So, it’s finally here. WhatsApp has suddenly revealed the details behind its biggest update in five years. This is the one we’ve all been waiting for—an absolute game-changer for the messaging giant’s 2 billion users around the world.
This year has been something of a rollercoaster for WhatsApp. It entered 2o21 fighting back against data harvesting criticisms levelled in light of Apple’s privacy labels, and then it was hit even harder with a user backlash against plans to change its terms of service and, seemingly, share more data with Facebook.
But that was then, and this is now. WhatsApp has spent the last few months restoring user trust and confidence in the platform. And, it has done this well. A series of privacy campaigns focused on its end-to-end encryption, emphasizing that neither WhatsApp nor Facebook can access user content.
More importantly, though, WhatsApp has been feverishly plugging functionality gaps. We saw disappearing messages and then a useful “view once” media update. We have seen a raft of tweaks around links and media handling. All good but all as nothing compared to what’s finally been revealed—multi-device access.
While iMessage and Signal users can easily switch from phones to tablets to desktops, this has never been possible with WhatsApp. Yes, there’s a clunky Web/PC/Mac app which is just a screen scape of a user’s phone, but that’s clearly not the same.
Facebook Messenger and Telegram also offer multi-device options, of course; but neither end-to-end encrypt by default, and so they have issues of their own. No, the trick that iMessage and Signal have achieved is to link devices without compromising security. It’s no mean feat—and both do it seamlessly.
But neither is perfect. Signal is very much security first, and that means no syncing between linked devices—each is essentially an independent endpoint attached to a user’s account, only operating while linked. And while iMessage does sync across all a user’s trusted devices, as soon as you message someone outside Apple’s ecosystem, the blue iMessage bubbles turn green and there’s no security anywhere to be seen.
Cue WhatsApp. When they called to tell me about this new update, the team were genuinely excited. “For years,” their formal announcement, released today, says, “people have been asking us to create a true multi-device experience that allows people to use WhatsApp on other devices without requiring a smartphone connection.”
That multi-device access is coming to WhatsApp is no secret. We’ve been talking about it for years, and the platform’s boss Will Cathcart and his boss Mark Zuckerberg confirmed it was coming during an impromptu online interview last month.
But now it’s finally here. It will start pretty much right away with a “limited public beta,” but then the live rollout will see users around the world gradually invited to opt into the new feature. “To achieve this,” WhatsApp says, “we had to rethink [our] architecture and design new systems to enable a standalone multi-device experience while preserving privacy and end-to-end encryption.”
What it means is resolving the twin challenges of issuing multiple encryption keys for each user, and then allowing each of a user’s endpoints to trust one another, to share metadata and account settings that are not sent during normal messaging.
Absent end-to-end encryption, this is easily done. But when you need to ensure that no messages can be intercepted between sender and recipient, you need to add that same level of security to the spider’s web of traffic routing between senders’ and recipients’ multiple devices. And when that extends to groups, the architecture gets very complex.
“Prior to our introducing multi-device,” WhatsApp explains, “everyone on WhatsApp was identified by a single identity key from which all encrypted communication keys were derived. With multi-device, each device now has its own identity key.”
Remember, that complexity isn’t connecting devices and syncing messages, it’s ensuring that the security of those connections cannot be compromised. By way of example, WhatsApp points out that it has overcome “the challenge of preventing a malicious or compromised server from eavesdropping on someone’s communications by surreptitiously adding devices to someone’s account.”
A user’s security code will now “represent the combination of all of someone’s device identities,” which means that anyone messaging that user can verify that every device receiving the message is authorized to do so.
Users will continue to link new devices with the same QR code system that’s currently used. The biometric authentication WhatsApp recently deployed remains in place and users can check the list of linked devices, disavowing devices if necessary. WhatsApp is also extending its multi-device architecture to include voice and video calls.
One other thing that won’t change with this multi-device update is that you can still only use WhatsApp on one phone, which will be the primary device attached to your account. What is new is that you’ll be able to link your account to four “non phone devices simultaneously.” Each of those devices will independently access your account, so even if all the others—including your phone—are switched off, it still works.
This is very different from the current system where your web, Portal, Mac or PC app connects directly to your powered-on phone, and just scrapes messages over a secure connection, enabling you to respond via that connection through your phone.
This clunky arrangement “comes with some significant reliability trade-offs,” WhatsApp admits. “Companion devices are slower and frequently get disconnected, [and] it also allows for only a single companion device at a time, meaning people can’t be on a call in Portal while checking their messages on their PC, for example.”
And so, while in an ideal world there would be no primary device, with all endpoints operating on an equal footing, this is still a game-changer for WhatsApp. “The new multi-device architecture no longer requires a smartphone to be the source of truth while still keeping user data seamlessly and securely synchronized and private.”
Each time you link a new device, WhatsApp will prime the device with a “bundle of messages from recent chats,” meaning the chats still likely ongoing will be available. It’s not clear how extensive this will be, and once this goes live it is likely to prompt requests for ever more of a chat history to be synced at the start. This is one area where iMessage excels—essentially syncing full message history to all endpoints.
There are two additional WhatsApp updates needed to ensure that its multi-device architecture hits all the right notes.
First, end-to-end encrypting its iCloud/Google Cloud backups, used to transfer WhatsApp accounts to new phones or to recover accounts when phones are lost or stolen. Users can overcome this issue by using direct device transfers or non-cloud backups, but neither of those options help if a device has been lost. This is another area where iMessage excels. You can sync a new device by simply adding it to your account.
And second, some form of trusted device verification. Most of you will have read about WhatsApp account hacks, where users are tricked into sharing SMS verification codes that are then used to steal their accounts. Attackers then receive new messages until the account is restored to its rightful owner, which can take weeks.
Apple and Google default to device verification, whereby an already logged-in device verifies a new device. WhatsApp will likely struggle to replicate this, given that the phone still operates as a primary endpoint that needs to be verified. But, fortunately, there’s a simple fix—just make sure you set up two-factor authentication in your app.
Where iMessage fails, of course, is over its lack of cross-platform support. While Apple debated launching an Android client some years ago, that didn’t happen and there doesn’t seem any chance of one anytime soon. Ultimately, that’s the clincher here. You can have the best end-to-end encryption in the world, but if it only works across one-third of the world’s users then it fails.
WhatsApp built its own user base by offering a cross-platform, cross-network alternative to SMS, now it needs to innovate and evolve to maintain it. And this is clearly a major step forward. It’s no exaggeration to say this is WhatsApp’s biggest update since end-to-end encryption five-years ago. And it’s heading your way soon. Enjoy.