How to Enable Two-Step Verification on WhatsApp

WhatsApp's two-step verification works differently from standard TOTP-based 2FA. Instead of a time-based code from an authenticator app, WhatsApp uses a 6-digit PIN that you create yourself. This PIN is required whenever you register your phone number on a new device, providing a critical line of defence against SIM-swap attacks, in which an attacker transfers your phone number to a SIM they control and then re-registers your WhatsApp account.

How to Enable Two-Step Verification on WhatsApp

  1. Open WhatsApp on your phone.
  2. Tap the three-dot menu (Android) or Settings tab (iPhone).
  3. Go to Account → Two-step verification.
  4. Tap Enable.
  5. Create a 6-digit PIN. Choose something you can remember but that is not obvious. Do not use your phone lock code or a PIN you use elsewhere.
  6. Confirm the PIN by entering it again.
  7. Optionally, enter your email address as a backup recovery method. This is highly recommended: if you forget your PIN, WhatsApp can email you a reset link.
  8. Confirm the email address if you entered one.
  9. Tap Done.

Add your email address during setup. Without a recovery email, forgetting your WhatsApp PIN means waiting 7 days for WhatsApp to allow a PIN reset, during which you cannot use WhatsApp. The email option makes recovery much faster.
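As an added example (not from this page and not WhatsApp's own code), here is a small Python checker for the kinds of obvious PINs that step 5 warns against: a code reused from elsewhere (such as the phone lock code), well-known PINs, ascending or descending digit runs, repeated digit blocks, and date-shaped values that a birthday guess would hit. The weak-PIN list, the date heuristic and the function names are this example's own assumptions; WhatsApp's actual acceptance rules are not described on the page.

```python
import re
from typing import Iterable, List

# Constructed sample of widely used 6-digit PINs (assumption for this example,
# not a list published by WhatsApp).
WEAK_EXACT = {"123456", "654321", "111111", "000000", "123123", "112233", "121212"}


def is_sequence(pin: str) -> bool:
    """True when every digit is the previous one +1 or every digit is -1 (e.g. 456789, 987654)."""
    diffs = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return diffs in ({1}, {-1})


def is_repeated_block(pin: str) -> bool:
    """True when the PIN is one short block repeated (e.g. 111111, 121212, 123123)."""
    for size in (1, 2, 3):
        block = pin[:size]
        if block * (len(pin) // size) == pin:
            return True
    return False


def looks_like_date(pin: str) -> bool:
    """Heuristic: DDMMYY, MMDDYY or YYYYMM shapes; birthdays are easy to find on social media."""
    d1, d2 = int(pin[:2]), int(pin[2:4])
    ddmmyy = 1 <= d1 <= 31 and 1 <= d2 <= 12
    mmddyy = 1 <= d1 <= 12 and 1 <= d2 <= 31
    yyyymm = 1900 <= int(pin[:4]) <= 2099 and 1 <= int(pin[4:]) <= 12
    return ddmmyy or mmddyy or yyyymm


def pin_problems(pin: str, reused_pins: Iterable[str] = ()) -> List[str]:
    """Return a list of reasons the candidate PIN is a poor choice; empty means no issue found.

    reused_pins: other codes the user already relies on (phone lock code, card PIN, ...),
    so reuse can be flagged without this function ever storing them.
    """
    if not re.fullmatch(r"\d{6}", pin):
        return ["must be exactly six digits"]
    problems = []
    if pin in set(reused_pins):
        problems.append("reused from another lock (phone lock code, bank card, ...)")
    if pin in WEAK_EXACT:
        problems.append("on the common-PIN list")
    if is_sequence(pin):
        problems.append("ascending/descending digit sequence")
    if is_repeated_block(pin):
        problems.append("repeated digit block")
    if looks_like_date(pin):
        problems.append("looks like a date")
    return problems


if __name__ == "__main__":
    # Constructed candidates; the phone lock code here is a made-up value.
    phone_lock = "482903"
    for candidate in ("123456", "111111", "170591", "482903", "739162"):
        issues = pin_problems(candidate, reused_pins={phone_lock})
        print(candidate, "->", issues or "no obvious weakness")
```

The checker is meant to run on the device or in a password-manager style helper before the PIN is typed into WhatsApp; it never needs to send the candidate anywhere. The date heuristic is deliberately coarse (any DD/MM-shaped prefix trips it), which is the right trade-off for a six-digit secret that an attacker who already holds your phone number may get a few guesses at.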

How WhatsApp Two-Step Verification Works

After enabling two-step verification, WhatsApp will periodically ask you to enter your PIN while using the app; this is to help you remember it. More importantly, when you re-register your WhatsApp account on any device (for example, after getting a new phone or if your number gets SIM-swapped), WhatsApp requires the PIN before allowing access. An attacker who takes control of your phone number will be blocked from accessing your WhatsApp messages without the PIN.

WhatsApp vs Standard TOTP 2FA

It is important to understand what WhatsApp's two-step verification does and does not do. Unlike services that use TOTP or SMS codes at every login, WhatsApp's PIN is specifically tied to device registration. Your day-to-day use of WhatsApp on your current phone is not interrupted by 2FA prompts. The protection kicks in when someone tries to register your number on a new device, which is exactly the scenario a SIM swap creates.

Changing Your WhatsApp PIN

To change your PIN, go to Settings → Account → Two-step verification → Change PIN. You will need to enter your current PIN first. Change your PIN if you think it may have been compromised or if you set it to something too easy to guess.

Forgot Your WhatsApp PIN?

If you forget your PIN and have a recovery email set up, tap Forgot PIN? on the verification screen and WhatsApp will send a reset link to your registered email. Without a recovery email, you have two options: wait 7 days from the last time you registered the number (WhatsApp will then allow you to proceed without the PIN), or wait 30 days, after which WhatsApp will disable two-step verification entirely on the account. During this waiting period, you cannot use WhatsApp on a new device.

WhatsApp Two-Step Verification on WhatsApp Web

WhatsApp Web (web.whatsapp.com) links to your phone's WhatsApp session rather than re-registering your number independently. This means your two-step verification PIN is not required when linking a new WhatsApp Web session, only when re-registering your phone number. WhatsApp Web sessions can be managed and logged out from Settings → Linked devices.