A Guide To Verifying Signal Safety Numbers

Even technical individuals who I’ve migrated to Signal seem a bit confused over how to verify a safety number and what exactly it’s supposed to do. To save people time going forward, here’s a guide to link people to when in the process of migrating to Signal. The general concepts should more-or-less apply to any messenger with a verification system. Signal has a blog post on this as well.

What’s a Safety Number?

It’s a number unique to every Signal conversation, and it should be the same for both people in the conversation. You can find the safety number for any Signal conversation by going into that conversation’s settings > View Safety Number.

Why Verify?

At its core, the goal of verifying is to ensure the person you’re talking to is actually the person you think you’re talking to.

For example, we at Techlore receive several emails a day from random people and projects. Let’s say the CEO of a project wants to talk to me on Signal. I send them my number on Signal, then they add me on Signal with a “Hello it’s the CEO”. To verify it’s actually them, I can email back asking what phone number they reached out from, then compare the phone numbers. But an even more fool-proof way to verify the authenticity of the conversation is to ask the CEO to send our safety number to an established safe place of communication - in this scenario, email. I can then compare the safety numbers and mark it as approved.

The best method of verifying safety numbers is in-person, but if there’s an already-established ‘safe space’ where you can verify a user is who they say they are, it can be done digitally as well.

Verifying a safety number also continues to ensure you’re chatting with someone safely. If someone switches devices, it will reset the safety number and alert the contact of the change. If anything changes, the safety number changes. This is incredibly useful - as in theory, a compromised Signal account will instantly alert all contacts of a changed safety number. (With the exception of an endpoint attack where the attacker gains direct access to the contact’s device and can directly impersonate them.)
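
Why both people see the same number, and why it changes when a key changes, shown as an added example (not from the original post and not Signal's own code). It is a simplified model: the hashing scheme, iteration count, keys and identifiers are assumptions chosen for illustration.

```python
import hashlib

ITERATIONS = 5200  # assumed work factor for this model


def fingerprint(identity_key: bytes, identifier: bytes) -> str:
    """30 digits derived from one party's identity key and identifier."""
    digest = hashlib.sha512(b"\x00\x00" + identity_key + identifier).digest()
    for _ in range(ITERATIONS - 1):
        digest = hashlib.sha512(digest + identity_key).digest()
    # Six 5-byte chunks, each reduced to a zero-padded 5-digit group.
    return "".join(
        f"{int.from_bytes(digest[i:i + 5], 'big') % 100000:05d}"
        for i in range(0, 30, 5)
    )


def safety_number(key_a: bytes, id_a: bytes, key_b: bytes, id_b: bytes) -> str:
    """60 digits: both fingerprints, sorted so each side computes the same value."""
    return "".join(sorted([fingerprint(key_a, id_a), fingerprint(key_b, id_b)]))


def display(number: str) -> str:
    """Group digits in fives, the way the number is read out or pasted."""
    return " ".join(number[i:i + 5] for i in range(0, len(number), 5))


# Constructed sample keys and identifiers (hypothetical, not real Signal keys).
ALICE_KEY, ALICE_ID = b"\x05" + b"A" * 32, b"alice-id"
BOB_KEY, BOB_ID = b"\x05" + b"B" * 32, b"bob-id"
BOB_NEW_KEY = b"\x05" + b"C" * 32   # Bob's key after switching devices
OTHER_KEY = b"\x05" + b"M" * 32     # a key that is not Bob's or Alice's


def scenarios() -> dict:
    return {
        "alice_view": safety_number(ALICE_KEY, ALICE_ID, BOB_KEY, BOB_ID),
        "bob_view": safety_number(BOB_KEY, BOB_ID, ALICE_KEY, ALICE_ID),
        # Bob switches devices: the number Alice verified no longer matches.
        "after_switch": safety_number(ALICE_KEY, ALICE_ID, BOB_NEW_KEY, BOB_ID),
        # Someone sits between them presenting OTHER_KEY to each side.
        "alice_intercepted": safety_number(ALICE_KEY, ALICE_ID, OTHER_KEY, BOB_ID),
        "bob_intercepted": safety_number(BOB_KEY, BOB_ID, OTHER_KEY, ALICE_ID),
    }


if __name__ == "__main__":
    for name, number in scenarios().items():
        print(f"{name:18} {display(number)}")
```

In the intercepted case the two sides compute different numbers, which is the mismatch a comparison over a separate channel catches.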

How to Verify

It’s very simple:

  • If in-person, just click on the contact in Signal, and click View Safety Number, then scan the QR code.
  • If digitally, you need an already-established place of communication. One person then sends the other person the raw safety number in that safe space, away from Signal. (The person who sends it should be the person who receives the first Signal message, aka the person who did not initiate the Signal conversation and needs to verify the authenticity of the new conversation.)

IMPORTANT: If you’re the person verifying the authenticity of the other user, DO NOT SEND THEM THE SAFETY NUMBER. If you are trying to verify the other user and you send them the safety number, the other person can just send back the same number you sent them. (Again, it’s the same number for both of you, so you only have one shot at verifying them.) You should wait for THEM to send you the safety number.

After verifying, you should see this in the conversation:
image

If the safety number changes, due to a device change or anything else (hopefully not an attacker), it’ll look like this:
image

How to change devices without drama

It’s best practice to:

  • Verify safety numbers of all contacts on Signal
  • Alert your main Signal contacts when you are switching devices, so they know about the upcoming safety number change and don’t think you have been compromised.
  • Have a secondary ‘safe space’ to be able to verify the authenticity of your Signal conversation, so that your contacts are able to check in on you in the event your account is compromised and they’ve been alerted of an unauthorized safety number change.
  • When safety numbers change, re-verify!

This is too technical, what’s the TLDR?

A safety number is the same for both users in a Signal conversation, and it’s designed to ensure the chat is and continues to be safe.

  • If User A messages User B on Signal, User B should ask User A to send over their safety number on a safe platform that is not Signal to ensure User A is who they say they are. Both users should have the same safety number.
  • Signal will mark the conversation as verified if you confirm the numbers match.
  • Signal will alert you if the safety number changes. These changes can occur when people switch devices, and do not inherently mean the other user is compromised. It is your job after a safety number change to confirm why the change occurred.