Session: encrypted messaging without a phone number or account

Signal is better than WhatsApp. But Signal requires an account, and that account is tied to a phone number. You can now hide your number from other users, but the number itself remains the key Signal uses to know who you are.

Session approaches this differently. You register with nothing — no phone number, no email address, no name. You receive a random Session ID: a long alphanumeric string tied to nothing.


Who this guide is for

This guide is mainly for readers who want a persistent messenger identity without tying it to a phone number or central account.

It fits especially:

  • people who need contact without revealing a phone number
  • readers who care about onion-routed messaging enough to accept some latency and usability tradeoffs
  • users deciding between Session and other higher-friction tools such as SimpleX or Briar

For most normal readers, Session is not the first messaging step. Signal remains the better mainstream default unless the phone-number requirement is itself the problem.


What you gain, and what it costs

If you use Session, you usually gain:

  • messaging without a phone number or email address
  • a persistent identity you can recover across devices
  • onion-routed transport without relying on a single central operator

But it costs something:

  • slower and less polished communication than Signal
  • a smaller user base
  • more ambiguity around which advanced protocol properties are already fully rolled out

For the right profile that is still a good trade. It becomes overkill when you mainly want everyday convenience or when your contacts are unlikely to move with you.


How Session works

On first launch, the app generates a cryptographic key pair and a corresponding Session ID. That ID is your identity in the network — and nothing more. No name, no number, no account on a server.

To make contact, you share your Session ID or let someone scan a QR code. There is no phonebook integration — you cannot “find” anyone in the system.

Messages do not pass through central servers. Session uses a decentralized network of nodes managed by volunteers and operators worldwide. Messages are sent via onion routing: the message is wrapped in several layers of encryption and passes through multiple nodes, each of which removes one layer. No single node simultaneously sees the sender, the recipient, and the content.

This is similar to how Tor works — but for messaging.
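
The layering described above, as an added sketch that is not Session's own code or cryptography: a toy symmetric cipher stands in for the per-node encryption, and the node names, keys and helper functions are all constructed for illustration. It records what each node observes, which shows that no hop learns both endpoints and none can read the content.

```python
import hashlib, hmac, json, os

def _sub(key, label):                      # separate subkeys for cipher and MAC
    return hashlib.sha256(label + key).digest()

def seal(key, plaintext):
    """Toy encrypt-then-MAC (SHAKE-256 keystream + HMAC); stand-in for a real AEAD."""
    nonce = os.urandom(16)
    stream = hashlib.shake_256(_sub(key, b"enc") + nonce).digest(len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("layer does not authenticate under this key")
    stream = hashlib.shake_256(_sub(key, b"enc") + nonce).digest(len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream))

def build_onion(path, recipient, payload):
    """path: [(node, key), ...] in travel order. Wrap the innermost layer first."""
    next_hops = [name for name, _ in path[1:]] + [recipient]
    packet = payload
    for (_, key), nxt in reversed(list(zip(path, next_hops))):
        layer = json.dumps({"next": nxt, "data": packet.hex()}).encode()
        packet = seal(key, layer)
    return packet

def route(path, sender, packet):
    """Each node peels one layer; record (node, previous hop, next hop) as it sees them."""
    views, prev = [], sender
    for name, key in path:
        layer = json.loads(unseal(key, packet))
        views.append((name, prev, layer["next"]))
        prev, packet = name, bytes.fromhex(layer["data"])
    return views, packet

def demo():
    # Constructed names and random keys; real nodes use public-key exchange, not shared secrets.
    path = [(n, os.urandom(32)) for n in ("node-A", "node-B", "node-C")]
    e2e_key = os.urandom(32)                       # known only to sender and recipient
    payload = seal(e2e_key, b"meet at noon")       # end-to-end layer, opaque to every node
    views, delivered = route(path, "sender", build_onion(path, "recipient", payload))
    return views, unseal(e2e_key, delivered)

if __name__ == "__main__":
    print(*demo()[0], sep="\n")
```

Only the first node sees the sender and only the last sees the recipient; the middle node sees neither.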


What Session protects

Property                 | Signal                                | Session
Message content          | Encrypted                             | Encrypted
Phone number required    | Yes                                   | No
Central server           | Yes (Signal Foundation)               | No single central operator
Onion routing            | No                                    | Yes
Legally compellable data | Registration number + last connection | No account, no central log
Post-quantum encryption  | No                                    | Planned via Protocol V2
Account recoverable      | Via number/device                     | Via recovery phrase (seed phrase)

Session cannot respond to a legal order with your phone number or account details — because they simply don’t exist. The network has no central operator that can be subpoenaed.


Honest caveats

Perfect Forward Secrecy (PFS) — a cryptographic property under which encryption keys are rotated regularly, so that if a key is ever compromised, previously sent messages remain safe.

In earlier versions of Session, PFS was entirely absent. That was a serious criticism, and rightfully so — it meant messages could theoretically be decrypted later if keys leaked. According to the current official documentation, Session Protocol V2 is being developed to add PFS and post-quantum properties, but you should not treat that as a fully finished story everywhere yet.

Use the latest available Session version, but do not automatically assume that every V2 claim has already been fully rolled out.

Recovery phrase — your Session ID and keys are stored locally. The only way to restore your account on a new device is via a recovery phrase (seed phrase) you receive during installation. If you lose it, you permanently lose access to your account and conversation history. Store the recovery phrase safely — in KeePassXC or on paper in a secure location.

Performance — onion routing adds latency. Messages are slightly slower than Signal or WhatsApp. For normal conversations this is barely noticeable, but with real-time conversations or a poor connection it can become apparent.

Smaller user base — Session has fewer users than Signal. The smaller the network, the more it stands out when someone uses it at all. In high-risk situations, that’s a consideration.


Installing and getting started

Session is available for Android, iOS, and desktop (Linux, macOS, Windows).

Android: via Google Play, the Session website, or F-Droid (recommended on GrapheneOS).

iOS: via the App Store.

Desktop: download from getsession.org.

On first launch:

  1. Choose “Create account” — no email or number required
  2. Choose a display name (stored locally only)
  3. Save your recovery phrase immediately — you only see it prominently once

Your Session ID appears in your profile. Share it with people you want to message, or let them scan your QR code.


What you can do with it

  • Personal conversations (1 on 1)
  • Group conversations (closed groups and open communities)
  • Voice messages
  • File sharing
  • Disappearing messages (configurable per conversation)

Voice and video calls are supported. Quality is functional, but less polished than Signal or WhatsApp, and Session is still working on the network layer around calls. Do not assume onion-routed calling is already the finished default everywhere.


Who Session is for

Direct value:

  • Journalists and sources who want contact without linking a phone number
  • Activists in countries with surveillance infrastructure
  • People who want to message each other without revealing their phone numbers
  • Anyone skeptical of central parties — the Signal Foundation, however trustworthy, is still a single point of failure
  • IT professionals reaching clients without sharing a personal number

Less suitable for:

  • Daily use where speed matters (onion routing adds latency)
  • People who want to find contacts easily (no phonebook)
  • Situations where nobody around you uses Session — the switching threshold is real

Session vs. SimpleX

Both apps work without a phone number. The difference lies in how identity works.

Session gives you a persistent Session ID — one identity you can restore across multiple devices via a recovery phrase. Convenient, but it also means that ID can become easier to correlate over time if someone follows metadata patterns long enough.

SimpleX has no identifier. Every connection is a new queue. There’s nothing to trace, but also nothing to recover. You choose based on your profile: do you want recoverability or maximum anonymity?


Background: decentralization and governance

Session was developed by the OPTF (Open Privacy Tech Foundation) in Australia. In November 2024 the project was transferred to a new organization and moved to Switzerland — the same jurisdiction as Threema and Proton. That’s a deliberate choice: Swiss privacy law offers better protection against international legal assistance requests than Australian law.

An independent security audit by Quarkslab was completed in 2024-2025. The issues it found have been resolved.
