Secure messaging app Signal has added a new level of protection in the latest version. Signal registration lock won’t allow anyone to register your phone number on a new phone without a PIN …

Signal already requires a code sent via text message to register a phone number, but there are a variety of vulnerabilities in the SMS system which mean this isn’t a completely secure system. One common one is known as a SIM-swap attack.

An alarming test carried out by Princeton shows that the five largest US carriers fail to properly protect their customers against so-called SIM-swap attacks.

They were able to persuade the carriers to assign phone numbers to new SIMs without successfully answering any of the standard security questions. Once a phone number has been reassigned to a SIM in the possession of an attacker, they can reset passwords even on accounts protected by two-factor authentication (2FA).

The Princeton study found that carriers would permit the reassignment even if the attacker had repeatedly given incorrect answers to security questions designed to ensure that they were the legitimate account owner.

This is the reason Signal is introducing an additional layer of protection, which requires you to enter a PIN as well as the SMS code.

You will be asked to enter this PIN the next time you register your phone number with Signal. Your profile, settings, and contacts will restore when you reinstall Signal.

  • Enabling a Registration Lock will require the Signal PIN to register your phone number with Signal again. 
  • Go to Signal Settings profile_avatar.png > Privacy > Signal PIN > Registration Lock to enable or disable. This can only be modified on your phone.

Signal says there is no limit on PIN length, and although the company uses the term Personal Identification Number, it is in fact a password, so can include alphabetic characters as well as numbers.

To guard against the possibility of forgetting your PIN, you’ll be periodically asked to enter it.

Signal includes a built-in reminder feature that uses spaced repetition. To help you memorize your PIN, Signal will periodically ask you to confirm it. These reminders occur at the following intervals after the feature is first enabled:

  • 12 Hours
  • 1 Day
  • 3 Days
  • 7 Days
  • 14 Days

You can, however, reset the PIN on your registered device without having to know it: the PIN is only designed to protect against your phone number being assigned to a new device.

FTC: We use income earning auto affiliate links. More.

Incipio Organicore iPhone case

Check out 9to5Mac on YouTube for more Apple news:

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

About the Author

Ben Lovejoy's favorite gear