Hacker News

Isn't this flow more or less what you would expect? Could someone suggest what would be the appropriate alternative here?

- The inconvenience to the deactivated account is minor: one SMS verification code and the account is back, queued messages get received, etc.

- Persons who lost their phones probably don't have a good fast way of proving their identity, as their identity is tied to their phone number in WhatsApp's model.

- Needing to quickly lock out spammers, thieves or hackers is probably far more frequent than abuse of this feature.

- If abuse of this feature becomes a recurring problem, I'd expect WhatsApp to react and adjust the flow to place more burden on its user.

The auto-delete part is slightly more worrying, but if you don't use WhatsApp for 30 days, your account and group membership probably aren't very precious. Backups are automated and separate. You can still easily re-create an account with the same number then.

The story might be "Apps should stop using SMS and phones numbers as the source of identity", and while I generally agree, most comments don't seem to be about this and WhatsApp is maybe _the_ one app whose success was based on this very idea.



What! This is terrible. No other unrelated entity should be able to impact another account they don't own, no less deactivate it!

Imagine an automated form of this where you can just mass deactivate antagonistic accounts


As YetAnotherNick said, logout might be the better word to describe the impact here (plus, a fairly aggressive inactivity deletion period).

I agree with you in principle, but I still don’t understand how else to mitigate this: WhatsApp must get a lot of cases of stolen unprotected phones. The victim can ask their operator to lock the SIM card, but their WhatsApp account would still be out in the open.

With the continuous improvements in mobile OS security defaults, I’d expect this scenario to become less and less of a problem, but it must still be accounted for.

The process still goes through support ticketing, so I’d expect a spike to be noticed and stopped.


> The victim can ask their operator to lock the SIM card, but their WhatsApp account would still be out in the open.

Can't the legitimate owner recover the account once they get a replacement SIM?


Whoops, my comment isn't very clear, sorry. I meant: "but their account would still be active and in the hands of the thief, if there is no way to quickly deactivate it, e.g. before receiving a new SIM card from their operator that would enable you to prove your identity to WhatsApp."


How long would this be open vs shutting it down using the email method?


Do you mean how long is account recovery by the SIM/number owner possible, or how long can the phone thief continue using the WhatsApp account if the owner doesn't recover?


Maybe I misunderstood the comment you and parent comment were making. I interpreted it as "they can recover it via SIM, so the lockout method isn't needed".

My point to that is that it is true, but the lockout would prevent a thief from using it until the new SIM is received. Versus a thief having access until the new SIM is received.

I use telegram instead of Whatsapp, but I would hate for anyone to have any time at all on my account. I'd prefer to immediately lock the whole thing down and figure it out once I have everything sorted.


Logout is the better word than deactivation in this scenario.


Since when does logout come with a "we'll delete your account if you don't log back in within 30 days"?

This is just an atrocious flow. A better approach would be a "temporary emergency block", and then give the user a week to sort it out, otherwise the account is automatically reinstated.


While 30 days sounds extreme, I’ve got plenty of warnings in the past 25 years from sites which wanted, and did delete my account because I didn’t visit their site in a specified timeframe, like half a year, or a year.


I got one from Discord a few days ago. I didn't check if it was real or phishing, and I didn't check my password manager. I can't remember why I would have created a discord account so I'll let it go. Maybe I was self squatting.


The 30 days thing is likely from GDPR requirements. You cannot keep user data longer than that after they request deletion.


>Imagine an automated form of this where you can just mass deactivate antagonistic accounts

I wish I had this power for other social media sites, such as Twitter and Nextdoor. I'd just mass-deactivate ALL accounts. The world would be better off.


> Imagine an automated form of this where you can just mass deactivate antagonistic accounts

Then imagine it. What would be the ramifications?


Brb automating a denial of service attack


I imagine WhatsApp would limit this capability or otherwise fix the issue if someone started abusing it.


how many accounts would need to be affected to be considered abused?


Probably more than 1 and less than 1000.


> The inconvenience to the deactivated account is minor: one SMS verification code and the account is back, queued messages get received, etc.

When traveling and using another SIM, it's not always that easy.


> The auto-delete part is slightly more worrying, but if you don't use WhatsApp during 30 days, your account and group membership probably isn't very precious.

I've had plenty of times where I'm offline for a few weeks. Would cut it very close to having my entire account deleted.

I'd like a period where I'm offline for months.


> The inconvenience to the deactivated account is minor: one SMS verification code and the account is back, queued messages get received, etc.

Unless I spin up simple automation to deactivate your account every hour.


This is trivial to mitigate with per-account rate limiting.

On top of that, if a specific account is targeted at the rate-limit, a flag could be put in place to let support disable the automation for that account.
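
As an added example (not WhatsApp's code, and not code from anyone in this thread), here is one way to wire up the per-account rate limit plus support flag proposed in this comment, together with the time-limited "temporary emergency block" suggested earlier in the thread. Everything in it is an assumption for illustration: the class and method names, keying requests by the target phone number, the thresholds (`window`, `max_per_window`, `escalate_after`), and the lockout expiring after `lock_ttl` seconds unless the owner re-verifies with an SMS code first.

```python
# Added illustration, not WhatsApp's code: a gate in front of an automated
# "deactivate my account by email" action. All names and thresholds are assumptions.
from collections import defaultdict, deque


class LockoutGate:
    """Gate automated lockout requests so a single target cannot be hammered.

    - At most `max_per_window` accepted lockouts per target per `window` seconds.
    - A target that keeps hitting the limit is flagged for human support; from
      then on requests for it produce a ticket instead of an automated lockout.
    - A lockout is an "emergency block": it expires after `lock_ttl` seconds
      on its own, or earlier when the owner re-verifies with the SMS code.
    """

    LOCKED = "locked"                  # automated lockout applied
    RATE_LIMITED = "rate_limited"      # too many recent lockouts, nothing done
    SUPPORT_REVIEW = "support_review"  # routed to a human, nothing automated

    def __init__(self, window=86400, max_per_window=2, escalate_after=3,
                 lock_ttl=7 * 86400):
        self.window = window
        self.max_per_window = max_per_window
        self.escalate_after = escalate_after
        self.lock_ttl = lock_ttl
        self._accepted = defaultdict(deque)  # phone -> times of accepted lockouts
        self._strikes = defaultdict(int)     # phone -> rate-limit hits so far
        self._locked_at = {}                 # phone -> time of the active lockout
        self._support_review = set()         # phones whose requests go to a human

    def _expire(self, phone, now):
        """Drop accepted-lockout timestamps that fell out of the sliding window."""
        q = self._accepted[phone]
        while q and now - q[0] >= self.window:
            q.popleft()

    def request_lockout(self, phone, now):
        """Handle one email-triggered lockout request; returns the outcome."""
        if phone in self._support_review:
            return self.SUPPORT_REVIEW
        self._expire(phone, now)
        if len(self._accepted[phone]) >= self.max_per_window:
            # Strikes are cumulative until support clears the flag, so an
            # attacker cannot reset them by simply waiting out the window.
            self._strikes[phone] += 1
            if self._strikes[phone] >= self.escalate_after:
                self._support_review.add(phone)
                return self.SUPPORT_REVIEW
            return self.RATE_LIMITED
        self._accepted[phone].append(now)
        self._locked_at[phone] = now
        return self.LOCKED

    def is_locked(self, phone, now):
        """True while an emergency block is active and has not yet expired."""
        t = self._locked_at.get(phone)
        return t is not None and now - t < self.lock_ttl

    def reactivate(self, phone):
        """Clear the block. Call only after the SMS code sent to `phone` was verified."""
        self._locked_at.pop(phone, None)

    def support_cleared(self, phone):
        """A human reviewed the ticket and re-enabled automation for this target."""
        self._support_review.discard(phone)
        self._strikes[phone] = 0
```

The automated path never deletes anything: it only sets a block that either expires or is lifted by the SMS re-verification, and repeated abuse converts into a support ticket rather than more lockouts. Whoever holds the SIM can still call `reactivate`, which is exactly the "then I steal the phone" objection raised below; the gate does not address that, it only removes the cheap remote denial-of-service.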


And once that happens, I then steal the target's phone.

If we're talking about deactivating someone's account via email, we are already talking about a targeted attack.


I'm not sure how relevant that threat model is (OS level security would probably be enabled for people susceptible to be targeted in such a way. Support could advise to do it before toggling the flag, etc.), but anyway the hypothetical flag would only be about making sure the automation doesn't happen and the ticket goes to support. Support can then manually handle the rare edge case and place more burden on the person attempting to deactivate the account.


>Could someone suggest what would be the appropriate alternative here?

1. Identify yourself to your carrier and get a new SIM, deactivate the old one.

2. Put the SIM in another phone and take back your WhatsApp account.

Isn't this the standard recovery method for apps that rely on your phone number?

Getting a new SIM takes longer than sending an email, but at least you don't have this easy abuse potential.


What is the abuse you're referring to?

With your suggested approach, the attacker is free to use the account to impersonate the victim until they get a new SIM card, which could easily take days or weeks.

This seems like a degradation compared to the current abuse potential, which is mostly limited to logging you out.


>This seems like a degradation compared to the current abuse potential, which is mostly limited to logging you out.

I think it depends on who you ask. IIRC there was a stat that showed a substantial % of people only use WhatsApp rarely and they might not notice the deactivation and/or miss the 30 days deadline, getting their accounts deleted.


Expected, eh?

Give us your number, we’ll all take turns deactivating it every day. Then see how fun it is


I can't tell if you're being serious or sarcastic. It genuinely looks like the former but I have to assume it's sarcasm because I can't believe anyone would seriously post this..?


This combined with using a secondary SMS for daily use means a quick and easy way to protect your account. I also agree this is a win.


But if someone has your phone or number they can just re-activate it immediately...

