Verifying the identity of your contacts

Recently, my old phone number was reassigned to another person. This happened because I changed my number a few years ago, and the phone provider eventually recycled it after a period of inactivity.

This creates several problems.

The problem

Losing control of your old phone number is a problem for multiple reasons.

First, if you used that number for two-factor authentication but forgot to update your accounts, and you don’t have another authentication method, you could lose access to them. Even worse, the new owner of your old number could, in theory, reset your passwords and take over your accounts.

Second, and this is what this article is mainly about, your contacts may not realize the number now belongs to someone else. Some messaging apps notify you when a contact changes their number, but this happens only once and under specific conditions. Even then, your old number usually remains in their address book, meaning the new owner may still appear under your name.

This second problem is what motivated me to write this article. Another person now has my old number, which confused some of my contacts. To make matters worse, this person has learned my name (probably because my contacts assumed it was me) and even tried to scam one of them by requesting money.

Possible solutions

There are probably multiple ways to prevent or mitigate this issue, and I will make an effort to keep this article up to date as I learn more of them, but these are a few methods I am familiar with.

First and foremost: as mentioned previously, never rely on a phone number as your only multi-factor authentication method. If you lose that number, you risk losing access to your accounts. Use more than one multi-factor authentication method, such as TOTP or security keys. And of course, use a password manager properly.

Digital Signatures

Digital signatures are a reliable way to confirm someone’s identity (provided that the private key is kept secure). There are several digital signature tools out there. The one we are going to be reviewing in this article is GPG.

GPG

  1. Bob (the person being verified) generates a GPG key pair.
  2. Bob keeps his private key secret and shares his public key with Alice (the verifier).
  3. If Alice suspects something, Alice can ask Bob to sign a message.
  4. Alice then verifies the signature using Bob’s public key.

This works as long as Bob’s private key hasn’t been compromised.

Generating a key:

  1. Run the following command and follow the instructions:
     gpg --full-generate-key
  2. List your generated GPG keys:
     gpg --list-secret-keys --keyid-format=long
  3. Copy the code that appears under the sec line:
     sec   rsa4096/... 2025-09-18 [SC] [expires: 2027-09-18]
           <a bunch of numbers and letters> <---- copy this one
     uid                 [ultimate] Franco Colmenarez <info@francoacg.com>
     ssb   rsa4096/... 2025-09-18 [E] [expires: 2027-09-18]
  4. Export the public key:
     gpg --armor --export <the code you just copied>
  5. You should see something like this:
     -----BEGIN PGP PUBLIC KEY BLOCK-----
     <a bunch of letters and numbers>
     -----END PGP PUBLIC KEY BLOCK-----

This is your public key. You can share it with your contacts or put it somewhere accessible. Keep in mind that your keys (including the private one) are stored in the ~/.gnupg folder, so you must handle that folder carefully.

If for some reason you need to export these keys (either because you want to use them with a different program or you want to back them up), you can run the following commands:

# Export the public key
gpg --armor --export <your-key-id> > ~/public.key

# Export the private key
gpg --export-secret-keys --armor <your-key-id> > ~/private.key

# Export the private key in binary (unarmored) OpenPGP format (if you want to import it into Thunderbird, for example)
gpg --export-secret-keys <your-key-id> > ~/key.asc

Reference: https://docs.github.com/en/authentication/managing-commit-signature-verification/generating-a-new-gpg-key

Sending an encrypted message

  1. Alice wants to send a secret message to Bob.
  2. Alice and Bob generate their GPG key pairs.
  3. Bob exports his public key in base64 format and sends it to Alice.
     gpg --export -a bob@email.com | base64
  4. Alice imports Bob’s public key.
     echo "<base64 of Bob's public key>" | base64 --decode | gpg --import
  5. Alice encrypts her message and encodes it in base64 format.
     echo "secret message" | gpg --encrypt -r bob@email.com | base64
  6. Bob decrypts the message.
     echo "<Alice's base64 encoded encrypted message>" | base64 --decode | gpg --decrypt

Verifying someone’s signature

Assuming that Bob generated his GPG keys and Alice already imported his public key, you can follow these steps:

  1. Alice wants to verify Bob’s signature.
  2. Bob creates any file that he wants to sign.
     echo "test file" > example.txt
  3. Bob signs it and sends both files to Alice.
     gpg --detach-sign --output example.txt.sig example.txt
  4. Alice downloads them, puts them in the same folder, and runs:
     gpg --verify example.txt.sig example.txt

Note: A detached signature contains only the signature. A non-detached one also includes the signed file itself.
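The key generation, export and import, sign and verify, and encrypt and decrypt steps above, run end to end as one added example script. This is not code from the original article; it assumes GnuPG 2.1 or newer is installed as gpg and works in two throwaway keyrings so your real ~/.gnupg is never touched. The names Bob Demo and Alice, the address bob@example.invalid, the file contents and the message text are constructed for the demo. It also exercises the case the verification step exists for: a file altered after it was signed must be rejected.

```shell
#!/bin/sh
# Added example, not code from the original article: Bob and Alice exchange a
# signed file and an encrypted message using two temporary GNUPGHOME
# directories. Assumes GnuPG 2.1+ as "gpg". All names, addresses and message
# text below are constructed placeholders.
set -eu

# Run gpg against a given keyring directory; gpg's progress chatter goes to
# stderr, which is dropped so the demo prints only its own status lines.
g() {
    dir=$1; shift
    GNUPGHOME="$dir" gpg --batch --no-tty "$@" 2>/dev/null
}

gpg_demo() {
    tmp=$(mktemp -d)
    bob="$tmp/bob"; alice="$tmp/alice"
    mkdir -m 700 "$bob" "$alice"

    # Step 1: Bob generates a key pair unattended (no passphrase, demo only):
    # an Ed25519 signing key plus a Curve25519 encryption subkey.
    g "$bob" --gen-key <<EOF
%no-protection
Key-Type: eddsa
Key-Curve: ed25519
Key-Usage: sign
Subkey-Type: ecdh
Subkey-Curve: cv25519
Subkey-Usage: encrypt
Name-Real: Bob Demo
Name-Email: bob@example.invalid
Expire-Date: 0
%commit
EOF

    # The machine-readable listing yields the same fingerprint the article
    # tells you to copy from the human-readable "sec" block (field 10 of the
    # first "fpr" record).
    fpr=$(g "$bob" --list-secret-keys --with-colons | awk -F: '$1=="fpr"{print $10; exit}')

    # Step 2: Bob exports his public key; Alice imports it into her keyring.
    g "$bob" --armor --export "$fpr" > "$tmp/bob-public.key"
    g "$alice" --import "$tmp/bob-public.key"

    # Step 3: Bob creates a file and produces a detached signature for it.
    printf 'test file\n' > "$tmp/example.txt"
    g "$bob" --detach-sign --output "$tmp/example.txt.sig" "$tmp/example.txt"

    # Step 4: Alice verifies the signature with Bob's public key.
    if g "$alice" --verify "$tmp/example.txt.sig" "$tmp/example.txt"; then
        echo "original: good signature"
    else
        echo "original: BAD signature"
    fi

    # Any change to the file after signing must make verification fail.
    printf 'edited after signing\n' >> "$tmp/example.txt"
    if g "$alice" --verify "$tmp/example.txt.sig" "$tmp/example.txt"; then
        echo "tampered: WRONGLY accepted"
    else
        echo "tampered: rejected"
    fi

    # "Sending an encrypted message": Alice encrypts to Bob's key (trust-model
    # always, since she has not certified his key in this fresh keyring) and
    # Bob decrypts with his private key.
    printf 'secret message\n' | g "$alice" --trust-model always --encrypt -r bob@example.invalid > "$tmp/msg.gpg"
    echo "decrypted: $(g "$bob" --decrypt "$tmp/msg.gpg")"

    # Stop the agents started for the throwaway keyrings, then delete them.
    GNUPGHOME="$bob" gpgconf --kill all 2>/dev/null || true
    GNUPGHOME="$alice" gpgconf --kill all 2>/dev/null || true
    rm -rf "$tmp"
}

# Prints one status line per check:
#   original: good signature
#   tampered: rejected
#   decrypted: secret message
gpg_demo
```

The tampered case is the one worth remembering: the signature still matches the original bytes, so a single appended line is enough for gpg to report a bad signature, and that is exactly the check Alice relies on when she suspects the person behind a number is not Bob.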

Verification codes within the chat app

Some messaging apps allow you to verify your contact’s encryption keys. This requires meeting in person and comparing codes. If someone else registers an account with your old number, the verification icon will disappear.

Having a “secret code” shared between your relatives

Another interesting approach you might have heard of is to agree on a shared “secret word” with family or close friends, used only to confirm your identity. This can work for non-technical people, but it has a major weakness: if an attacker learns the code, the method is compromised. Updating it regularly adds inconvenience.

WhatsApp

  1. Open the chat.
  2. Tap the contact’s name to open the contact info screen.
  3. Tap Encryption to open the verification page.
  4. Wait for automatic verification to complete and check the result.
  5. You can also verify manually by viewing the QR code or 60-digit number.

https://faq.whatsapp.com/820124435853543#how-do-i-verify-a-chat-is-end-to-end-encrypted

Signal

  1. Open a chat with a contact.
  2. Tap the chat header, or open the overflow menu (the three-dot icon) and then Chat settings.
  3. Select View Safety Number.

https://support.signal.org/hc/en-us/articles/360007060632-What-is-a-safety-number-and-why-do-I-see-that-it-changed

SimpleX

  1. Open the conversation with the contact.
  2. Tap the contact name on top of the conversation.
  3. Tap “Verify security code”.
  4. Ask your contact to do the same.
  5. The connection is secure if you and your contact have the same security code.

https://simplex.chat/docs/guide/privacy-security.html#security-code-verification

XMPP, Matrix, etc.

XMPP and Matrix have many client implementations, but most follow a similar pattern for verifying keys. Check your specific client’s documentation.

Conclusion

A phone number does not represent someone’s identity. There’s no guarantee that a number will always belong to the same person. Never assume the number you have in your contacts still belongs to the same person, and be cautious about what information you share.

You have to use other methods (like the ones mentioned in this article) to confirm that you are truly speaking to the right person.