How to protect your Signal account to the extreme with Registration Lock

A recent Twilio breach exposed thousands of Signal users' phone numbers. It's time to lock down your Signal account.


Earlier this week, Signal revealed that attackers had access to phone numbers belonging to 1,900 users. Signal is among the most strongly encrypted messaging apps available, which thankfully stopped the attackers from accessing anyone’s message history or profile information.

The attackers utilized Twilio, an SMS verification service, as the entry point of their attack. Current and former Twilio employees received phishing messages suggesting their passwords had expired — and some of them fell for it, thereby compromising employee accounts.

While two-factor authentication via SMS does offer some protection from hacks and other cyberattacks, it can’t protect users from every angle. Luckily for us, Signal has a built-in feature called Registration Lock that can push your protections to the extreme.

How to turn on Signal’s Registration Lock

Signal’s Registration Lock feature adds an extra step every time a new device tries to log in with your account info. An attacker could theoretically have access to your password and SMS verification code and still be unable to add your Signal account to their app.

Each time you (or someone else) try to register your phone number in Signal, the app will ask for your Signal PIN. This is a code you created when setting up your Signal account. You can change your Signal PIN at any time in the “Account” settings menu.

Follow these steps to turn on Registration Lock.

  • Click your profile photo in the upper left and open the Settings menu.
  • Open the Account menu.
  • Toggle the “Registration Lock” button.

Remember your PIN or get locked out

Before you enable Registration Lock, make sure you’re comfortable with the Signal PIN attached to your account. It should be a number — however long or short you’d like — that you can remember very well. Once Registration Lock has been turned on, you can be locked out of your Signal account for up to 7 days after entering the incorrect PIN.

Thanks to Signal’s top-notch end-to-end encryption protocols, an attacker who gained access to your account wouldn’t even be able to retrieve your chat history. They would, however, be able to send and receive new messages and calls as if they were your own. Registration Lock — a feature unique to Signal — should stop any attackers before they even get to that point.