Signal’s New PIN Feature Worries Cybersecurity Experts

On the unofficial Signal forums there are some discussions on this:

I’m worried about this. I agree that this is a useful feature, but it should be optional and disabled by default.

Yup. But the conversation is more nuanced from what I found. This is part of Signal’s project to move to a user ID that is not based on phone numbers. And at least what was claimed by Moxie was that, because of that migration, the contacts could not live on the phone (for doing contact discovery).

But I am not too deep on the issue. I also have my reservations, especially without warning the users and asking for consent (even if it is stored encrypted on Signal’s servers).

But we know it may be hard to communicate technical questions to users…