Two-step verification on WhatsApp adds a personal PIN that is required whenever you register your phone number on a new device. Even if someone hijacks your phone number through a SIM swap, they cannot take over your WhatsApp without knowing your PIN. Microsoft research confirms that adding a second factor blocks over 99.9% of automated account attacks. Here is how to set it up in about 2 minutes.

WhatsApp is used by over 2 billion people worldwide as of 2026. It carries some of your most private conversations — family chats, financial discussions, personal photos, and work messages. If someone takes over your WhatsApp account, they can read your recent messages, impersonate you to your contacts, and even scam your friends and family by asking for money while pretending to be you.

Why does WhatsApp two-step verification matter?

WhatsApp accounts are tied to your phone number. When you set up WhatsApp on a new phone, the app sends an SMS code to your number to verify it is really you. The problem is that SMS codes can be stolen.

The most common attack is called SIM swapping. Here is how it works:

  1. An attacker calls your phone carrier and pretends to be you
  2. They convince the carrier to transfer your phone number to a new SIM card
  3. They now receive all your SMS messages, including the WhatsApp verification code
  4. They register your number on their phone and take over your WhatsApp

Without two-step verification, that is all it takes. With two-step verification enabled, the attacker also needs your personal 6-digit PIN — which only you know. They do not have it, so they are blocked.

As of 2026, SIM swapping attacks remain a real and growing threat. The FBI reported thousands of SIM swap complaints in recent years, with victims losing millions of dollars.

Not sure if your personal information has been compromised? Check if your email was exposed in a data breach — leaked personal details make SIM swap attacks easier for attackers.

How do you turn on two-step verification on WhatsApp step by step?

WhatsApp’s two-step verification is straightforward to enable. Here is the exact process.

On iPhone:

  1. Open WhatsApp and tap “Settings” in the bottom right corner.
  2. Tap “Account.”
  3. Tap “Two-step verification.”
  4. Tap “Enable.”
  5. Enter a 6-digit PIN of your choice. Pick something you will remember but that others cannot guess. Do not use your birthday, 123456, or any obvious number.
  6. Confirm the PIN by entering it again.
  7. Add an email address for recovery (strongly recommended — more on this below).
  8. Confirm the email address.

On Android:

  1. Open WhatsApp and tap the three dots in the top right corner.
  2. Tap “Settings.”
  3. Tap “Account.”
  4. Tap “Two-step verification.”
  5. Tap “Enable.”
  6. Enter a 6-digit PIN of your choice.
  7. Confirm the PIN.
  8. Add a recovery email address.
  9. Confirm the email.

That is it. Your WhatsApp account now has an extra layer of protection. The next time anyone tries to register your phone number on a new device, they will need both the SMS code and your PIN.

How do you choose a strong PIN for WhatsApp?

Your 6-digit PIN is the core of WhatsApp’s two-step verification. A weak PIN defeats the purpose. Here is how to pick a good one:

Do not use:

  • Your birthday or birth year (198X, 0101, etc.)
  • Sequential numbers (123456, 654321)
  • Repeated digits (111111, 000000)
  • Your phone number digits
  • Any number that someone who knows you could guess

Do use:

  • A random combination that is meaningful only to you
  • A number based on a personal memory that is not publicly known — like the house number of a childhood friend or a number from a book you read years ago
  • Something you can recall but that has no connection to your public information

Write the PIN down and keep it in a safe place at home until you have it memorised. WhatsApp will periodically ask you to re-enter it so you do not forget.
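The "Do not use" rules above can be checked mechanically. The following Python code is an added example, not part of the original guide and not WhatsApp's own code; the function name `weak_pin_reasons`, the sample birthday and the sample phone number are constructed for illustration. It goes slightly beyond the list by also flagging repeated blocks such as 121212 and sequences that wrap past 9.

```python
import re
from datetime import date

def weak_pin_reasons(pin, birthday=None, phone=None):
    """Return why a 6-digit PIN is guessable. An empty list means none of
    these rules matched, not that the PIN is proven strong."""
    if not re.fullmatch(r"[0-9]{6}", pin):
        raise ValueError("PIN must be exactly 6 digits")
    reasons = []

    # Sequential numbers (123456, 654321): every step is +1 or every step
    # is -1, counted modulo 10 so that 890123 is caught too.
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    if steps in ({1}, {9}):
        reasons.append("sequential")

    # Repeated digits (111111) and, as a generalization, repeated blocks
    # such as 121212 or 123123.
    if any(pin == pin[:k] * (6 // k) for k in (1, 2, 3)):
        reasons.append("repeated")

    # Birthday or birth year: the PIN contains YYYY, DDMM or MMDD.
    if birthday is not None:
        parts = {f"{birthday.year:04d}",
                 f"{birthday.day:02d}{birthday.month:02d}",
                 f"{birthday.month:02d}{birthday.day:02d}"}
        if any(p in pin for p in parts):
            reasons.append("birthday")

    # Phone number digits: the PIN appears as a run inside the number.
    if phone is not None:
        digits = re.sub(r"[^0-9]", "", phone)
        if pin in digits:
            reasons.append("phone")

    return reasons

# Constructed sample values, not real data.
SAMPLE_BIRTHDAY = date(1985, 1, 1)
SAMPLE_PHONE = "+1 555 010 4477"

if __name__ == "__main__":
    for candidate in ("123456", "121212", "010185", "501044", "739204"):
        found = weak_pin_reasons(candidate, SAMPLE_BIRTHDAY, SAMPLE_PHONE)
        print(candidate, found or "no rule matched")
```

Run it locally with your own birthday and number; a PIN you intend to use should never be typed into an online checker.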

Why should you add a recovery email to WhatsApp?

When you set up two-step verification, WhatsApp asks for an optional email address. This step is optional, but you should absolutely do it. Here is why:

If you forget your PIN, WhatsApp can send a reset link to your email. Without a recovery email, you will be locked out for 7 days before you can reset the PIN — and any messages you receive during that waiting period may be lost.

How to add or change your recovery email:

  1. Open WhatsApp and go to Settings, then Account, then Two-step verification.
  2. Tap “Change email address” (or “Add email address” if you skipped it during setup).
  3. Enter your email address and confirm it.

Use an email address that you have secured with its own 2FA. If an attacker controls your recovery email, they could potentially reset your WhatsApp PIN. For help securing your email, see our guide: How to enable 2FA on Gmail.

What happens after you enable WhatsApp two-step verification?

Once two-step verification is active, two things change:

When registering on a new device. If you or anyone else tries to set up WhatsApp with your phone number on a different device, they will need to enter your 6-digit PIN after the SMS verification code. Without the PIN, the setup cannot proceed.

Periodic PIN reminders. WhatsApp will occasionally ask you to enter your PIN while using the app. This is to help you remember it. You cannot turn off these reminders, and that is a good thing — it keeps the PIN fresh in your memory.

What else should you do to protect your WhatsApp account?

Two-step verification is the most important step, but here are additional precautions:

  • Never share verification codes — if someone texts or calls asking for a code WhatsApp sent you, it is a scam. WhatsApp will never ask you for codes
  • Lock your phone — use a fingerprint, face unlock, or a strong passcode on your phone itself. If someone has physical access to your unlocked phone, they can read your WhatsApp directly
  • Enable chat lock — WhatsApp lets you lock individual chats behind biometric authentication for extra privacy
  • Check linked devices — go to Settings, then Linked Devices. Remove any devices you do not recognise
  • Check for breaches: see if your email has been part of any data breach. Leaked personal details can make you a target for social engineering and SIM swap attacks

For a full overview of how two-factor authentication works and why it is so effective, read: What is two-factor authentication and how do you set it up?

Learn about what happens when your data gets stolen: What happens to stolen data on the dark web

Browse our breach database to check which companies have been compromised.

Frequently asked questions

Is WhatsApp two-step verification the same as 2FA?

Yes. WhatsApp calls it “two-step verification,” but it works on the same principle as two-factor authentication. It adds a second layer of security — a PIN you created — on top of the SMS code WhatsApp sends when you register your phone number on a new device.

What happens if I forget my WhatsApp PIN?

If you added a recovery email when you set up two-step verification, WhatsApp can send you a reset link. If you did not add an email, you will have to wait 7 days before you can reset the PIN, and any pending messages during that time may be lost.

Does WhatsApp 2FA protect my messages from being read?

Not directly. WhatsApp messages are already protected by end-to-end encryption, which means only you and the person you are chatting with can read them. Two-step verification protects against someone registering your phone number on a different device and taking over your account.

Can someone bypass WhatsApp two-step verification?

Without both your PIN and access to your phone number, an attacker cannot take over your WhatsApp account. Even if they obtain your SMS verification code through a SIM swap, they still need your PIN. This is exactly why two-step verification matters — it stops SIM swap attacks from being enough on their own.