Passkeys Haven’t Replaced Passwords Yet—Here’s Why

Passkeys have been championed as the future of authentication, offering a more secure and user-friendly alternative to traditional passwords. Despite significant advancements, passwords remain prevalent in daily use.

Passkeys utilize a pair of cryptographic keys: a private key stored securely on the user’s device and a public key held by the service provider. This method ensures that authentication is resistant to phishing attacks, as the private key never leaves the device. On Apple devices, for instance, Face ID or Touch ID verifies the user, with the private key safeguarded within the Secure Enclave. iCloud Keychain facilitates the synchronization of these keys across multiple devices.

Adoption rates for passkeys have been noteworthy. The FIDO Alliance reports that over 15 billion accounts are now capable of using passkeys. Google has documented over a billion passkey authentications across more than 400 million accounts. In 2025, Apple introduced a tool at WWDC that enables apps to create accounts using passkeys from the outset, eliminating the need for passwords. Microsoft has also made strides by setting new accounts to be passwordless by default.

Despite these advancements, many prominent companies have yet to implement passkey support. Notable platforms such as Instagram, Spotify, and Netflix still rely on traditional password systems. This hesitancy is largely attributed to concerns about account recovery processes. The FIDO2 standard, which underpins passkeys, lacks a built-in recovery mechanism. Consequently, if users lose all devices containing their passkeys, they often resort to email reset links—the very vulnerability passkeys aim to eliminate.

While passkeys offer a promising path toward enhanced security and user convenience, their widespread adoption is hindered by the need for robust recovery solutions. Addressing these challenges is crucial for passkeys to fulfill their potential in replacing passwords.