X improved login success rate by 2x after adopting passkeys




Posted by Niharika Arora – Developer Relations Engineer

From breaking news and entertainment to sports and politics, X is a social media app that aims to help almost 500 million users worldwide get the full story with all the live commentary. Recently, X developers revamped the Android app’s login process so users never miss out on the conversations they’re interested in. Using the Credential Manager API, the team implemented new passkey authentication for faster, easier, and safer access to the app.

Simplifying login with passkeys

Today, traditional password-based authentication systems are less secure and more prone to cyber attacks. Many users often choose easy-to-guess passwords, which bad actors can easily crack using brute force attacks. They also reuse the same passwords across multiple accounts, meaning if one password is hacked, all accounts are compromised.

Passkeys address the growing concern of account security from weak passwords and phishing attacks by eliminating the need for passwords entirely. The feature provides a safer, more seamless sign-in experience, freeing users from having to remember their usernames or passwords.

“Passkeys are an easier, safer way to log in, replacing passwords with pins or biometric data like fingerprints or facial recognition,” said Kylie McRoberts, head of security at X. “We explored using passkeys to make signing in easier and safer for users, helping protect their accounts without the trouble of remembering passwords.”

Since implementing passkeys, the X team has seen a substantial reduction in login times and metrics showing improved login flow. With passkeys, the app’s successful login rate has doubled compared to when it only relied on passwords. The team has also seen a decline in password reset requests from users who’ve enabled passkeys.

According to X developers, adopting passkeys even came with benefits beyond enhanced security and a simplified login experience, like lower costs and improved UX.

“Passkeys allowed us to cut down on expenses related to SMS-based two-factor authentication because they offer strong, inherent authentication,” said Kylie. “And with the ease of login, users are more likely to engage with our platform since there’s less friction to remember or reset passwords.”

Passkeys rely on public-key cryptography to authenticate users and provide them with private keys. This means websites and apps can see and store the public key, but never the private key, which is encrypted and stored by the user’s credential provider. As keys are unique and tied to the website or app, they cannot be phished, further enhancing their security.

“We achieved an 80% code reduction in the authentication module, a 90% resolution of legacy edge case bugs, and an 85% decrease in GIS, One Tap, and Smart Lock code using passkeys.” — Saurabh Arora, Staff Engineer at X.

Seamless integration using the Credential Manager API

To integrate passkeys, X developers used Android’s Credential Manager API, which made the process “extraordinarily easy,” according to Kylie. The API unifies Smart Lock, One Tap, and Google Sign-In into a single, streamlined workflow. This also allowed developers to remove hundreds of lines of code, boosting implementation and reducing maintenance overhead.

In the end, the migration to Credential Manager took X developers only two weeks to complete, followed by an additional two weeks to fully support passkeys. This was a “very quick migration” and the team “didn’t expect it to be that straightforward and easy,” said Saurabh Arora, a staff engineer at X. Thanks to Credential Manager’s simple, coroutine-powered API, the complexities of handling multiple authentication options were essentially removed, reducing code, the chance of bugs, and overall developer effort.

X developers saw a significant improvement in developer velocity by integrating the Credential Manager API. With their shift to passkey adoption through the Credential Manager API, they achieved:

    • 80% code reduction in the authentication module
    • 90% resolution of legacy edge case bugs
    • 85% decrease in GIS, One Tap, and Smart Lock handling code

Using the Credential Manager API’s top-level methods, like createCredential and getCredential, simplified integration by removing custom logic complexities surrounding individual protocols. This uniform approach also meant X developers could use a single, consistent interface to handle various authentication types, such as passkeys, passwords, and federated sign-ins like Sign in with Google.

“With Credential Manager’s simple API methods, we could retrieve passkeys, passwords, and federated tokens with a single call, cutting down on branching logic and making response handling cleaner,” said Saurabh. “Using different API methods, like createCredential() and getCredential(), also simplified credential storage, letting us handle passwords and passkeys in a single place.”

X developers didn’t face many challenges when adopting Sign in with Google using the Credential Manager API. Replacing X’s previous Google Sign-In, One Tap, and Smart Lock code with a simpler Credential Manager implementation meant developers no longer had to handle connection or disconnection statuses and activity results, reducing the margin of error.
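The single-call retrieval described above, as an added example (not X's code and not part of the original post): one getCredential request offers passkey, password, and Sign in with Google options, and one dispatch handles whichever the user picks. SignInAttempt, signIn, requestJson, and serverClientId are hypothetical names; the code assumes an Android project with the androidx.credentials and googleid libraries, and the backend still verifies every returned value.

```kotlin
import android.content.Context
import androidx.credentials.CredentialManager
import androidx.credentials.CustomCredential
import androidx.credentials.GetCredentialRequest
import androidx.credentials.GetPasswordOption
import androidx.credentials.GetPublicKeyCredentialOption
import androidx.credentials.PasswordCredential
import androidx.credentials.PublicKeyCredential
import androidx.credentials.exceptions.GetCredentialException
import androidx.credentials.exceptions.NoCredentialException
import com.google.android.libraries.identity.googleid.GetGoogleIdOption
import com.google.android.libraries.identity.googleid.GoogleIdTokenCredential

// Hypothetical result type: what the app forwards to its own backend for verification.
sealed interface SignInAttempt {
    data class Passkey(val assertionJson: String) : SignInAttempt
    data class Password(val username: String, val password: String) : SignInAttempt
    data class GoogleIdToken(val idToken: String) : SignInAttempt
    data class Failed(val reason: String) : SignInAttempt
}

// requestJson: WebAuthn request options from the server (fresh challenge per attempt).
suspend fun signIn(activityContext: Context, requestJson: String, serverClientId: String): SignInAttempt {
    val request = GetCredentialRequest(
        listOf(
            GetPublicKeyCredentialOption(requestJson),
            GetPasswordOption(),
            GetGoogleIdOption.Builder().setServerClientId(serverClientId).build(),
        )
    )
    return try {
        val credential = CredentialManager.create(activityContext)
            .getCredential(activityContext, request).credential
        when {
            // The app receives only a signed assertion; the private key stays with the provider.
            credential is PublicKeyCredential -> SignInAttempt.Passkey(credential.authenticationResponseJson)
            credential is PasswordCredential -> SignInAttempt.Password(credential.id, credential.password)
            credential is CustomCredential &&
                credential.type == GoogleIdTokenCredential.TYPE_GOOGLE_ID_TOKEN_CREDENTIAL ->
                SignInAttempt.GoogleIdToken(GoogleIdTokenCredential.createFrom(credential.data).idToken)
            else -> SignInAttempt.Failed("unexpected credential type: ${credential.type}")
        }
    } catch (e: NoCredentialException) {
        SignInAttempt.Failed("no saved credential; fall back to manual sign-in")
    } catch (e: GetCredentialException) {
        SignInAttempt.Failed("credential retrieval failed: ${e.type}")
    }
}
```

The passkey assertion JSON and the Google ID token are bearer inputs to the backend, which checks the signature, challenge, and audience before creating a session.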

A UI example of passkeys on X

A future with passkeys

X’s integration of passkeys shows that a more secure and user-friendly authentication experience can be achieved. By leveraging the Credential Manager API, X developers simplified the integration process, reduced potential bugs, and improved both security and developer velocity, all while sharpening the user experience.

“Our advice for developers considering passkey integration would be to take advantage of the Credential Manager API,” said Saurabh. “It really simplifies the process and reduces the code you need to write and maintain, making implementation better for developers.”

Looking ahead, X plans to further enhance the user experience by allowing sign-ups with passkeys alone and providing a dedicated passkey management screen.

Get started

Learn how to improve your app’s login UX using passkeys and the Credential Manager API.

roosho Senior Engineer (Technical Services)
I am Rakib Raihan RooSho, Jack of all IT Trades. You got it right. Good for nothing. I try a lot of things and fail more than that. That's how I learn. Whenever I succeed, I note that in my cookbook. Eventually, that became my blog. 