WhatsApp Introduces Passkey-Encrypted Backups

WhatsApp is rolling out passkey-encrypted backups, letting users protect and recover their chat history using their face, fingerprint, or device screen lock instead of remembering a long password or storing a 64-digit recovery key.

A Major Step in WhatsApp’s Encryption Journey

WhatsApp has announced a new feature that allows users to encrypt their chat backups with passkeys rather than relying on passwords or lengthy encryption codes. Passkeys are a form of passwordless authentication that combines something a user has (their phone) with something they are or know (such as biometrics or a screen lock code). According to WhatsApp, this will make end-to-end encrypted backups simpler and safer to use across iOS and Android devices.

Previously

For years, the app’s end-to-end encryption covered only live chats and calls. Messages were secure in transit but often less so once stored in cloud backups. Until 2021, backups to iCloud and Google Drive were not encrypted, which meant anyone who gained access to those cloud accounts could potentially read the stored chat history. That year, Meta introduced end-to-end encrypted backups, giving users the option to protect those files using a password or a randomly generated 64-character key. It was a major privacy milestone, but a cumbersome one: if a user lost the password or key, their backup became permanently inaccessible.

No Need to Memorise a Key

WhatsApp’s new passkey approach doesn’t change how backups are encrypted, but it does change how users unlock them. Instead of memorising a key, people can now rely on the same biometric or lock screen verification they already use to access their phone.

Why Passkeys, and Why Now?

In a blog post titled Encrypting Your WhatsApp Chat Backup Just Got Easier, the company explained the rationale behind the move. “Passkeys will allow you to use your fingerprint, face, or screen lock code to encrypt your chat backups instead of having to memorise a password or a cumbersome 64-digit encryption key,” WhatsApp said. “Now, with just a tap or a glance, the same security that protects your personal chats and calls on WhatsApp is applied to your chat backups so they are always safe, accessible and private.”

The move reflects a broader trend in cybersecurity and user experience. While passwords remain the default for most online services, they are increasingly seen as both inconvenient and insecure. Passkeys, built on the FIDO and WebAuthn standards, have been adopted by Apple, Google, and Microsoft as part of the industry-wide transition towards passwordless authentication. WhatsApp’s latest feature extends this approach to backup protection, bringing it in line with these major ecosystems.

Usability is also a central motivation. Many users either forgot their encrypted backup password or never enabled the feature at all because of fears they might lose the key. With passkeys, the backup process is far more seamless. The device itself becomes the trusted gatekeeper, using local authentication that the user already understands.

This could also help WhatsApp’s reputation among privacy advocates. The service now has over three billion monthly active users worldwide, and any improvement in accessibility could drive wider adoption of its encryption features.

When?

The company said the rollout will take place “over the coming weeks and months”, meaning not all users will see the new option immediately.

How It Works in Practice

Once available, users can enable passkey-encrypted backups through the app’s settings: Settings → Chats → Chat backup → End-to-end encrypted backup. From there, they can choose to secure their backup using a passkey rather than a password or encryption key.

The difference becomes most apparent when restoring chats to a new device. Under the old system, the user needed to type their password or locate their encryption key before WhatsApp could decrypt and restore messages. With passkeys, they simply authenticate using biometrics or a screen lock from their old device, which confirms their identity and decrypts the backup automatically.

This means that a small business owner switching to a new phone can now restore years of client messages and attachments simply by scanning their fingerprint, instead of searching for a forgotten password. It is a small change in process but a significant improvement in ease of use and data recovery.

Why This Matters to UK Businesses

In the UK, WhatsApp is used by millions of professionals as an informal business communication tool. From contractors and consultants to property managers and customer service teams, many rely on WhatsApp to share documents, voice notes, and updates. This has often created a compliance and data protection challenge. Backups stored on cloud platforms without encryption could expose client data if an employee’s personal account were hacked.

By making encrypted backups easier to use, WhatsApp is now closing one of the remaining security gaps. Businesses that use WhatsApp informally can now encourage staff to enable backup encryption without worrying that forgotten passwords will lock them out of their data. For industries handling sensitive information, such as healthcare, construction, and legal services, this makes it simpler to protect communications while maintaining accessibility.

WhatsApp’s focus on usability could also help retain users in the face of competition. Rivals such as Signal have long made privacy their main selling point, while enterprise platforms like Microsoft Teams and Slack promote compliance features and centralised data management. Making encrypted backups effortless helps WhatsApp defend its position as both a consumer and small-business communication tool.

Context

The introduction of passkeys for backups also appears to align with Meta’s wider strategy to make encryption a default standard across its messaging platforms. In late 2023, Meta completed the rollout of end-to-end encryption for Messenger and Facebook chats, drawing both praise and criticism from privacy campaigners and regulators. WhatsApp’s latest enhancement, therefore, reinforces that commitment to strong encryption, while also signalling that Meta is aware of usability barriers that have historically held users back.

At the same time, this move may raise new questions for regulators. Governments in the UK, EU, and elsewhere continue to debate how encrypted services fit with lawful access and online safety legislation. If backups are locked behind device-specific passkeys that even Meta cannot access, traditional data requests will yield little beyond metadata such as contact timestamps. That strengthens user privacy but complicates investigations where access to message history has previously depended on unencrypted backups in the cloud.

Potential Challenges and Criticisms

While the update marks another step forward in security and privacy, it is not without its caveats. For example, the security of passkey-encrypted backups depends on the strength of the device lock itself. A weak PIN or an easily accessible biometric can undermine the system. If someone can unlock a user’s phone, they may also be able to restore the encrypted backup. Users are therefore advised to maintain strong device security to benefit fully from the new system.

Recovery is another concern. Unlike a password, a biometric cannot be written down or stored safely elsewhere. That means if a user loses their device and has no other registered one to authorise the restore, they may permanently lose access to their encrypted backup. WhatsApp has confirmed that it will not store recovery copies of encryption keys, maintaining its position that “only you” can access your backup. This reinforces privacy but leaves no route for account recovery if the passkey cannot be used.

The staggered rollout also means adoption will be uneven. Not all users will have access immediately, and device compatibility could differ by region. For organisations using WhatsApp across multiple teams or countries, this might temporarily complicate backup policies or support processes.

There are also some technical limits to consider. For example, the new passkey feature does not address certain underlying encryption vulnerabilities identified by researchers earlier this year, such as weaknesses in WhatsApp’s “prekey” handshake mechanism that could theoretically expose some message metadata under specific conditions. Those findings relate to message exchange rather than backups, but they underline that security in complex systems is never static.

Finally, while this change enhances privacy for individuals, it introduces new complications for organisations that must retain communication records for legal or contractual reasons. Encrypted backups that only employees can decrypt may hinder internal auditing or eDiscovery processes unless alternative data management policies are in place.

WhatsApp’s decision to make passkey-encrypted backups available reflects both a technological evolution and a strategic balancing act: strengthening privacy while trying to keep security practical for billions of users and acceptable to regulators. It reinforces Meta’s message that personal data should remain under user control, but it also leaves open questions about recovery, compliance, and how far convenience can coexist with absolute privacy.

What Does This Mean for Your Business?

WhatsApp’s passkey-encrypted backups close a long-standing gap in its privacy model by uniting strong security with genuine ease of use. The change ensures that users can now protect years of chat history without worrying about lost passwords or unmanageable encryption keys. It also signals Meta’s intent to keep WhatsApp at the forefront of privacy technology while aligning with the global shift toward passwordless authentication across major platforms.

For UK businesses, the update is both an advantage and a challenge. It strengthens protection for sensitive conversations, reducing the risk of data exposure from insecure cloud backups. However, it also places more control in the hands of individual employees, limiting an organisation’s ability to monitor or recover business communications when needed. Firms that use WhatsApp informally for client contact or internal coordination will need to update their data management policies to account for encrypted, user-controlled backups.

Regulators and policymakers are likely to see this as another reminder that end-to-end encryption is now the default expectation rather than a specialist option. While it may complicate lawful access to stored message data, it reflects the direction most major tech companies are taking to meet user privacy demands. For everyday users, the result should be a simpler, more trustworthy backup system that makes security part of the normal experience rather than an optional extra.

The broader lesson here is that encryption can only achieve mass adoption when it becomes invisible to the user. WhatsApp’s move may bring that goal closer, reshaping how individuals, businesses, and governments think about control over digital information in a world where privacy and usability must now coexist.


Mike Knight