When WhatsApp shows a notification that your security code with someone has changed, it means that the encryption keys used to secure your communication with that contact have been recreated. This usually happens when your contact reinstalls WhatsApp or gets a new device.
Why does WhatsApp use security codes?
WhatsApp uses end-to-end encryption to secure all messages, calls, photos, videos and documents shared on the platform. This means only the sender and recipient can read the contents – not even WhatsApp can decrypt them.
To enable end-to-end encryption, WhatsApp generates unique encryption keys to securely exchange information between each pair of users. These keys are then used to encrypt and decrypt all communication between those two users. The keys are regularly changed for added security.
To verify that the keys used to encrypt communication between two users are valid, WhatsApp displays a 6 digit security code when you first start chatting with someone. As long as the two codes match between users, it guarantees that the encryption keys are authentic.
Why do security codes change?
There are a few reasons why your security code with a contact may change:
- Your contact reinstalled WhatsApp – When WhatsApp is reinstalled, new encryption keys are generated which changes the security code.
- Your contact changed devices – Getting a new phone number or device also triggers new encryption keys and a change in security code.
- Your contact re-verified your number – Manually verifying your number again resets the security code.
- An update to WhatsApp changed security protocols – On rare occasions, updates to improve encryption will reset codes.
In most cases, a changed security code simply means your contact started using WhatsApp again on a new device and had their encryption keys reset. This is normal behavior and not a cause for concern.
Should I be worried when security codes change?
In most cases, a changed security code is not anything to worry about. As long as you can successfully match the new 6 digit code with your contact, it simply means they are using WhatsApp on a new device.
However, there are some rare scenarios where you should be alert when your security code changes:
- If your contact claims they did not reinstall WhatsApp or change devices recently, it could mean someone else is trying to intercept your messages. You should try to confirm with your contact out-of-band and verify they voluntarily reset the code.
- If you are unable to successfully match the new 6 digit code with your contact, it likely means someone unauthorized has tried to access one of your accounts. You should immediately stop messaging and confirm with your contact through another method.
- If your entire WhatsApp account was recently restored from a backup, it can reset all your security codes as new keys are generated. Legitimate users will be able to match the new codes but be alert for any suspicious activity.
If you have any concerns about an unexpected code change, the safest option is to stop communicating sensitive information until you can confirm your contact’s identity.
How can I verify a changed security code?
Whenever your security code changes with a contact, WhatsApp will prompt you to verify the new code. Here are the steps to successfully match a new security code:
- Open the chat with the contact whose security code changed.
- Tap on their name at the top of the chat window.
- Scroll down and tap “Verify security code”.
- A 6 digit number will be displayed. Confirm with your contact that they see the exact same number on their end.
- If the numbers match, tap “Verify” to confirm the new security code.
- If they don’t match, something fishy may be going on. Stop messaging the contact until you can confirm their identity.
Verifying a new security code ensures the encryption keys used for the chat are legitimate and your messages remain secured.
What if I didn’t verify a changed security code?
If you notice your security code has changed with a contact but did not go through the process of verifying it, you should do so immediately:
- Open the chat and tap on the contact’s name.
- Scroll down and tap “Verify security code.”
- Follow the steps to match the 6 digit number.
Without verifying a new security code, the encryption keys used to secure the chat may be invalid. This means there is a risk your messages are not end-to-end encrypted anymore.
However, WhatsApp will still show an unlocked padlock icon indicating some encryption is active. So unverified codes still provide some protection but full end-to-end encryption is only guaranteed after verification.
Can I change my security code with someone?
You cannot manually change your security code with an existing contact. Codes are automatically changed only when encryption keys are reset on either end of the chat.
However, you and your contact can trigger a reset and new code by:
- Uninstalling and reinstalling WhatsApp
- Deleting chat history with each other
- Changing devices
- Verifying your number again under profile settings
This will force new encryption keys to be generated and a new 6 digit code will need to be verified. Doing this periodically can increase privacy but is not mandatory.
Does changing my number change security codes?
Yes, changing your phone number will reset all your security codes with all contacts. Your encryption keys are tied to your specific mobile number.
After changing your number, you will have to reverify security codes with each chat before end-to-end encryption is fully restored. Your messages will remain encrypted in transit, but won’t have complete end-to-end protection until codes are verified.
Can I transfer my security codes to a new phone?
Unfortunately, existing security codes cannot be transferred when you migrate to a new phone. The codes are tied to the specific device keypairs generated on each phone.
However, to maintain seamless end-to-end encryption when changing devices, WhatsApp provides two options:
- Move your account to your new phone – This uses your encryption keys to restore your account on the new phone. All your existing security codes are maintained.
- Export chat history – You can export chats as an encrypted backup and import it on your new phone. This will let you verify new security codes easily.
Using one of these official transfer methods ensures your chats remain protected throughout the migration process.
Should I periodically re-verify security codes?
There is no need to periodically re-verify your security codes with all contacts. WhatsApp’s end-to-end encryption remains strong even if codes are not revalidated.
However, re-verifying codes essentially creates new encryption keys for that chat. Doing this occasionally adds an extra layer of privacy:
- It resets the key fingerprint making communications harder to track over time.
- It provides forward secrecy by limiting impact if keys are ever compromised.
- It forces keys to be exchanged again to confirm both users’ identities.
Balance improved privacy against the inconvenience of re-verifying all your chats. For most users, the default security is sufficient unless you have specific high risk threat models.
Should I be concerned about unchanged security codes?
An unchanged security code over a long period of time is not itself a cause for concern. WhatsApp’s encryption keys are designed to persist securely even across app updates and new messages.
However, an unchanged code could mean your communication with that contact is still using old, potentially compromised encryption keys. Resetting the code generates new keys which can improve security.
Again, for most users the default encryption is adequate. But periodically re-verifying codes provides an extra safeguard for high risk users looking for maximum privacy.
Can I transfer my WhatsApp account to a new number?
Unfortunately, you cannot directly transfer your existing WhatsApp account and message history to a brand new phone number.
WhatsApp ties each account to the specific mobile number registered on it. So to migrate accounts across different numbers, you need to rely on built-in chat history migration or manual backups:
- Local backup – Backup chats to a local file, change numbers, then restore backup on new number’s WhatsApp.
- Google Drive backup – Enable Google Drive backup, change numbers, then restore backup from Drive.
- Transfer device – Temporarily transfer your account to a new phone, then insert the new SIM.
While inconvenient, this approach does allow you to migrate between numbers while keeping encrypted chat history intact. The only alternative is to start fresh with a new account.
What are the risks of not verifying new security codes?
If you do not verify new security codes after a change, there are a few potential risks:
- Encryption may be invalid – Messages may not have true end-to-end encryption.
- Man-in-the-middle attack – A hacker could intercept your communications.
- Identity spoofing – You could be chatting with an impersonator.
- Privacy compromised – Prior conversations could be decrypted if keys are obtained.
However, WhatsApp still shows the “encrypted” indicator even without verification. So there is still some protection in place.
But for maximum security, it is highly recommended to verify new codes when prompted. Failing to do so negates some of the privacy benefits of WhatsApp’s end-to-end encryption.
Should I be concerned if I’m unable to verify new security codes?
If WhatsApp indicates your security code has changed but you are unable to successfully verify the new code, it is cause for concern.
Some potential reasons you may be unable to match the 6 digit code:
- The contact’s account is hacked or compromised.
- An unauthorized third party is intercepting your chat.
- Law enforcement has legally accessed one account.
- WhatsApp’s servers have been breached.
An unverifiable code likely means your chat is no longer end-to-end encrypted. You should immediately stop sending sensitive information and confirm your contact’s identity out-of-band.
Should I verify security codes after restoring from backup?
Yes, it is important to verify security codes after restoring your WhatsApp account from a backup, either local or Google Drive.
The restoration process generates new encryption keys, invalidating your existing codes. Without re-verifying, your chats do not have complete end-to-end encryption.
The WhatsApp FAQ states backups are encrypted so chat history remains private. But for maximum security, you should still re-validate all your security codes after restoration.
Conclusion
WhatsApp’s security code change notification is an important mechanism to maintain end-to-end encryption. It allows users to verify encryption keys and detect unauthorized access.
While code changes are most often routine, you should remain vigilant about verifying them to ensure privacy. Failing to do so reduces the full security guaranteed by WhatsApp.
However, a changed code alone is not cause for panic. As long as you can successfully match and verify the new 6 digits, your chat remains secured. But any unverifiable codes could indicate foul play.
Remember to periodically re-verify codes with your most sensitive contacts for added security. Stay safe out there!