WhatsApp is developing a new security feature that will let users create a password for their accounts. This password will add another layer of protection on top of existing measures like two-step verification and device authentication. Currently, this feature is still in development and not yet available widely, but it shows WhatsApp’s commitment to improving account security as online threats change.
The new “WhatsApp Password” feature will ask users to enter a password after they enter their account verification code during login or re-authentication. This aims to prevent unauthorised access, even if someone gets hold of the six-digit verification code, often used in scams like SIM swapping.
According to reports, WhatsApp’s upcoming password feature will work alongside two-step verification, strengthening protection by requiring:
- The six-digit SMS or verification code that confirms a user’s ownership of the phone number, and
- A user-chosen alphanumeric password that must be entered before access is granted.
This password must be between 6 and 20 characters long and include both letters and numbers. WhatsApp will help users choose strong passwords by showing indicators of password strength. Users will also be able to change or remove their passwords anytime.
This new feature will be optional, meaning users can decide whether to enable it, similar to the current two-step verification system. However, it offers an important benefit: it keeps accounts safer even if verification codes are compromised.
Currently, WhatsApp provides some security features, including:
- End-to-end encryption for messages, calls, and media, meaning WhatsApp itself cannot read users’ private conversations.
- An optional two-step verification PIN that users must enter along with the SMS verification code when they log in.
- Features like Strict Account Settings, which limit interactions with unknown contacts to reduce the risk of cyberattacks.
Despite these protections, WhatsApp accounts are still attractive targets for attackers, as over 2 to 3 billion people use the app for personal and business communication. Cybersecurity experts have identified various methods attackers use to compromise accounts, such as SIM-swap fraud and device-pairing exploits, which can bypass standard verification if only SMS codes are used.
By requiring a password that an attacker can’t access with a stolen verification code, WhatsApp is moving toward a security approach similar to multi-factor authentication (MFA) used by email and banking services. This is a significant change from its current method, which mainly relies on SMS codes and optional PINs.
WhatsApp has been improving its security over the last few years. For example, in 2025, it made encrypting chat backups easier by introducing encryption that uses passkeys. This protects backups stored in iCloud or Google Drive with biometric methods like fingerprints or facial recognition. It has also implemented Strict Account Settings for high-risk users, such as journalists, to offer more protection. The company supports passkeys, which are cryptographic keys that allow for passwordless logins.
Adding a dedicated account password would strengthen the balance between device-level security and account-level protection, like security methods used by many banking and business systems.
If WhatsApp launches the password feature globally, users will have more options to protect their accounts beyond SMS codes and PINs. This will help reduce the risk of account takeovers, granting users more control over access, especially in areas where SIM-swap attacks are common. Users can choose whether to opt in or out based on their convenience and security needs.
For now, the feature is still being developed, and WhatsApp hasn’t announced a timeline for its release or testing. However, its presence in internal builds indicates that Meta is focusing on improving security beyond basic encryption.
