For the overwhelming majority of people, it would just lead to alert fatigue, where users start ignoring the alerts because 99% of the time they're not actually indicative of a problem.
Where I live at least people rarely switch phone numbers and I have yet to hear about a single person that I know or have worked with who have had their phone number hijacked.
So, lets say that other people are less lucky than me and this warning will pop up twice a year, -will that be enough to trigger warning fatigue?
IMO, probably not.
Will we still have a problem with warning fatigue? Yes. Why? Because of the sticker and warning requirements created by American lawsuits and EU cookie law. (Oh, and IIRC my country isn't much better in this regard, just smaller so less of a problem.)
While not a citation I hope this explains my reasoning.
> Where I live at least people rarely switch phone numbers…
First, it's not about people switching phone numbers. It's about switching devices. This can be something as innocuous as uninstalling/reinstalling the WhatsApp app. Or upgrading their phone on a one or two year cycle. Or because they broke their phone and are using a friend's old phone for a few weeks. Or wanting to send and read messages on their laptop too. And their work laptop. Except they also had their work laptop reinstalled because of a virus, or because IT needed to do an upgrade, or whatever.
This shit happens all the time.
> …and I have yet to hear about a single person that I know or have worked with who have had their phone number hijacked.
I think this proves my point. The signal-to-noise ratio for this type of message is precisely zero for greater than 99.999% of WhatsApp users who are not being singled out by a nation-state for surveillance. And he number of these users who actually bothers to confirm keys out-of-band is, while not precisely zero, near enough as to make no difference.
For users who do anticipate being singled out, there are two plausible options: they are savvy enough to look into the settings and ensure the toggle is enabled, or they're not savvy enough to look for this type of option, and they're probably screwed anyway because actually achieving practical privacy against a highly-funded and highly-motivated governmental adversary is brutally hard and requires significantly more active involvement than merely toggling a switch on a messaging app.
> So, lets say that other people are less lucky than me and this warning will pop up twice a year
Twice a year times fifty contacts adds up to seeing this message frequently enough that you learn to subconsciously ignore it. People still try to bypass virtually every TLS warning browsers throw at them even though that number for most people is less than once per year, and even though browsers have made it painfully difficult to do so.
