For years, bullish supporters have heralded passkeys as the future of sign-on, while traditional passwords are seen as a relic of the past. Yet in daily practice, many users still type passwords countless times a week. Despite impressive adoption — over 15 billion accounts now support passkeys, according to the FIDO Alliance — their usage remains far from universal. Google reports that its own passkeys have authenticated users over a billion times across more than 400 million accounts. At WWDC 2025, Apple introduced a new account creation tool that lets apps sign you up with a passkey from the start, so no password is ever required. Microsoft went further by making new accounts passwordless by default. However, passwords are still very much alive.
How passkeys work explains why they are more secure
A passkey consists of two cryptographic keys: a private key that never leaves the user's device and a public key stored on the website being accessed. When signing in, the device proves it holds the private key without ever sending data a cybercriminal could intercept, making passkeys immune to phishing. On Apple devices, Face ID or Touch ID handle verification while the private key resides in the Secure Enclave. If you use multiple devices, iCloud Keychain syncs the private keys across iPhone, iPad, and Mac, all within Secure Enclave-protected boundaries.
Sponsored Protocol
Corporate resistance to passkey adoption slows the transition
Despite the benefits, many companies are reluctant to abandon passwords. A new website recently appeared to shame popular services that still don't offer passkeys, including Instagram, Spotify, and Netflix. The main reason for resistance is account recovery. FIDO2, the standard passkey protocol, has no built-in recovery flow. If a user loses all devices holding their passkeys, the fallback is an email reset link — exactly the weak point passkeys were meant to eliminate. Consequently, many SaaS companies keep the old password field on the login screen as a backup.
Sponsored Protocol
Portability and interoperability remain open challenges
Portability is another hurdle. Since passkeys live in iCloud Keychain, Google Password Manager, different browsers, and so on, those vaults do not communicate and cannot hand credentials to each other. Switching ecosystems can therefore turn passwordless into lock-in. Apple made a significant move with iOS 26 by introducing cross-platform passkey import and export, a notable shift from its previously closed Keychain ecosystem. However, until the Credential Exchange Protocol works seamlessly across all platforms, the transition will remain bumpy.
Sponsored Protocol
The future of passkeys is promising but still distant
The cryptography behind passkeys is sound and offers superior phishing resistance. Yet the real problem is not technical but operational: recovery must be reliable, portability seamless, and websites must actually remove the password field. Apple is ahead of most with the smoothest ecosystem experience and shipped export support before Google. But until these gaps are closed, passwords will not disappear anytime soon. For more on related security topics, check out our article on MQTT for IoT. For a general overview of passkeys, see the Wikipedia page.