The End of the Password: The Evidence Behind the 5 Billion Passkeys Now in Use
With 5 billion passkeys now active globally, the transition to passwordless authentication has reached a tipping point. Evidence shows the cryptographic standard is virtually eliminating credential phishing, though enterprise fallback systems remain a vulnerability.
By Factlen Editorial Team
- Standards Bodies & Platform Providers
- Advocates for universal passkey adoption to eliminate credential theft.
- Enterprise IT & Security Teams
- Focused on the practical challenges of deployment, legacy compatibility, and secure recovery.
- Cybersecurity Analysts
- Monitoring the shift in attacker behavior as traditional phishing becomes less effective.
What's not represented
- · Small business owners who lack the IT budget to overhaul legacy authentication systems.
- · Users with older smartphones that lack the biometric hardware required for seamless passkey use.
Why this matters
For decades, stolen passwords have been the primary vector for identity theft and corporate data breaches. The mainstream adoption of passkeys represents a rare, structural victory in cybersecurity that permanently removes human memory from the authentication process, making users fundamentally safer.
Key points
- There are now an estimated 5 billion passkeys in active use globally, with 75% of consumers having enabled at least one.
- Passkeys rely on public key cryptography, making them mathematically immune to traditional credential phishing.
- Microsoft data shows passkey sign-ins succeed 98% of the time and are eight times faster than password logins.
- Enterprise adoption is accelerating, with 68% of organizations actively deploying or piloting passkeys for employees.
- The primary hurdle to full enterprise adoption is securing the 'fallback' recovery process when a user loses their device.
- Cross-ecosystem syncing remains a friction point for consumers moving between Apple, Google, and Windows devices.
For decades, the cybersecurity industry has treated human memory as its greatest vulnerability. The reliance on reusable passwords has fueled a multi-billion-dollar economy of credential stuffing, phishing, and identity theft. But in 2026, the data suggests the industry is finally engineering its way out of the problem. The transition to passwordless authentication, driven by the FIDO Alliance's "passkey" standard, has crossed a critical threshold from early adoption to an operational baseline.[1][8]
The scale of the shift is staggering. According to the FIDO Alliance's 2026 State of Passkeys report, there are now an estimated 5 billion passkeys in active use worldwide. Consumer awareness of the technology has climbed to 90%, up from 75% just a year prior, and three-quarters of consumers have enabled a passkey on at least one of their accounts.[1][2]
The core claim behind passkeys is that they eliminate credential phishing entirely. Unlike a password, which is a shared secret that can be intercepted or typed into a fake website, a passkey relies on public key cryptography. When a user registers a passkey, their device generates a unique cryptographic key pair. The public key is shared with the website, while the private key never leaves the user's device.[8]
Because the authentication protocol requires the device to sign a cryptographic challenge bound to the specific domain of the website, a passkey cannot be tricked by a lookalike phishing page. If a user clicks a malicious link to a fake banking site, the passkey simply will not authenticate, because the domain does not match the cryptographic record stored on the device.[2][8]
The evidence of this efficacy is now materializing in large-scale deployments. The Japanese e-commerce marketplace Mercari, which serves millions of users, reported zero phishing incidents since it introduced passkeys in 2023. Beyond security, the usability metrics are driving corporate adoption. Microsoft's telemetry data reveals that passkey sign-ins succeed 98% of the time, compared to a dismal 32% success rate for traditional password logins.[3][5]
Furthermore, Microsoft found that passkey authentications are eight times faster than typing a password and waiting for a multi-factor authentication (MFA) code. This reduction in friction is a primary reason why 49% of consumers now report using passkeys regularly whenever they are available.[1][3]
Furthermore, Microsoft found that passkey authentications are eight times faster than typing a password and waiting for a multi-factor authentication (MFA) code.
The enterprise sector is moving in parallel, driven by the stark reality of the threat landscape. The Verizon 2025 Data Breach Investigations Report confirmed that 22% of all breaches still begin with stolen credentials, making it the leading vector for initial access. To combat this, 68% of organizations surveyed in 2026 are either deploying or actively piloting passkeys for their employee sign-ins.[1][2][6]
This represents a broader shift toward "phishing-resistant" authentication. For years, companies relied on SMS text messages or standard authenticator apps for MFA. However, attackers easily bypass these methods using proxy sites that intercept the one-time codes. According to identity provider Okta, the enterprise adoption of truly phishing-resistant authenticators—which includes passkeys and hardware security keys—surged by 63% year-over-year by early 2025.[4][7][8]
Despite the overwhelming evidence of their security benefits, the transition is not without friction. The primary uncertainty lies in legacy compatibility and organizational inertia. A PCMag analysis of the FIDO data noted that while 68% of organizations are piloting passkeys, 57% still rely on phishable authentication methods for their employees' primary day-to-day sign-ins.[2]
The hesitation often stems from the complexity of the "fallback" path. If an employee loses their smartphone or laptop, they lose the physical device holding their passkeys. Organizations must design secure recovery workflows to restore access without reverting to a vulnerable password. If the helpdesk simply emails a temporary password to a user who lost their phone, the entire passwordless security model is undermined.[7][8]
Consumer adoption faces its own set of structural challenges. The passkey ecosystem is currently dominated by the major platform providers—Apple, Google, and Microsoft—who sync passkeys across their respective cloud environments. While this makes recovery easy if a user stays within the Apple ecosystem, moving a passkey from an iPhone to a Windows PC can still introduce confusing dialog boxes and friction.[2][8]
Third-party password managers are aggressively updating their software to manage passkeys across different operating systems, but users frequently encounter competing prompts from their browser, their OS, and their password manager, all vying to save the credential. This user experience fragmentation remains the largest barrier to universal, seamless adoption.[2][8]
Even with these hurdles, the trajectory is clear. The threat that passkeys exist to stop is immense; Microsoft reports blocking roughly 7,000 password attacks per second across its Entra ID network. As the technology matures, the strategic debate among cybersecurity professionals has shifted from convincing users to adopt the standard, to ensuring that corporate infrastructure can support it securely.[5][7]
The era of the reusable password is not ending with a sudden switch, but through a steady, cryptographic attrition. With 5 billion passkeys already deployed and major platforms enforcing the standard, the industry has finally produced a security control that is both mathematically superior and fundamentally easier for the average person to use.[1][8]
How we got here
2012
The FIDO Alliance is founded to develop open standards for passwordless authentication.
2022
Apple, Google, and Microsoft announce expanded support for the FIDO standard, coining the term 'passkeys'.
2023
Major consumer platforms, including Amazon and WhatsApp, roll out passkey support to billions of users.
2025
Phishing-resistant authenticator adoption in the enterprise jumps 63% year-over-year.
May 2026
The FIDO Alliance reports that 5 billion passkeys are now in active use worldwide.
Viewpoints in depth
Standards Bodies & Platform Providers
Tech giants and the FIDO Alliance view passkeys as the ultimate solution to the password problem.
For the architects of the passkey standard—including Apple, Google, and Microsoft—the technology represents the culmination of a decade-long effort to deprecate the reusable password. Their evidence points to massive usability gains: Microsoft reports that passkey sign-ins are eight times faster than passwords and succeed 98% of the time. By embedding the cryptographic keys directly into the operating systems and syncing them via cloud ecosystems, these providers argue they have finally aligned high security with low user friction.
Enterprise IT & Security Teams
Corporate defenders are eager for the security benefits but struggle with legacy integration.
While CISOs recognize that passkeys eliminate credential phishing, the enterprise reality is messy. IT teams must manage a hybrid environment where modern SaaS applications support passkeys, but legacy on-premises software does not. Furthermore, security teams are highly focused on 'fallback' mechanisms. If an employee loses their device and the helpdesk issues a temporary password to restore access, that password becomes the weakest link. For enterprises, the challenge has shifted from adopting the technology to governing the recovery process.
Threat Actors
Cybercriminals are adapting to the passwordless shift by targeting session cookies and recovery flows.
The criminal ecosystem is highly pragmatic. As passkeys make traditional credential stuffing and phishing pages obsolete, attackers are pivoting. Security researchers note a rise in 'adversary-in-the-middle' attacks aimed at stealing session cookies—the temporary tokens generated after a successful login. Additionally, attackers are increasingly targeting the IT helpdesk through social engineering, attempting to trick human operators into resetting an account's primary authentication method back to a phishable standard.
What we don't know
- How quickly legacy on-premises enterprise software will be updated to support modern passkey standards.
- Whether a unified, frictionless standard for transferring passkeys between competing ecosystems (like Apple to Windows) will be universally adopted.
- The long-term impact of adversary-in-the-middle attacks targeting session cookies once passwords are fully deprecated.
Key terms
- Passkey
- A discoverable FIDO credential that replaces a password with a cryptographic key pair, unlocked via local biometrics or a PIN.
- Phishing-resistant MFA
- Multi-factor authentication methods that cannot be intercepted or tricked by fake websites, such as hardware security keys and passkeys.
- Credential Stuffing
- An automated attack where hackers use lists of stolen passwords to breach user accounts across multiple websites.
- Public Key Cryptography
- The underlying math of passkeys, where a public key is stored on the server and a private key remains securely on the user's device.
Frequently asked
What exactly is a passkey?
A passkey is a digital credential tied to your device that uses cryptography instead of a password. You unlock it using your device's biometrics (like Face ID or a fingerprint) or a PIN.
What happens if I lose my phone?
Passkeys are typically backed up to your cloud ecosystem (like Apple iCloud Keychain or Google Password Manager) and sync across your devices, allowing you to recover them on a new device.
Can a passkey be phished?
No. Because passkeys rely on a cryptographic exchange bound to a specific website's domain, a fake login page cannot trick your device into handing over the credential.
Are passwords completely gone?
Not yet. While passkey adoption is surging, many legacy systems and enterprise fallback methods still rely on passwords, which remain a target for attackers.
Sources
Source coverage
8 outlets
3 viewpoints surfaced
[1]FIDO AllianceStandards Bodies & Platform Providers
Five Billion Passkeys: FIDO Alliance Reports Mainstream Global Usage on World Passkey Day 2026
Read on FIDO Alliance →[2]PCMagEnterprise IT & Security Teams
Passkeys Pass Major Milestones, But Organizational Inertia Holds Them Back
Read on PCMag →[3]BrightDefenseCybersecurity Analysts
Future of Password Security: 2026 Statistics and Trends
Read on BrightDefense →[4]OktaEnterprise IT & Security Teams
Secure Sign-in Trends Report 2025
Read on Okta →[5]MicrosoftStandards Bodies & Platform Providers
Microsoft Digital Defense Report 2025
Read on Microsoft →[6]VerizonEnterprise IT & Security Teams
2025 Data Breach Investigations Report
Read on Verizon →[7]NHIMGCybersecurity Analysts
2026 FIDO Report: Passkeys at Global Scale
Read on NHIMG →[8]Factlen Editorial TeamStandards Bodies & Platform Providers
Synthesis by Factlen editorial team
Read on Factlen Editorial Team →
More in technology
See all 6 stories →Mars Exploration
NASA Taps Eric Schmidt's Relativity Space for 2028 Mars Weather Mission
6 sources
Smart Home
Aura Launches Cordless $499 E-Ink Photo Frame That Looks Like a Real Print
6 sources
AI Infrastructure
Fine-Tuning Forgets, RAG Leaks: Why Hypernetworks Are the Next Era of AI Infrastructure
6 sources
Open Social Web
How the Open Social Web is Finally Giving Users Control of Their Data
8 sources
Every angle. Every day.
Get technology stories with full source coverage and perspective breakdowns delivered to your inbox.