Skip to content

Verifying Signal Safety Numbers: How to Confirm You're Talking to Who You Think You Are

Signal's Safety Numbers let you cryptographically confirm that your conversation hasn't been tampered with, but it can be confusing to navigate. Here's a guide to verifying Signal Safety Numbers.

πŸ“– The Basics

What It Is

A Safety Number is a unique fingerprint assigned to every Signal conversation. It's the same number for both people in the conversation, generated from both parties' cryptographic keys. If your Safety Number matches your contact's, you're confirmed to be exchanging encrypted messages directly with each other, with no one intercepting or substituting keys in the middle.

You can find the Safety Number for any conversation by opening it in Signal, tapping the contact's name at the top, and selecting View Safety Number.

How It Works

Why Safety Numbers Exist

End-to-end encryption protects the content of your messages from being read in transit. But it requires trusting one thing: that the public key your app received for your contact actually belongs to them. In theory, a compromised server or a sufficiently sophisticated attacker could substitute their own key into that exchange, letting them silently read messages both parties believe are private. This is a man-in-the-middle attack, and it's the one threat that encryption alone doesn't neutralize.

Safety Numbers exist specifically to close this gap. By comparing a fingerprint derived from both parties' keys through an independent, out-of-band channel, you verify that no substitution has occurred. If the numbers match, the key exchange was clean.

Verifying In Person

This is the best method, and it's fast. Both people open the conversation in Signal, tap the contact name, and select View Safety Number. One person taps the QR code to scan, and the other holds their screen up. Signal confirms the match instantly. Mark the contact as verified, and you're done.

Verifying Digitally

If you can't meet in person, you need an already-established safe channel outside of Signal like email, a different messaging app, a video call, anything where you've already confirmed the other person's identity. One person sends the other their raw Safety Number through that channel.

Important: The person doing the verifying, the one who received the first Signal message and wants to confirm who reached out...should be the one receiving the Safety Number, not sending it. If you send your Safety Number to the person you're trying to verify, they can simply echo it back, since it's the same number for both of you. You only get one shot at meaningful verification. Wait for them to send it to you unprompted, then compare.

Once you've confirmed the numbers match, tap Mark as Verified in the conversation. Signal will display a small verified indicator in the chat.

What Happens When Safety Numbers Change

If something changes on either side of the conversation like a new device, a reinstall, or a SIM transfer, Signal will alert you that the Safety Number has changed. This doesn't automatically mean something is wrong. Most Safety Number changes are completely innocent: your contact got a new phone.

But it does mean you should re-verify before continuing any sensitive conversation. A changed Safety Number that your contact can't explain is a reason to pause.

Switching Devices Without Drama

Whether your Safety Numbers change at all when switching devices depends on how you switch, and Signal gives you methods that avoid triggering the change entirely. Methods that preserve your Safety Numbers:

  • Signal's built-in account transfer (phone to phone, same OS): Using Signal's "Transfer or restore account" flow during setup carries your identity keys over to the new device. Your contacts won't see a Safety Number change because the keys that generate it haven't changed.
  • Linked devices (Desktop, iPad): Adding a desktop or iPad as a linked device doesn't change your Safety Numbers at all since linked devices share your phone's keys. Signal also now supports syncing your message history when first linking a deviceβ€”including media from the last 45 daysβ€”so you don't start blank.

However, a fresh registration where you install Signal on a new phone, enter your number, and skip the transfer flowβ€”generates entirely new identity keys. This is the scenario that changes Safety Numbers and sends alerts to all your verified contacts. Avoid this if you want a clean switchover.

If a Safety Number change is unavoidable, it's recommended to do the following:

  1. Verify Safety Numbers with your important contacts before switching.
  2. Let those contacts know you're switching devices so they expect the change and don't assume the worst.
  3. After the switch, re-verify with those same contacts.
  4. Keep a secondary safe channel established with anyone you communicate with sensitively, so you have somewhere to check in if something unexpected happens.

Not Just Signal: Apple's Equivalent

Signal isn't the only app with this feature. Apple added Contact Key Verification to iMessage. You can compare verification codes with a contact in person or over another trusted channel, or share a Public Verification Code that others save to your contact card. Once set up, iMessage automatically alerts you if a contact's keys change or an unrecognized device joins their accountβ€”the same continuous-verification principle described throughout this guide. If you and your contacts live in iMessage rather than Signal, it's worth turning on.

🎯 Why It Matters

Here's an example from my own experience. Techlore gets a fair number of outreach messages, including from people who say they represent a project and want to have a sensitive conversation on Signal. Someone messages me on Signal claiming to be the CEO of a browser, search engine, VPN, or another privacy tool. The message says "Hey, it's [name], let's chat here."

The way I handle this: I ask them to send our Safety Number through an already-established channel, like maybe an email thread we've been using. But here's the important nuance. Matching Safety Numbers doesn't prove the person emailing me is who they claim to be...I still have to trust that the email account is actually theirs. What it does prove is that the Signal conversation I'm in is cryptographically tied to the same identity as whoever sent that email. And once verified, Signal will alert me if that ever changes. That's the real power: not just a one-time handshake, but ongoing cryptographic assurance that I'm talking to the same party every time I open that thread.

This is what Safety Numbers are actually for. The initial verification still has to come from a trusted person, and Safety Numbers don't replace that. What they do is lock in and continuously verify that the Signal conversation stays connected to that same identity over time. For any situation where impersonation or account compromise would be genuinely damaging, it takes thirty seconds to set up and runs silently in the background from then on.

πŸ’‘ Common Misconceptions

"If Signal is encrypted, I don't need to verify anything."

Encryption protects message content from being read in transit. It doesn't protect against a scenario where the keys themselves have been substituted. Safety Number verification is the check that confirms the key exchange was clean. The two protections are complementary, not redundant.

"I should send my Safety Number to the person I'm trying to verify."

This is the most common mistake. Both parties in a Signal conversation have the same Safety Number, so if you send it first, the other person can simply read it back to you. The person doing the verifying should wait for the other party to independently send the number through a separate channel, then compare.

"A changed Safety Number means my contact has been compromised."

Usually it just means they got a new phone, reinstalled Signal, or transferred their number to a new SIM. Safety Number changes are a prompt to re-verify, not a conclusion. Check in with your contact through your secondary safe channel, confirm the reason for the change, and re-verify. That's the full process.

"This is only relevant for journalists and activists."

Verification is most critical at higher threat levels, but the underlying value is universal: knowing you're actually talking to who you think you're talking to. Confirming a business contact before sharing a sensitive document, or verifying a new contact who claims to be a mutual friend, are both reasonable uses. The tool is there; the threshold for using it depends on your situation.

πŸ—£οΈ Henry's Take

I wrote this guide because even technically literate people were getting confused about what Safety Numbers are for and, more importantly, who's supposed to send the number first.

My practice is to verify in-person whenever I can, it's a ten-second process and it's the strongest form of verification available. For contacts I can't meet physically, I use a trusted secondary channel.

The worst time to figure out your re-verification process is after you've already switched phones and your contacts are seeing unexpected Safety Number changes and wondering what happened. A short heads-up message through a secondary channel before you switch, and a re-verification after, keeps everything clean.

βœ… Henry's Picks

  • Signal: the app this entire article is about. Free, open source, independently audited, and the gold standard for encrypted messaging. Safety Numbers are built into every conversation.
  • Signal's own explainer on Safety Numbers: the official documentation, worth reading alongside this.

See the broader recommendation set at Techlore's SPA Tools.

πŸ”— Go Deeper

Related wiki articles:

External sources:

Found an error? Report it here β†’