A month after TikTok rolled out multi-factor authentication (MFA) for its users, a ZDNet reader discovered that the company's new security feature was only enabled for the mobile app but not its website.
This lapse in TikTok's MFA implementation opens the door for scenarios where a malicious threat actor could bypass MFA by logging into an account with compromised credentials via its website, rather than the mobile app.
Reached out for comment on the ZDNet reader's findings, a TikTok spokesperson said the company plans to expand MFA to cover its official website in the coming future.
In the meantime, users who have enabled MFA for their TikTok account for security reasons should not be lowering their guard and reuse passwords from other accounts, thinking MFA blocks all attackers. These users should continue to use complex and hard-to-guess passwords.
www.zdnet.com
