely used messaging services in the world, and the feature benefits from an industry-wide push for phishing-resistant verification.

Until now, restoring a secure WhatsApp backup relied on something you know—a memorized password or a long encryption key created when Meta introduced end-to-end encrypted backups in 2021. Passkeys shift that to something you are or have. WhatsApp says you can use device-level credentials such as a fingerprint, face, or screen-lock code from a previously authorized device to unlock the backup. This changes the user model.
The approach significantly reduces the number of users who cannot access backups after forgetting a password and improves privacy over current account-recovery techniques. There is no password to steal, and access is restricted to a user’s device and biometric or local code lock—not to SMS codes that could be exposed to SIM-swapping attacks.
How WhatsApp passkeys work and boost backup security
Passkeys are built on the FIDO2 and WebAuthn standards produced by the FIDO Alliance and the W3C. They generate a cryptographic key pair per account: a securely stored private key on your device and a public key held by the service.
When you recover a backup, your device proves ownership of the private key using something you have (for example, a local biometric) or something you know (such as a screen lock), without revealing the secret.
On recent phones, those private keys live in hardware-backed secure elements or trusted execution environments. That containment offers robust protection even in the presence of malware. NIST has rated this type of authentication as “phishing-resistant.” FIDO2 fits this category because it cannot be replayed on lookalike sites or hijacked by man-in-the-middle attacks the way many web-based login credentials can be.
In WhatsApp’s case, the passkey controls your access to the encryption shielding your backup, which is stored with third-party providers like Google Drive and iCloud. Neither Meta nor the provider can read the backup; decryption is carried out solely on your device. Ransomware cannot encrypt backups during copying without your permission either.
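The challenge-response and phishing resistance described above, as an added example that is not from WhatsApp or the original article: a simplified WebAuthn-style assertion in Node.js in which the verifier checks the challenge, the origin and the signature. The origins, function names and reduced authenticator-data layout are assumptions for illustration; how WhatsApp ties the passkey to the backup encryption is not described on the page.

```javascript
// Added example: simplified WebAuthn-style assertion. All names and origins are constructed.
const { generateKeyPairSync, createHash, randomBytes, sign, verify } = require('node:crypto');

const sha256 = (data) => createHash('sha256').update(data).digest();

// Registration: the private key stays with the authenticator, the service stores the public key.
const { privateKey, publicKey } = generateKeyPairSync('ec', { namedCurve: 'P-256' });

// Authenticator side: sign authenticatorData || SHA-256(clientDataJSON).
// The client (browser or OS) records the origin it is actually talking to.
function authenticatorSign(challenge, origin, rpId) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: 'webauthn.get', challenge: challenge.toString('base64url'), origin,
  }));
  const flags = Buffer.from([0x05]); // user present (0x01) + user verified (0x04)
  const authData = Buffer.concat([sha256(rpId), flags, Buffer.alloc(4)]); // 4-byte sign counter
  const signature = sign('sha256', Buffer.concat([authData, sha256(clientDataJSON)]), privateKey);
  return { clientDataJSON, authData, signature };
}

// Service side: accept only a fresh challenge, the expected origin and a valid signature.
function verifyAssertion(a, expected) {
  const client = JSON.parse(a.clientDataJSON.toString());
  if (client.type !== 'webauthn.get') return 'bad type';
  if (client.challenge !== expected.challenge.toString('base64url')) return 'stale or replayed challenge';
  if (client.origin !== expected.origin) return 'origin mismatch';
  if (!a.authData.subarray(0, 32).equals(sha256(expected.rpId))) return 'rpId mismatch';
  if ((a.authData[32] & 0x04) === 0) return 'user not verified';
  const signed = Buffer.concat([a.authData, sha256(a.clientDataJSON)]);
  return verify('sha256', signed, expected.publicKey, a.signature) ? 'ok' : 'bad signature';
}

function demo() {
  const rpId = 'service.example', origin = 'https://service.example';
  const challenge = randomBytes(32);
  const expected = { challenge, origin, rpId, publicKey };
  const genuine = verifyAssertion(authenticatorSign(challenge, origin, rpId), expected);
  // Same key and challenge, but the client reports a lookalike origin.
  const lookalike = verifyAssertion(
    authenticatorSign(challenge, 'https://service-example.test', rpId), expected);
  // A previously captured assertion presented against a newly issued challenge.
  const captured = authenticatorSign(challenge, origin, rpId);
  const replayed = verifyAssertion(captured, { ...expected, challenge: randomBytes(32) });
  // Any change to the signed bytes invalidates the signature.
  captured.authData[33] ^= 1;
  const tampered = verifyAssertion(captured, expected);
  return { genuine, lookalike, replayed, tampered };
}
console.log(demo());
```

Only the first assertion is accepted; the other three fail on the origin check, the challenge check and the signature check respectively, and the private key never leaves the signing side.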

Practical caveats for cross-device passkey synchronization
There are a few practical caveats. If you lose all devices associated with your account and do not have passkey synchronization for your platform enabled, recovery might still be difficult.
On iOS and Android, passkeys can sync across Apple and Google ecosystems using end-to-end encryption, but you may want to consider your options if you plan to switch ecosystems before relying on passkeys alone.
Steps to enable passkeys for secure WhatsApp backup recovery
WhatsApp says global availability will be phased in over the coming weeks and months. To see if it’s available and enable it, follow these steps:
- Open Settings > Chats > Chat backup.
- Choose Back up using end-to-end encryption.
- If your account is eligible, set up passkeys for backup retrieval.
For the optimal experience, ensure your device biometrics and screen locks are turned on, update your operating system, and confirm that your platform’s passkey sync—iCloud Keychain on iOS or Google Password Manager on Android—is activated if you want to restore your passkeys across devices within the same ecosystem.
Context within the broader privacy and security landscape
End-to-end encrypted backups close a long-standing messaging privacy loophole. Previously, chats that weren’t end-to-end encrypted were a weak point that undermined defense in depth.
Competitors have taken different approaches. Signal avoids cloud backups on iOS altogether and uses locally encrypted backups on Android; Apple has extended its optional end-to-end iCloud backups to an additionally secured, high-assurance mode it calls Advanced Data Protection. WhatsApp’s passkey support aligns with a broader industry move to secure high-stakes information at scale based on strong encryption.
A practical security upgrade with minimal user friction
As encryption becomes increasingly regulated and companies remove passwords from consumer accounts, WhatsApp’s update appears to be a practical one: it enhances security for billions of people without reducing usability. For most users—including when restoring a backup—it is akin to unlocking their phone. It is fast, familiar, and significantly more challenging for attackers to circumvent.
