If you've received a spam message in Signal Private Messenger, you know that anyone can contact you as long as they have your linked phone number. But when it comes to the people you're actually trying to have a private conversation with, how do you know it's really them?
When you first strike up a conversation with somebody on Signal, it's a good idea to verify that they are who they say they are. They should also do the same to you. This will help ensure that no man-in-the-middle attack has taken place and that your encrypted conversations are indeed private.
To verify the other person's identity, open up the conversation thread with the individual from Signal's homepage, then tap on their name or phone number at the top. On this screen, tap on "Show Safety Number," which is Signal's fancy way of saying "fingerprint" (a term more familiar in the world of cryptography).
It will say whether or not the user has been verified. There will also be an easy-to-scan QR code and a unique 60-digit number laid out in 12 groups of five digits, which is this conversation's Safety Number. This number is stored the very first time you communicate with the contact. It uses numeric encoding, which Signal says is easier to localize than the usual hexadecimal, reduces the size of the encoded value, and improves speed and accuracy.
The Safety Number is actually a "sorted concatenation of two 30-digit individual numeric fingerprints," which allows advanced users to separate the two fingerprints for more complex use-cases. We won't be covering that in this guide, though.
From here, you have a few choices as to how to verify the conversation. Choosing the right one depends on how physically close you are to each other or how secure you'd like this conversation to be. Phone numbers are not embedded in QR codes, so each method below has a similar degree of privacy.
If your contact is local, you could meet up with them and have them open up the Safety Number for your conversation in their app. Then, with your Safety Number page also open, tap on your QR code to initiate the camera and scan the QR code on their screen. Afterward, either tap on "Mark as Verified" to confirm (iOS) or tap on the "Verified" toggle (Android).
If you're not in the same location, you could also take a screenshot of the QR code to share with them, then message it to them outside of Signal (otherwise, what's the point of verifying them?). Then they can scan it and verify you. They can also send you theirs so you can do the same. Just make sure to tap on either "Mark as Verified" (iOS) or the "Verified" toggle (Android) when the codes match up.
If you don't like the QR code option, you could share your Safety Number with the other person using the share options on your device. Whether you're using Android or an iPhone, just tap on the share icon in the top right of the Safety Number page. Here, you can choose to email it, text it, or send it via other apps such as Facebook and Twitter. You can also copy it to your clipboard.
Alternatively, you could also just long-press on the 60-digit number and select either "Copy" (iOS) or "Copy to clipboard" (Android), then share however you want to.
If you've received a 60-digit code, you don't have to worry about manually comparing each number to the one in your conversation's Safety Number page. Signal makes it super easy to match the numbers with barely any effort. Just copy the 60-digit code to your clipboard, then go to the Safety Number page and long-press on the 60-digit code and select "Compare with Clipboard." It's that easy.
You could also just get on a phone call with each other and read out the numbers to verify them and manually mark each other as verified. There isn't really anything to worry about when it comes to sharing the 60-digit code or QR code in the above methods, but if you're ultra paranoid and want to recognize their voice at the same time as comparing the Safety Number, this is your best bet.
Just manually verify them by tapping on either "Mark as Verified" (iOS) or the "Verified" toggle (Android) on the Safety Number screen.
Whether or not you chose to verify the identity key of the person you're communicating with when you first started talking, Signal will warn you the next time they contact you if they have set up Signal on a new device, or if someone has hijacked their account by setting up Signal using their phone number.
The alert will be in the conversation thread and will appear whether or not they recently messaged you. It will say something like "Your safety number with [contact] has changed." Given how easy it is to take over somebody's Signal account, it's best to re-verify them before continuing the conversation. To do so, either follow the instructions in the first few steps above or tap on the alert to open up the Safety Number immediately to begin the verification process.
Once your conversation is verified, there will be a small check mark symbol underneath the contact's name or phone number in the conversation thread. You can also tell that they're verified by viewing the Safety Number page again.
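The Safety Number layout and the "Compare with Clipboard" check described above can be sketched in a few lines. This is an added example, not Signal's code: the function names and the sample fingerprints are constructed for illustration, and it assumes each 30-digit fingerprint depends only on its owner's identity key, so a change alert alters only the contact's half.

```python
import hmac
import re

HALF = 30  # each party's individual fingerprint: 30 of the 60 digits

def normalize(text: str) -> str:
    """Drop spaces/newlines from a pasted Safety Number and check its shape."""
    digits = re.sub(r"\s+", "", text)
    if not re.fullmatch(r"[0-9]{60}", digits):
        raise ValueError("a Safety Number is exactly 60 decimal digits")
    return digits

def split_fingerprints(text: str):
    """Return the two 30-digit individual fingerprints, in displayed order."""
    digits = normalize(text)
    return digits[:HALF], digits[HALF:]

def display(fp_a: str, fp_b: str) -> str:
    """Sorted concatenation, shown as 12 groups of five digits."""
    joined = normalize("".join(sorted([fp_a, fp_b])))
    return " ".join(joined[i:i + 5] for i in range(0, 60, 5))

def matches(local: str, received: str) -> bool:
    """Whole-number comparison; malformed or truncated input never matches."""
    try:
        return hmac.compare_digest(normalize(local), normalize(received))
    except ValueError:
        return False

def unchanged_half(old: str, new: str):
    """After a change alert, return the fingerprint present in both numbers."""
    common = set(split_fingerprints(old)) & set(split_fingerprints(new))
    return common.pop() if len(common) == 1 else None

# Constructed sample fingerprints (assumed values, not real Signal output).
ALICE = "111112222233333444445555566666"
BOB_OLD = "777778888899999000001111122222"
BOB_NEW = "000009999988888777776666655555"  # Bob after setting up a new device

if __name__ == "__main__":
    before, after = display(ALICE, BOB_OLD), display(ALICE, BOB_NEW)
    print(before, "| same on both phones:", before == display(BOB_OLD, ALICE))
    print(after, "| matches old:", matches(before, after))
    print("unchanged half:", unchanged_half(before, after))
```

Because the two halves are sorted, your own fingerprint can move from the first half to the second after a contact's number changes, so compare the full 60 digits rather than one half by position.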