Alexandre Bally
· 4 min read

Protect your WhatsApp and Signal — it takes two minutes

A simple guide to turning on two-step verification for WhatsApp and Signal — and why you should never share a security code with anyone who asks.


Before you read on — please share this

Think about who in your life might not know about this. A parent, a friend, someone in your neighbourhood group chat. Share this article with them now — two minutes of their time could save them a lot of grief.

I want to tell you about something that happened to someone close to me. They received a WhatsApp message from a friend — someone they'd known for years — asking them to forward a six-digit code that had just arrived by text. "Sorry, I sent it to your number by mistake. Could you send it back?" It sounded perfectly reasonable. So they did.

Within minutes, they were locked out of their own WhatsApp account. All their conversations, all their groups, gone. And the person who took it over immediately started sending the same message to everyone in their contact list, using their name, their photo, their trust.

It can happen to anyone. It doesn't matter how careful or how clever you are — these messages are designed to catch you in a busy moment when you're just being helpful. That's what makes them so effective.

I've had this conversation so many times now — over dinner, on the phone, sometimes helping someone recover an account that's already been taken. So I decided to write it all down, the way I'd explain it if we were sitting together with a coffee. Because the good news is: protecting yourself is genuinely easy. Two minutes, and you're done.

The golden rule

This is the single most important thing in this entire article, and I'd love for you to remember it:

Never share a verification code with anyone. Ever.

Not with a friend who asks for it. Not with someone claiming to be from WhatsApp or Signal. Not with your bank, not with your phone company. Nobody legitimate will ever ask you for a code that arrived on your phone. If someone does, that's how you know something is wrong — no matter how convincing the message looks or who it appears to come from.

The code is yours. It's like the key to your front door. You wouldn't hand that to someone just because they sent you a friendly message, and this is no different.

A small step that makes a big difference

Both WhatsApp and Signal have a built-in safety feature that most people don't know about. It's called two-step verification — and once you turn it on, even if someone somehow gets hold of that code, they still can't take over your account. They'd also need a personal PIN that only you know.

Think of it this way: your phone number is like your address — people know where you live. The verification code is like the lock on your door. But two-step verification adds a deadbolt. Even if someone picks the lock, the deadbolt stops them.

The best part? Setting it up is genuinely quick. No technical knowledge needed. If you can send a WhatsApp message, you can do this.

How to turn it on in WhatsApp

Open WhatsApp on your phone. Tap Settings (the gear icon, usually bottom right on iPhone or top right on Android). Then tap Account, then Two-step verification, then Turn on.

WhatsApp will ask you to choose a six-digit PIN. Pick something you'll remember — but not something obvious like 123456 or your birthday. You can also add your email address as a safety net, in case you ever forget the PIN. I'd recommend doing that.

That's all there is to it. WhatsApp will ask you for this PIN from time to time, just so it stays fresh in your memory.

WhatsApp

Enable two-step verification

  1. Open Settings

     Tap the gear icon (bottom-right on iPhone, top-right on Android)

  2. Tap Account

  3. Tap Two-step verification

  4. Tap Turn on

  5. Choose a 6-digit PIN

     Pick something memorable — not 123456 or your birthday

  6. Add your email address

     Optional but recommended — lets you reset the PIN if you forget it

  7. Confirm and you're done

     WhatsApp will ask for this PIN occasionally to keep it fresh

How to turn it on in Signal

If you use Signal, open the app and go to Settings, then Account, then turn on Registration Lock. Signal uses a PIN you may have already created when you first set up the app — if not, it will help you create one now.

Once registration lock is on, your Signal account is tied to that PIN. Nobody can move it to another phone without it.

Signal

Enable registration lock

  1. Open Settings

     Tap your profile icon or the menu in the top corner

  2. Tap Account

  3. Toggle on Registration Lock

     You'll be asked to confirm your Signal PIN

  4. Done

     Your account is now tied to your PIN — nobody can move it without it

If someone asks you for a code

Now you know the rule — but what should you actually do in the moment? If you get a message from anyone asking you to share a code, here's what I'd suggest:

Don't reply to the message. Don't forward the code. Instead, pick up the phone and call that person directly — not through WhatsApp, but a regular phone call, or speak to them face to face. Ask them: "Did you just send me a message asking for a code?"

Almost always, the answer will be no. What's happened is that their account has already been taken over, and the person behind it is now working through their contact list, one by one, using their name and their photo to trick the people who trust them most.

If it's already happened to you

Maybe you're reading this and thinking: "That's exactly what happened to me." If so — first of all, don't feel embarrassed. This scam works precisely because it targets good, trusting people who are just trying to be helpful. It's not a reflection of how smart you are. It's a reflection of how clever the scam is.

Here's how to get your account back.

WhatsApp: Open the app (or reinstall it if needed) and go through the normal setup process with your phone number. WhatsApp will send you a new verification code by SMS. Once you enter it, your account will be restored to your phone and the person who took it will be automatically logged out. If they've set up two-step verification on your stolen account, you may need to wait up to seven days before you can get back in — but they won't be able to use the account during that time either. Once you're back in, turn on two-step verification straight away so this can't happen again.

Signal: If you had registration lock turned on before the theft, you're already protected — they won't have been able to take over your account in the first place. If you didn't, reinstall Signal, register with your phone number, and the app will guide you through reclaiming it. Once you're back in, turn on registration lock immediately.

In both cases: Let your contacts know as soon as possible that your account was compromised. A quick message in your main group chats or a post on social media — something like "My WhatsApp was hacked. If you received any strange messages from me asking for a code, please ignore them and don't share any codes." The sooner people know, the less likely the scammer can use your name to trick someone else.

And if the scammer has been sending messages to your contacts pretending to be you, don't be afraid to follow up personally with the people closest to you. A quick phone call goes a long way — both to warn them and to reassure yourself that no real damage was done.

Official guides and further reading

For detailed, up-to-date instructions with screenshots, see the official documentation:

Now take those two minutes

Put down this article, open WhatsApp, open Signal, and turn on the verification. It really is that quick, and future-you will be glad you did.

We look out for each other. That's what friends do.
