Multi Factor Authentication and WhatsApp

Staying cyber security aware is more important than ever. Some staff have reported that their Multi Factor Authentication (MFA) codes are now arriving via WhatsApp instead of SMS text messages. We can confirm that this is legitimate and is not a security problem.

If you receive Microsoft MFA verification codes via text message (SMS), you may now start receiving these codes through WhatsApp (if it’s installed on your phone). This is due to an update being rolled out globally by Microsoft to move users away from receiving verification codes via text message. WhatsApp’s end-to-end encryption makes it more secure than texting.

Received a WhatsApp message from Microsoft?

An MFA verification code sent via WhatsApp looks similar to the text message you are used to. In addition, it has “Microsoft Business Account” branding and a verified checkmark (tick logo), which validates the sender. The WhatsApp message will look like this screenshot:

The first time you receive a verification code in WhatsApp, you should also receive an SMS text message notifying you of the change to WhatsApp. We are aware that this might not always happen.

Will everyone receive codes via WhatsApp now?

No, you won't get these if you have the Microsoft Authenticator or a security key set up, or you don't have WhatsApp. 

No WhatsApp? No problem!

If you don’t have WhatsApp, you’ll receive a verification code by text message as usual. If you aren’t in an area with internet, you’ll also get a text message.

I don’t want to use my WhatsApp for this purpose

There is no mechanism for individuals to disable WhatsApp verification codes when the Phone text message option is chosen for MFA. If you don’t want verification codes to go to WhatsApp, you need to deselect “Phone” for MFA authentication and choose a different option, such as the Microsoft Authenticator app. If you have Authenticator or a Security Key set up, Microsoft will use these in preference to text or WhatsApp as they are more secure.

Microsoft Authenticator app

Our recommendation is to use the Microsoft Authenticator mobile app with notifications switched on. When you try to access resources which require authentication, like Outlook web access or other services such as PeopleXD or Canvas, you will see “Approve request” and be shown a two-digit code, which you enter into the Microsoft Authenticator app on your smartphone. If your app is set up with your phone screen lock, you can then proceed to log in via that rather than by using a password. That's a good, secure way to log in.

Based on a post from Reading University. Used with permission.