WhatsApp Authentication Codes: Now Visible Only on Your Primary Device

Meta has announced a new security update for WhatsApp authentication messages, which goes live on October 7, 2024. This update is designed to enhance security for businesses by ensuring that one-time passcodes (OTPs) are only visible on the user’s primary WhatsApp device. Linked devices will no longer display these codes directly, providing an added layer of protection for users. For more detail, see here.
 
This FAQ covers key information about the update and how it impacts businesses using WhatsApp Cloud API for authentication.
 
Q: Do businesses need to implement any code changes to support this update?
A: No, businesses are not required to make any code changes. The feature will be applied automatically for all authentication messages sent through the WhatsApp Cloud API.
 
Q: Is this feature available for both Cloud API and On-Premises API users?  
A: Currently, this security feature is only available for businesses using the Cloud API. It is not yet available for On-Premises API users.
 
Q: How can users identify their primary WhatsApp device?  
A: The primary device is the phone that the user used to register their WhatsApp account. Users can link up to four additional devices, but authentication codes will only be visible on the primary device. Learn more about linked devices here.
 
Q: What message will linked devices display if an OTP is sent?  
A: Linked devices will display the following message:  
"You received a one-time passcode. For added security, you can only see it on your primary device for WhatsApp. Learn more." 
If the OTP cannot be delivered to the primary device, no message will be delivered to linked devices.
 
Q: Will businesses be charged if an authentication message is not delivered to a user's primary device?
A: No. If the message cannot be delivered within the specified validity period (for example, if the user is offline), the message will be dropped by the WhatsApp server, and the business will not be charged.
 
Q: How can businesses track the delivery status of authentication messages?  
A: Businesses can use the messages webhook to track delivery status. Successfully delivered messages will have a "delivered" or "read" status. If no status is received after the message validity period expires, the message can be considered failed.
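
One way to apply this rule on the business side, as an added example that is not Meta's code or part of the original FAQ: a small tracker that treats only "delivered" or "read" as success and marks a message failed once its validity period has passed with no such status. The class and function names are hypothetical, the payload nesting (entry, changes, value, statuses) follows the Cloud API messages webhook layout, and the message ids, timestamps and validity period are constructed sample values.

```python
DELIVERED_STATES = {"delivered", "read"}  # statuses the FAQ treats as successful delivery

class OtpDeliveryTracker:
    """Tracks authentication messages until delivery or until the validity period ends."""

    def __init__(self):
        self.pending = {}       # message id -> expiry time (epoch seconds)
        self.delivered = set()  # message ids confirmed by a delivered/read status

    def record_sent(self, message_id, sent_at, validity_seconds):
        # Assumption: the sender stores the validity period it used for each message.
        self.pending[message_id] = sent_at + validity_seconds

    def handle_webhook(self, payload):
        """Apply the status updates in one webhook payload; return ids newly delivered."""
        newly = []
        for entry in payload.get("entry", []):
            for change in entry.get("changes", []):
                if change.get("field") != "messages":
                    continue
                for status in change.get("value", {}).get("statuses", []):
                    msg_id = status.get("id")
                    # "sent" is not proof of delivery, and ids we never sent are ignored.
                    if status.get("status") in DELIVERED_STATES and msg_id in self.pending:
                        del self.pending[msg_id]
                        self.delivered.add(msg_id)
                        newly.append(msg_id)
        return newly

    def sweep_failed(self, now):
        """Return ids whose validity period expired with no delivered/read status."""
        failed = sorted(m for m, expiry in self.pending.items() if expiry <= now)
        for m in failed:
            del self.pending[m]
        return failed

def sample_payload(updates):
    """Constructed sample in the messages-webhook status layout (not a captured payload)."""
    statuses = [{"id": i, "status": s} for i, s in updates]
    return {"object": "whatsapp_business_account", "entry": [{"changes": [
        {"field": "messages", "value": {"messaging_product": "whatsapp", "statuses": statuses}}]}]}

def demo():
    tracker = OtpDeliveryTracker()
    for msg_id in ("wamid.SAMPLE1", "wamid.SAMPLE2"):
        tracker.record_sent(msg_id, sent_at=1000, validity_seconds=300)
    tracker.handle_webhook(sample_payload([("wamid.SAMPLE1", "sent"), ("wamid.SAMPLE2", "sent")]))
    tracker.handle_webhook(sample_payload([("wamid.SAMPLE1", "read")]))
    return tracker.delivered, tracker.sweep_failed(now=1301)
```

A "read" status with no earlier "delivered" still counts as success, so the tracker does not depend on the order in which statuses arrive.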
 
Q: Can businesses opt out of this security update?  
A: No. As of October 7, 2024, all authentication messages sent on WhatsApp will include this security feature, and opting out is not possible.
