The year of the passkey is still far away

In 2023, passkeys popped up all over the place. Big tech companies embraced them, which trickled down to smaller firms, until passkeys became a ubiquitous part of any security conversation. To give passkeys the credit they deserve, top security experts agree that the new way of logging in comes with greater security. Like every other security advancement from SMS-based multifactor authentication to hardware authentication keys, however, adoption lags because people still hesitate to make the leap.

Passkeys let you log in without a password. Instead, it creates a digital authentication credential, or a "key," between your device and where you want to login to verify your identity. In practice, this usually looks like a fingerprint or face scan to prove that its really you, and the rest happens on the cryptographic backend. Support for the new way of logging in skyrocketed in 2023, going from “a handful of sites with no users to hundreds of sites with billions of accounts” that could potentially log in using passkeys, according to Andrew Shikiar, executive director of the FIDO Alliance, one of the organizations driving passkey adoption.

To understand the scope of end user passkey adoption, I asked around a bit. Companies that touted passkey compliance, like password manager Bitwarden, declined to share specific figures about adoption. Competitor Dashlane’s chief product officer Donald Hasson shared that the company is seeing about 20,000 passkey-based sign-ins per month, “with growth doubling quarter over quarter.” It’s impressive, but worth noting that it still appears to be a small fraction of actual Dashlane users.

Travel company Kayak told Engadget that it switched completely over to passkeys at the end of last year, which is certainly one way to push people on board. Users can either use single-sign on, passkeys or an email to log on. There are still some legacy password users, but they’re being fazed out by being pushed to switch to the other options when they attempt to log on, said Matthias Keller, chief scientist and senior vice president of technology at KAYAK. “Sign in with Google and sign in with Apple are very popular because they're probably still the easiest experience if you're already logged into these systems,” Keller said. “For new account creation, we see, I would say, around two-thirds of users taking the passkey option.” Still, he declined to share specific login figures. We reached out to Adobe, Apple, GitHub, LinkedIn, Nintendo, PayPal, Roblox, Robinhood, TikTok, and Uber about passkey implementation, but none have responded by time of publication.

Shikiar sees the switch to passkeys playing out like biometrics (e.g. fingerprint and face ID). Switching to passkeys aligns more with the seamless single action you get from just looking at your phone to unlock it, not the clunky steps of MFA that involve another device or extra time to access an account, Shikiar said. The problem, in short, is that we’re stuck in our ways. We love our passwords, no matter how many times we’re told that they’re fallible. The username and password combination has been our comfort zone for logging in since the dawn of computer accounts, and users will drag their heels to avoid any change. We saw this with the slow adoption of multifactor authentication that still falls behind today.

Users are slow to adopt passkeys, and companies are still catching up, too. It is getting easier for smaller companies to adopt passkeys because they no longer need to build out support in-house. For example, password manager 1Password launched Passage last year as a way for businesses to support passkey authentication without having to DIY the infrastructure. But while passkeys have caught on in principle, a year of transformative passkey adoption is still far away.

Security analyst and consultant Cole Grolmus detailed why consumers have been slow to adopt passkeys in October. He set out to change as many logins as possible from passwords to passkeys and, despite being all in on passkeys in principle, ran into roadblock after roadblock. Out of the 374 apps Grolmus uses, only 17 supported passkeys, which led him to conclude we’ll be stuck with passwords for the foreseeable future. “The hype is very well merited,” Grolmus told Engadget. “At the same time, I think you just have to be realistic about the amount of time that it takes for any technological change, particularly ones involving consumer adoption, to play out.”

Still, passkeys could mark a shift in personal security if we give it time to play out. New ways of doing things often struggle to replace the entrenched patterns we’ve gotten used to, even if the new paradigm is superior on paper. At least passkeys smooth out the login experience, as opposed to adding another security hurdle like we saw with MFA. Once people see that passkeys can be a “wonderful experience,” they’ll make the switch, said Grolmus.

If you have the chance to switch to passkeys, it's worth a shot. If you use PayPal, Shopify, Uber, Roblox or other big name companies (the list goes way on), you can get it set up today, but keep in mind, most services probably don't have the option, and might not for a while.