Following Wired UK’s news on the addition of 2FA to WhatsApp, Shane Stevens, Director of Omni-Channel Identity and Trust Solutions at VASCO Data Security, commented below.

Shane Stevens, Director of Omni-Channel Identity and Trust Solutions at VASCO Data Security:

“This is interesting and is becoming common practice in the marketplace, once an app has been targeted by fraudsters several times. It is a step in the right direction and one that more app developers should be doing, but they have unfortunately been trying to mirror others who were not successful in implementing 2FA. The “optional” feature activation is a major compromise in security here. Google took a similar approach and thought they were going to move the dial on this as well, but have not gotten nearly the user acceptance they thought they would get.

“The controls that the WhatsApp team are implementing around this are good at best, but they don’t drive the harmony that’s essential between security and user experience. There is a lot more that they can and should be doing beyond their beta today. Another out-of-band email PIN, extending the access process and deleting user information will probably not drive users to activate this critically important feature. Ultimately, this move may look good to the investors and media, but really doesn’t get the job done when you have one of the most utilized apps in the world. On the other hand, adding a protective layer (such as mobile app protection) and doing a hardening of the device would drive much better security, while also making the app so much easier to use. These moves would help defend against stolen data while also creating new revenue opportunities.

“It is still mind-boggling that such hugely popular social applications resist taking leadership in driving best-in-class protection, because that extra step can truly drive a user’s trust – and new opportunity – from day one.”

Information Security Buzz