WhatsApp's latest security feature may be a nuisance for password manager users
WhatsApp users may set up the application to create automatic backups of their data; this is useful for several purposes, including moving from one device to another without losing all messages and other data in the process.
The messaging service has supported end-to-end encrypted backups since 2021, which protect backups with a custom password that the user selects. This resolves the issue that WhatsApp backups are not encrypted during transport from the device to the cloud storage.
Soon, WhatsApp will ask users to type the password for their backups regularly. It is a security precaution to make sure that users have not forgotten their passwords. To continue, WhatsApp users need to type the backup password and hit the continue button.
If they have forgotten the password, they may select "turn off encrypted backups" instead. Later, they may restore encrypted backup functionality by setting a new password in WhatsApp.
Wabetainfo discovered the new feature. It is available in the latest versions of WhatsApp for Android and iOS, and will roll out to more users in the coming weeks.
The password reminder reduces the risk of losing complete access to backups and the ability to restore backups. Users who forget the password can't restore backups anymore.
WhatsApp users may configure encrypted backups under Settings > Chats > Chat Backup > End-to-end encrypted backup. Note that WhatsApp backups consume space on the cloud storage service.
Potential issue for password manager users
The password reminders will be displayed regularly to users, which may pose a problem for users who use password managers.
If the WhatsApp backup password is stored in a manager, that manager needs to be opened to access the password and complete the WhatsApp prompt. WhatsApp users who only use a password manager on other devices are affected by this even more.
WhatsApp could resolve this by making the prompts optional. A switch in the Settings could allow users to turn off the prompts. If WhatsApp adds a scary-looking disclaimer to the prompt, it might even keep users who do not use a password manager from turning the feature off.
Closing Words
WhatsApp is already using a similar prompt to make sure that two-factor authentication is working correctly. It is unclear what is going to happen to previous backups if the user can't remember the password anymore.
Now you: do you use WhatsApp's backup feature?
Whatsapp and security/privacy? All the cool nerds use Signal, Briar, Threema and Conversations.