It’s insanely popular with the security community, but secure messaging app Signal has not yet reached the dizzy heights of its closest competitor WhatsApp’s 2 billion users. I use Signal all the time, but sadly very few of my friends and family are prepared to ditch WhatsApp—despite the fact it’s owned by Facebook and is less secure and private.
But I’m an eternal optimist, and I’m hoping that Signal might be about to encourage more people—at least those who are security and privacy-minded—to join its ranks. That’s because Signal has just introduced PINs as a form of identifying yourself instead of a phone number. This will pave the way for it to move away from using your phone number as your digital ID.
As Signal acknowledges in a blog post announcing the move, many users have been asking for addressing that isn’t based on phone numbers, and the ability to chat with contacts that aren’t saved in an address book. But if you don’t use your phone number as your digital ID, your data can also be lost if your phone breaks or is stolen.
Signal PINs are based on Secure Value Recovery, which Signal previewed in December. This allows supporting data such as your profile, settings and who you’ve blocked to be securely recovered if you lose or switch devices, Signal said.
“PINs will also help facilitate new features like addressing that isn’t based exclusively on phone numbers, since the system address book will no longer be a viable way to maintain your network of contacts,” Signal added, hinting at how PINs will pave the way for the even better feature to come.
When can I get the new Signal PIN feature?
The new Signal feature is already available to users, tech site ZDNet reports.
I opened my Signal app and was encouraged to “Create a PIN” via a box at the bottom of the screen. You then just type in your PIN—at least four digits but preferably longer and a combination of letters and numbers—and you are ready to go.
If the box doesn’t come up for you, you can go into your Settings and find the option under Privacy and select “Signal PIN.”
At first, Signal will require your PIN regularly, then it will gradually ask for it less often over time (12 hours, 1 day, 3 days, 7 days, 14 days). This is so you don’t forget it—which could be a problem as Signal does not have access to the PIN.
WhatsApp offers the ability to use PINs as an extra form of security to stop your phone number identity from being stolen.
Why this Signal move matters
In the battle to entice WhatsApp users, it’s certainly a good starting move by Signal, in many ways because it paves the way for more security and privacy in the future.
“The fact that the PIN code doesn’t leave your device and is used to encrypt personal data like profile information and contacts on the client is a significant security and privacy improvement,” says cybersecurity professional John Opdenakker. “It implies that even if this data did get stolen from Signal’s servers, it would be useless for attackers who don’t have your PIN code.”
In general, Opdenakker thinks it would be better if all messaging apps moved away from using phone numbers as a user ID. “The less personal data you need to provide to use a service, the better for your privacy.”
And WhatsApp could get a similar feature. Today (May 21), it was revealed that WhatsApp is adding the option for users to send a personal QR code which will load their contact details into another phone. As Zak Doffman reports, the QR code for back up currently includes your phone number but could be replaced in the future by a different unique identifier.
Security researcher Sean Wright agrees that the move away from phone numbers is “good from a privacy point of view.”
However, he points out that it is not entirely clear how it is going to work in practice. “I think we need more details about the Signal feature to see how much of an impact it will really make.”
“Using phone numbers as identifiers can come with problems and so this is the next step to improve its protection and attempt to move away from them altogether,” says ESET cybersecurity specialist Jake Moore.
However, Signal will store the data in the cloud so it’s not just on your phone (although the app does not store your actual messages in the cloud and this will not change with the PIN feature). “I would have thought users would have preferred the choice,” Moore says.
So the Signal PIN on its own isn’t the answer to everything and doesn’t beat WhatsApp’s usability just yet, but it does add extra security and further reveals what’s to come. Secure messaging without needing a phone number isn’t here yet, but hopefully it will be very soon.