The Password is Dying: How Passkeys Reached 5 Billion Users by 2026
Backed by new government standards and tech giants, cryptographic passkeys have reached critical mass, effectively neutralizing phishing attacks for billions of users.
By Factlen Editorial Team
- Security Standards Bodies: Focus on eliminating shared secrets and establishing mathematically sound, phishing-resistant protocols.
- Platform Providers: Prioritize usability and consumer adoption by syncing credentials seamlessly across their device ecosystems.
- Enterprise IT Leaders: Value the technology for its return on investment, specifically reducing helpdesk costs and mitigating workforce breaches.
- Security Researchers: Highlight implementation flaws, user behavior risks, and the danger of centralizing trust in cloud sync fabrics.
What's not represented
- Elderly or low-tech users who struggle with biometric device locks
- Privacy advocates concerned about the normalization of biometric authentication
Why this matters
Passwords are the root cause of over 80% of data breaches and a constant source of daily frustration. The mass adoption of passkeys means your digital accounts are becoming mathematically immune to phishing, while simultaneously becoming easier to log into.
Key points
- By mid-2026, an estimated 5 billion passkeys are in active use worldwide.
- Passkeys use public-key cryptography, meaning no shared secret is stored on corporate servers.
- The technology effectively neutralizes phishing and credential stuffing attacks.
- NIST updated its digital identity guidelines to formally recognize syncable passkeys for high-security environments.
- Enterprises report a 35% reduction in helpdesk tickets related to password resets.
- Security researchers warn that centralizing passkeys in cloud accounts creates a single point of failure.
For decades, the cybersecurity industry has chased a singular, elusive goal: killing the password. In 2026, the data suggests it has finally succeeded.[7]
The FIDO Alliance estimates that 5 billion passkeys are now in active use worldwide, marking a permanent shift in how humans authenticate their digital lives.[1]
According to the State of Passkeys 2026 report, 90% of consumers are now aware of the technology, and 75% have enabled a passkey on at least one account.[1]
Passkeys replace traditional passwords with a cryptographic mechanism known as FIDO2 or WebAuthn. Instead of typing a memorized string of characters, users simply unlock their device using a biometric scan—like a fingerprint or facial recognition—or a local PIN.[5]
The underlying security relies on public-key cryptography. When a user creates a passkey for a website, their device generates a unique cryptographic key pair.[4]
The public key is sent to the website's server, while the private key remains locked inside the device's secure hardware enclave. Because the private key never leaves the device, there is no "shared secret" stored on a corporate server.[5]

This architectural shift effectively neutralizes phishing and credential stuffing. Even if hackers breach a company's database, they only steal useless public keys, and fake login pages cannot trick a passkey into handing over credentials.[4]
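The origin binding described above can be seen in a small simulation of a WebAuthn-style sign-in. This is an added example, not code from the article or from any vendor; the host names, the `Authenticator` class and the simplification that the relying-party ID equals the hostname are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');
const sha256 = (data) => crypto.createHash('sha256').update(data).digest();
// Authenticator: one key pair per relying-party ID; private keys stay in this object.
class Authenticator {
  constructor(keys = new Map()) { this.keys = keys; }
  register(rpId) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.keys.set(rpId, privateKey);
    return publicKey; // the only thing the server ever stores
  }
  getAssertion(origin, challenge) {
    // origin is supplied by the browser, not by page script; rpId simplified to the hostname
    const rpId = new URL(origin).hostname;
    const privateKey = this.keys.get(rpId);
    if (!privateKey) return null; // no credential is scoped to this site
    const clientDataJSON = Buffer.from(JSON.stringify(
      { type: 'webauthn.get', challenge: challenge.toString('base64url'), origin }));
    // authenticatorData: rpIdHash (32 bytes) | flags UP+UV | signCount = 1
    const authenticatorData = Buffer.concat([sha256(rpId), Buffer.from([0x05, 0, 0, 0, 1])]);
    const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
    return { clientDataJSON, authenticatorData, signature: crypto.sign('sha256', signed, privateKey) };
  }
}

// Relying party: holds only the public key and checks what the signature is bound to.
function verifyAssertion(assertion, { publicKey, rpId, origin, challenge }) {
  if (!assertion) return 'no-credential';
  const clientData = JSON.parse(assertion.clientDataJSON.toString('utf8'));
  if (clientData.type !== 'webauthn.get') return 'bad-type';
  if (clientData.challenge !== challenge.toString('base64url')) return 'bad-challenge';
  if (clientData.origin !== origin) return 'bad-origin';
  if (!assertion.authenticatorData.subarray(0, 32).equals(sha256(rpId))) return 'bad-rp-id';
  const signed = Buffer.concat([assertion.authenticatorData, sha256(assertion.clientDataJSON)]);
  return crypto.verify('sha256', signed, publicKey, assertion.signature) ? 'ok' : 'bad-signature';
}

// Constructed scenario (made-up hosts); misScoped is a hypothetical authenticator holding the key under the fake host.
function demo() {
  const device = new Authenticator();
  const rp = { rpId: 'bank.example', origin: 'https://bank.example', challenge: crypto.randomBytes(32) };
  rp.publicKey = device.register(rp.rpId);
  const fake = 'https://bank-login.example';
  const misScoped = new Authenticator(new Map([['bank-login.example', device.keys.get(rp.rpId)]]));
  return {
    genuine: verifyAssertion(device.getAssertion(rp.origin, rp.challenge), rp),
    phishingPage: verifyAssertion(device.getAssertion(fake, rp.challenge), rp),
    wrongOrigin: verifyAssertion(misScoped.getAssertion(fake, rp.challenge), rp),
  };
}
console.log(demo());
```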
The consumer tipping point arrived when major platform providers integrated passkeys directly into their operating systems. Google accelerated this transition in late 2023 by making passkeys the default sign-in option for personal accounts.[3]
By embedding passkeys into the native "sync fabrics" of iOS, Android, and Windows, tech giants solved the technology's biggest historical hurdle: device loss. If a user drops their smartphone in a lake, their passkeys are safely restored on a new device via their cloud keychain.[3][7]

Following the consumer rollout, the enterprise and government sectors received a crucial green light in July 2025. The U.S. National Institute of Standards and Technology (NIST) released Revision 4 of its SP 800-63 Digital Identity Guidelines.[2]
The updated NIST guidelines officially recognized "syncable passkeys" as meeting Authenticator Assurance Level 2 (AAL2). This regulatory blessing allowed heavily regulated industries, such as finance and healthcare, to deploy passkeys for their workforces without violating strict compliance frameworks.[2]
For businesses, the return on investment has been immediate. Organizations deploying passkeys report a 45% reduction in employee login times and a 35% drop in helpdesk tickets related to password resets.[1][6]

However, security researchers caution that passkeys are not entirely invulnerable. Academic studies analyzing FIDO2 deployments have found that when users are required to set a fallback PIN for hardware security keys, up to 40% choose simple, easily guessable numbers.[4]
Furthermore, the reliance on synced passkeys introduces a new centralized point of failure. Because passkeys are backed up to Apple, Google, or Microsoft cloud accounts, the security of a user's entire digital life is now inextricably linked to the security of that primary ecosystem account.[4][7]
Cross-ecosystem friction also remains a challenge. While transferring a passkey from an old iPhone to a new iPhone is seamless, moving credentials between competing ecosystems—such as from Apple to Android—still relies on clunky QR code scans or third-party password managers.[6][7]
Despite these growing pains, the trajectory of authentication is set. The password is no longer the default front door to the internet; it is rapidly becoming a legacy fallback, reserved only for old systems and rare account recovery scenarios.[7]
How we got here
- 2013: The FIDO Alliance is founded with the mission to solve the world's password problem.
- 2022: Apple, Google, and Microsoft commit to expanding support for FIDO standards across their platforms.
- Late 2023: Google makes passkeys the default sign-in method for personal accounts, accelerating consumer adoption.
- July 2025: NIST updates its digital identity guidelines (SP 800-63-4) to formally recognize syncable passkeys.
- Mid-2026: The FIDO Alliance reports that 5 billion passkeys are in active use globally, with 75% of consumers enabling at least one.
Viewpoints in depth
Security Standards Bodies
Focus on eliminating shared secrets and establishing mathematically sound, phishing-resistant protocols.
Organizations like the FIDO Alliance and NIST view the password as a fundamentally broken concept because it relies on a 'shared secret'—a piece of data that both the user and the server must know. By transitioning to public-key cryptography, these bodies aim to remove the human element from authentication security. Their primary goal is to ensure that even if a user is tricked by a perfect replica of a login page, the underlying cryptographic protocol will refuse to hand over the credentials.
Platform Providers
Prioritize usability and consumer adoption by syncing credentials seamlessly across their device ecosystems.
For tech giants like Apple, Google, and Microsoft, the priority is removing friction. They recognized that early hardware-bound security keys were too cumbersome for the average consumer. By building 'sync fabrics' that back up passkeys to the cloud, they ensured that users wouldn't lose access to their digital lives if they lost their phones. This approach prioritizes convenience and ecosystem lock-in, making the transition away from passwords practically invisible to the end user.
Enterprise IT Leaders
Value the technology for its return on investment, specifically reducing helpdesk costs and mitigating workforce breaches.
Corporate IT departments view passkeys through the lens of operational efficiency and risk management. Password resets are historically one of the largest drains on IT helpdesk resources, costing enterprises millions annually. By deploying passkeys, these leaders not only close their largest security vulnerability—phished employee credentials—but also realize an immediate return on investment through faster login times and drastically reduced support tickets.
Security Researchers
Highlight implementation flaws, user behavior risks, and the danger of centralizing trust in cloud sync fabrics.
While acknowledging the massive security upgrade passkeys represent, academic researchers focus on the edge cases and new vulnerabilities. They point out that 'syncable passkeys' shift the target on a user's back: instead of stealing individual passwords, hackers will now focus entirely on compromising the user's primary Apple or Google cloud account. Furthermore, researchers note that when users are forced to create fallback PINs for hardware keys, human nature often leads them to choose weak, easily guessable numbers, undermining the cryptographic strength of the system.
What we don't know
- How quickly legacy websites and smaller businesses will update their infrastructure to support passkeys.
- Whether cross-ecosystem credential sharing (e.g., moving passkeys seamlessly between Apple and Android) will ever become truly frictionless.
- How the legal system will treat biometric passkey unlocks in jurisdictions where police can compel a fingerprint but not a memorized password.
Key terms
- FIDO2: An open authentication standard developed by the FIDO Alliance that enables passwordless, phishing-resistant logins.
- Public-Key Cryptography: A cryptographic system that uses pairs of keys: a public key stored on a server, and a private key kept securely on the user's device.
- Credential Stuffing: A cyberattack where hackers use lists of compromised passwords from one breach to try and log into other unrelated accounts.
- Sync Fabric: The cloud infrastructure (like Apple iCloud Keychain or Google Password Manager) that securely backs up and synchronizes passkeys across a user's devices.
- NIST SP 800-63: The U.S. government's official digital identity guidelines, which set the standard for secure authentication in federal agencies and regulated industries.
Frequently asked
What exactly is a passkey?
A passkey is a digital credential tied to your device that uses public-key cryptography to log you into accounts without a password. You unlock it using your device's biometric scanner or PIN.
What happens if I lose my phone?
Most modern passkeys are 'syncable,' meaning they are securely backed up to your Apple iCloud, Google, or Microsoft account. When you sign into a new device, your passkeys are restored.
Can a passkey be phished or stolen?
No. Because the private key never leaves your device and is never sent over the internet, there is no 'shared secret' for a hacker to steal from a database or trick you into entering on a fake website.
Are traditional passwords completely gone?
Not yet. While passkeys are becoming the default, passwords remain as a legacy fallback for older systems and certain account recovery scenarios.
Sources
[1] FIDO Alliance (Security Standards Bodies). State of Passkeys 2026 Report.
[2] National Institute of Standards and Technology (Security Standards Bodies). SP 800-63-4: Digital Identity Guidelines.
[3] Google Security Blog (Platform Providers). Passwordless by default: Make the switch to passkeys.
[4] ResearchGate (Security Researchers). Passkeys and FIDO2: A Comprehensive Review of Phishing-Resistant Authentication.
[5] The Wall Street Journal (Enterprise IT Leaders). Passwordless security isn't just a toggle.
[6] Descope (Enterprise IT Leaders). Passkey adoption stats from the FIDO Alliance's 2026 report.
[7] Factlen Editorial Team. Synthesis by Factlen editorial team.