WhatsApp Usernames Are Coming, But Regulators Are Not Convinced

Category: News | Published: 2026-06-09

Your mobile phone number has quietly become one of the most sensitive pieces of personal information you carry. It is tied to your bank account, your email recovery options, your two-factor authentication codes, and dozens of other digital services. Giving it to someone you have just met, or to a business contact, or to a community group online, means handing over a thread that connects to a significant portion of your digital life.

WhatsApp has built its entire identity system around phone numbers since launch. To use the platform, you need a number. To contact someone, you need their number. That has always created a privacy tension at the heart of one of the world's most popular communication tools. The company is now attempting to resolve that tension with WhatsApp usernames, and the plan has immediately run into regulatory opposition in its largest national market.

What WhatsApp Usernames Actually Are

Announced at the end of June 2026, the WhatsApp username system lets users reserve a unique handle that others can use to start a conversation without needing to know the phone number attached to the account. Meta describes it as the biggest identity overhaul in WhatsApp's history.

The format follows the familiar @ convention. Usernames must be between 3 and 35 characters and can contain lowercase letters, numbers, full stops, and underscores. They cannot begin with the letters w-w-w or end in a way that resembles a website domain, which is a deliberate safeguard against people disguising a username as an official link.

WhatsApp opened an early reservation system in June 2026, allowing users to secure a name ahead of the wider launch planned for later in the year. The platform has more than three billion users, so many people will inevitably want similar or identical names, which is why the reservation process is being introduced gradually.

There Is No Directory

One of the most significant design decisions in the WhatsApp username system is that there is no public directory. You cannot search for a username, browse suggestions, or discover contacts through the platform. To send someone a message via their username, you need to already know what that username is.

That is a deliberate privacy choice. The system is designed to allow people to share a contactable identity without being publicly discoverable. In practical terms, it works rather like sharing a phone number: you give it to the people you want to be contactable by, but it does not appear on any list that strangers can browse.

The Username Key

For users who want an extra layer of control, WhatsApp is also introducing an optional username key. If you enable this, anyone wanting to contact you needs to know both your username and your key. Neither alone is sufficient. This creates a two-part credential for initiating contact, which significantly raises the bar for unwanted approaches.

Accounts that have a username but no key can still be contacted by anyone who knows the username. Accounts with a username key require both pieces of information before a conversation can begin.

Why WhatsApp Is Doing This

The privacy case for WhatsApp usernames is genuine and specific. Phone numbers are harvested regularly from WhatsApp group chats, where every participant's number is potentially visible to others in the group. People who join community groups, professional networks, event chats, or online marketplaces through WhatsApp often do so at the cost of sharing their number with everyone else in the conversation.

Phone numbers are also central to SIM-swap attacks, a form of identity fraud in which a criminal convinces a mobile network to transfer your number to a SIM card they control, giving them access to any service that uses your number for authentication. Reducing the situations in which your phone number is shared reduces that particular exposure.

Businesses and creators with an existing presence on Instagram or Facebook can also claim their existing username on WhatsApp, giving them a consistent identity across Meta's platforms without needing to share a phone number with every customer or follower who wants to get in touch.

Why India Said Stop

India is WhatsApp's largest single market, and the Indian government moved quickly to ask the company to pause the introduction of usernames in the country while consultations take place. The concerns centre on fraud, phishing, and impersonation.

The specific worry is that criminals could create WhatsApp usernames designed to resemble those of banks, government departments, major businesses, or well-known public figures, and then use those usernames to contact potential victims without a phone number being visible. In the current phone-number-based system, there are at least some signals that a contact is unfamiliar: you do not recognise the number, it might be from an unusual area code, and the contact does not appear in your address book. A plausible-sounding username removes some of those signals.

This concern is particularly pressing in India because of the scale of cyber fraud the country has been dealing with, including digital arrest scams in which criminals impersonate police officers, tax authorities, or government officials to extort victims. If WhatsApp usernames make impersonation more credible, law enforcement concerns are understandable.

What WhatsApp Has Put in Place

WhatsApp has not dismissed these concerns, and the company says it has built several safeguards into the system before launch.

Usernames associated with public figures, government bodies, verified businesses, and well-known Meta accounts have been reserved so they can only be claimed by their legitimate owners. Variations of protected names are also being blocked to prevent near-miss impersonation. The company says it will limit the number of new contacts an account can initiate in a given period, which constrains the speed at which a fraudulent username could be used in a mass-contact campaign. Its systems are also being trained to detect patterns associated with impersonation and abuse.

When you receive a message from someone for the first time, WhatsApp will display contextual information about the sender: whether they have a new account, whether you share any mutual groups, and whether they are contacting you from another country. That context gives recipients some basis for assessing a first approach before responding.

The EU Is Also Sitting It Out

India is not the only major jurisdiction where WhatsApp usernames will not launch immediately. The European Union has also been excluded from the initial rollout, not because of fraud concerns specifically, but because of data privacy regulatory requirements. The exact nature of the hurdle has not been detailed publicly, but the EU's data protection framework imposes significant obligations on how platforms handle identity data, and it appears Meta has not yet cleared those requirements for the username system in European markets.

The irony is notable. The EU is typically the jurisdiction that pushes hardest for privacy-enhancing features, and WhatsApp usernames are primarily a privacy feature. The delay suggests that the mechanics of how username data is stored, processed, and linked to phone number records have not yet satisfied the requirements of regulators who are generally sympathetic to the feature's stated purpose.

The Underlying Tension

The controversy around WhatsApp usernames illustrates a genuine and recurring difficulty in consumer technology. Features that protect legitimate users from unwanted exposure almost always extend some of that protection to people acting in bad faith. Full anonymity systems are used by dissidents in authoritarian states and by criminals running fraud operations. Privacy tools that limit traceability help genuine privacy-seekers and people with something to hide. WhatsApp usernames sit in that same tension.

The system as designed is not anonymous: a phone number is still required to create an account, and WhatsApp presumably retains the link between a username and the underlying number for law enforcement purposes. But the practical experience for a recipient is that the sender has no immediately visible phone number, which removes one of the friction points that currently makes some fraud attempts easier to identify.

Whether the safeguards WhatsApp has built are sufficient is a question that regulators in different markets are answering differently. India says pause first and consult. The EU says the framework is not yet in place. Most of the rest of the world appears to be proceeding.

What This Means for Businesses

For businesses, the introduction of WhatsApp usernames is worth tracking from a security awareness perspective. As the feature rolls out, phishing attempts via WhatsApp that use plausible-sounding usernames rather than unfamiliar phone numbers are a realistic development. Training staff to apply the same scepticism to WhatsApp messages as they would to emails, regardless of how professional the sender's username appears, is a sensible precaution.

Our Cyber Security page covers the protections and staff awareness training we help businesses put in place as the channels through which social engineering and fraud attempts arrive continue to evolve.