How to Enable Two-Step Verification on WhatsApp

WhatsApp's two-step verification works differently from standard TOTP-based 2FA. Instead of a time-based code from an authenticator app, WhatsApp uses a 6-digit PIN that you create yourself. This PIN is required whenever you register your phone number on a new device, providing a critical line of defence against SIM-swap attacks, in which an attacker transfers your phone number to a SIM they control and then re-registers your WhatsApp account.

How to Enable Two-Step Verification on WhatsApp

  1. Open WhatsApp on your phone.
  2. Tap the three-dot menu (Android) or Settings tab (iPhone).
  3. Go to Account → Two-step verification.
  4. Tap Enable.
  5. Create a 6-digit PIN. Choose something you can remember but that is not obvious. Do not use your phone lock code or a PIN you use elsewhere.
  6. Confirm the PIN by entering it again.
  7. Optionally, enter your email address as a backup recovery method. This is highly recommended: if you forget your PIN, WhatsApp can email you a reset link.
  8. Confirm the email address if you entered one.
  9. Tap Done.

Add your email address during setup. Without a recovery email, forgetting your WhatsApp PIN means waiting 7 days for WhatsApp to allow a PIN reset, during which you cannot use WhatsApp. The email option makes recovery much faster.

How WhatsApp Two-Step Verification Works

After enabling two-step verification, WhatsApp will periodically ask you to enter your PIN while using the app; this is to help you remember it. More importantly, when you re-register your WhatsApp account on any device (for example, after getting a new phone or if your number gets SIM-swapped), WhatsApp requires the PIN before allowing access. An attacker who takes control of your phone number will be blocked from accessing your WhatsApp messages without the PIN.

WhatsApp vs Standard TOTP 2FA

It is important to understand what WhatsApp's two-step verification does and does not do. Unlike services that use TOTP or SMS codes at every login, WhatsApp's PIN is specifically tied to device registration. Your day-to-day use of WhatsApp on your current phone is not interrupted by 2FA prompts. The protection kicks in when someone tries to register your number on a new device, which is exactly the scenario a SIM swap creates.

Changing Your WhatsApp PIN

To change your PIN, go to Settings → Account → Two-step verification → Change PIN. You will need to enter your current PIN first. Change your PIN if you think it may have been compromised or if you set it to something too easy to guess.

Forgot Your WhatsApp PIN?

If you forget your PIN and have a recovery email set up, tap Forgot PIN? on the verification screen and WhatsApp will send a reset link to your registered email. Without a recovery email, you have two options: wait 7 days from the last time you registered the number (WhatsApp will then allow you to proceed without the PIN), or wait 30 days, after which WhatsApp will disable two-step verification entirely on the account. During this waiting period, you cannot use WhatsApp on a new device.

WhatsApp Two-Step Verification on WhatsApp Web

WhatsApp Web (web.whatsapp.com) links to your phone's WhatsApp session rather than re-registering your number independently. This means your two-step verification PIN is not required when linking a new WhatsApp Web session, only when re-registering your phone number. WhatsApp Web sessions can be managed and logged out from Settings → Linked devices.

Related Articles

Why WhatsApp 2FA Is Called Two-Step Verification

WhatsApp calls its second factor "Two-Step Verification" rather than 2FA, and it works differently from most other platforms. Instead of using an authenticator app or SMS code at login, WhatsApp requires you to set a 6-digit PIN that you create yourself. This PIN is requested whenever you register your phone number with WhatsApp (such as when setting up on a new device or after reinstalling the app), and periodically within the app as a reminder. This protects against SIM-swap attacks, where someone could otherwise take your number and register it on their device to receive all your messages.

WhatsApp Account Takeover: How 2FA Stops It

The most common WhatsApp account takeover works like this: an attacker calls you pretending to be a friend, says they accidentally sent a 6-digit code to your number, and asks you to read it back. That code is actually WhatsApp's registration code for your number. Two-step verification stops this attack because even with the registration code, the attacker cannot complete setup without your PIN. This scam has compromised millions of WhatsApp accounts globally, making two-step verification essential.

What Happens If You Forget Your WhatsApp PIN?

When you set up two-step verification, WhatsApp optionally asks for a recovery email address. If you forget your PIN, WhatsApp can send a reset link to this email. Without a recovery email, you must wait 7 days from your last WhatsApp use before the PIN can be reset, and during those 7 days you cannot use WhatsApp at all. This is deliberately strict to prevent attackers from quickly resetting your PIN after performing a SIM swap.

Frequently Asked Questions

Does WhatsApp two-step verification work on WhatsApp Web? The PIN is only requested during device registration, not during normal WhatsApp Web sessions. Your phone must be online and connected for WhatsApp Web to function.

Can I use an authenticator app with WhatsApp? No. WhatsApp does not support TOTP authenticator apps. Its two-step verification uses only the 6-digit PIN system, plus optional email recovery.

Will I be asked for my PIN every time I open WhatsApp? No. The PIN is only requested when registering your phone number on a device. WhatsApp also periodically asks you to enter it as a reminder so you do not forget it.