WhatsApp improves message security with two-step verification

[Wingman]

WhatsApp is implementing a new two-step verification process to boost security for users.

The optional security feature significantly increases the hurdles that a third-party would have to get over to break into a user’s account.

The feature, which has been in testing since November, is rolling out in stages. To turn on two-step verification, users need to log in to WhatsApp, navigate to Settings, then Account and enable Two-step verification.

 

[Winter Soldier]

A few days ago I tried this new feature but I've found something wrong.

This additional security layer should provide greater security and the inability to use the vulnerabilities of the SS7 protocol (to steal a WhatsApp account)

WhatsApp 2FA is implemented via pin/password and, according to my experience, 2FA protection via pin/password, is only required in a particular action, in this case, the authorisation to enable a new device. The code chosen by the user doesn't have to be requested periodically, otherwise significantly increases the risk that this code might be exposed, and then compromise!
WhatsApp has instead decided to periodically requires the user to enter the 2FA code when it would be appropriate to require it only to the activation of a new device.