WhatsApp Starts Username Reservations, Finally Decoupling Identity From Phone Numbers

WhatsApp is rolling out global username reservations starting Monday, letting its three-billion-plus user base claim a handle that can stand in for the phone number that has anchored every account since 2009.

The feature is opt-in. Users who want one can reserve a username now; the ability to actually connect with someone by username — instead of by digits — follows later.

This is an identity change more than an auth change. The phone number isn't going away as the underlying account identifier, and SIM-bound registration still gates account creation. What's shifting is the discoverability layer: the string other people use to find you.

For anyone who has watched the slow, grinding move away from phone numbers as universal identifiers, this matters. E.164 numbers are terrible identifiers. They're recyclable, regionally portable, often tied to government ID, and trivially enumerable — the 2021 scrape that exposed 500-million-plus WhatsApp numbers worked precisely because the namespace is small, ordered, and guessable.

Usernames don't fix that on their own. But they let a user share a contact handle in a forum, on a business card, or in a Signal-style QR exchange without leaking a number that doubles as an SMS 2FA target and a SIM-swap lure.

The security questions worth asking, in order of how much I care:

• Namespace squatting. Reservations are starting now, which suggests Meta has learned from Bluesky and Threads that a land rush is preferable to a launch-day collision. Expect impersonation disputes anyway.
• Resolution privacy. When someone types @lorna, does the lookup happen client-side against a hashed directory, or server-side with Meta logging the query graph? The privacy delta between those two designs is enormous.
• Account recovery. If a username becomes the public identifier but the phone number remains the recovery factor, SIM-swap risk on WhatsApp accounts doesn't drop. It just gets a prettier facade.
• Business API surface. WhatsApp Business uses verified display names; how usernames interact with that namespace (and with deep links like wa.me/) will determine whether phishing gets easier or harder.

Meta has not yet published a technical writeup on the reservation flow, claim disputes, or the lookup protocol. Until it does, treat the rollout as an identifier change with privacy upside and unknown plumbing.

Would enabling two-step verification on your account help here? Yes — and it would have helped before usernames too. WhatsApp's two-step verification adds a user-set PIN that blocks re-registration of a number on a new device, which is the single most useful control against SIM-swap takeovers. Turn it on before you claim a username, not after.

The death of the phone number as an identifier is not happening this week. But it just got a little closer.