Why TikTok’s passkeys are advancing online security

Passkeys leverage biometric security features like fingerprint authentication to simplify and secure user logins. Image created by DALL·E 3.

Passkeys are gaining traction in the enterprise world, much like a TikTok video trending globally, generating millions of likes, comments, and shares. As the risks of phishing and ransomware continue to grow, organisations like Visa, Mercari, SK Telecom, and now TikTok, are adopting passwordless authentication to enhance security and protect users.

With TikTok evolving from an entertainment hub into an online marketplace following the introduction of its Yellow Basket feature, stronger security measures are critical to safeguarding buyers and sellers alike.

“Our journey started back during COVID. At that time, we wanted to explore how we could leverage technology which could improve our enterprise security,” said Yan Cao, TikTok’s Engineering Manager, during the FIDO APAC Summit 2024 in Malaysia.

Evolving landscape

There are many reasons an organisation might adopt passwordless features on their platform. Foremost among these is the vulnerability of passwords to phishing, which poses significant risks to banking apps, e-commerce platforms, and social media accounts.

Additionally, users often forget their passwords, facing difficulties retrieving them. This can lead to abandoned online purchases, resulting in lost sales.

Yan Cao, Engineering Manager, TikTok. Image courtesy of TikTok.

In the third quarter of 2022, TikTok completed its internal enterprise single sign-on (SSO) integration and introduced multi-factor authentication for its employees.

“Around that same time, Apple introduced iOS passkey support at WWDC, and we became more confident that passkey is the future of authentication. By Q1 2023, we kicked off our passkey project for TikTok on iOS to get more help from FIDO community leaders. We joined the FIDO Alliance in the same quarter, and almost six months later, we began our iOS roll-out,” Cao said.

As this was the company’s first global roll-out, TikTok proceeded cautiously, conducting extensive A/B testing to gather clear evidence of passkeys’ effectiveness. The roll-out began in territories outside the United States before eventually expanding to the US. Five months after launch, 35 million TikTok users had signed up for the passkey feature.

Passkey support for Android soon followed, launching in the first quarter of 2024. By the subsequent quarter, TikTok had reached 100 million passkey sign-ups, and by Q3, the number was nearing 130 million.

Meanwhile, the success rate for one-time logins using passkeys stood at 97%, according to Sean Liu, TikTok’s Technical Program Manager.

“Compared to other security login methods, passkey is actually 17 times faster. Passkeys also saved us 2% annually on SMS one-time password costs,” he said.

Passkey strategy

Even when passwords are backed by two-factor authentication, TikTok found passkeys to be a far superior sign-in method. However, there was still a learning curve in getting people to try it.

“The first thing we did was to make passkeys the primary login method. Many companies introduce passkeys as just a secondary option within the 2FA login approach, because they want to minimise changes to the existing mode, but the problem is the low adoption rate of 2FA,” Liu observed.

Sean Liu, Technical Program Manager, TikTok. Image courtesy of TikTok.

For Android users, the technical requirements are as follows:

  • A device running Android 9.0 or later.
  • A screen lock enabled on the device.

For iOS users, the following are required:

  • A device running iOS 16, iPadOS 16, macOS Ventura, tvOS 16 or later.
  • iCloud Keychain turned on in the Apple device settings.
  • Two-factor authentication enabled for the Apple ID.

“Passkeys can provide a more secure and simplified login method than traditional passwords because they take advantage of security features already allowed on your device, such as Face ID (Apple), Passcode (Apple), Touch Unlock (Android), and PIN (Android). TikTok can’t access this biometric data and is only notified if the authentication is accepted,” TikTok explained in its FAQ page.

The second strategy TikTok implemented was the ‘discover login’ approach, which identifies the last login at the start of the sign-in process, before the user types anything.

“The whole process is really smooth. Users don’t need to type in anything during login appearance. To be honest, we initially worried about this dramatic change due to potential negative feedback from users, especially those with multiple accounts on the same device. This one page, which offers discover login, shows all the passkeys on the device and links them with the app. People may be confused at first by the number of passkeys, but the facts show that they can figure it out and adopt a new approach,” Liu added.

Thirdly, TikTok introduced passkeys during the account sign-up process.

“We may be one of the few companies that introduced passkeys during account sign-up. It simplified our account sign-up process from seven steps to four steps,” Liu remarked.

Meanwhile, Cao revealed that they took different approaches to securing buy-in from internal stakeholders and consumers.

“On the consumer side, we took a bottom-up approach, involving identifying the right product team that helps with the flow and explaining it to the ROI team. On the enterprise side, we took more of a top-down approach. After reviewing with our CISO and securing the buy-in, we worked with our IT team to manage the internal output,” he said.

Following the iOS and Android roll-outs, TikTok is now working to enable web users to leverage passkeys and is planning to add more functionalities, such as public payments and risk verification, Cao concluded.