HeadlinesBriefing favicon HeadlinesBriefing.com

Passkeys Still Haven't Replaced Passwords Despite Major Adoption

9to5Mac •
×

Passkeys were supposed to kill passwords years ago, yet this week the author authenticated with traditional passwords more times than they could count. Adoption metrics are impressive: the FIDO Alliance reports over 15 billion accounts now support passkey sign-in, and Google says its passkeys have authenticated users more than a billion times across 400 million accounts. At WWDC 2025, Apple introduced an account creation tool that lets apps register users with a passkey from the start, while Microsoft made new accounts passwordless by default.

Technically, passkeys are sound. Each consists of a private key that never leaves your device — stored in the Secure Enclave on Apple hardware — and a public key on the service. Face ID or Touch ID verifies you locally, so nothing phishable travels over the wire. iCloud Keychain syncs private keys across iPhone, iPad, and Mac within their respective enclaves.

Yet major holdouts remain. A new shame site lists Instagram, Spotify, and Netflix among services still lacking passkey support. The resistance centers on recovery: the FIDO2 standard has no built-in recovery flow, so losing every enrolled device falls back to an email reset link — the exact weakness passkeys were meant to eliminate. Portability is another friction point; passkeys live in siloed vaults (iCloud Keychain, Google Password Manager, browsers) that don't yet interoperate.

Apple moved first on portability with iOS 26's cross-platform passkey import and export, a notable shift for its historically closed Keychain. The Credential Exchange Protocol aims to standardize this, but until recovery is reliable, portability seamless, and sites actually remove the password field, the password era isn't ending. Passkeys will win eventually — just not on the timeline bullish supporters promised.