I turned off the password on my main email account this spring, which is the sort of thing I do so you do not have to. Nothing broke. The phone asked for my fingerprint, the login went through, and a bearer secret that had survived three breaches and one very stupid sticky note simply stopped existing. So when the FIDO Alliance announced on World Passkey Day that there are now an estimated five billion passkeys in use worldwide, I was inclined to believe passkey use is genuinely climbing, even if that exact five-billion figure is a soft one.
Those headline numbers are survey findings, not measurements of the world. FIDO, the industry body that promotes passkeys, had Sapio Research poll 11,000 consumers across ten countries in April 2026; that State of Passkeys 2026 report puts self-reported awareness at 90 percent and says 75 percent have enabled a passkey somewhere. Interested party, self-reported, but not nothing. Microsoft, in its World Passkey Day post of May 7, 2026, says hundreds of millions of users now sign in with passkeys daily, and that 99.6 percent of its own users and devices run phishing-resistant authentication, both figures about Microsoft, from Microsoft. "Passkeys are moving into the mainstream because they deliver something the industry has struggled to achieve for decades: authentication that is both more secure and easier to use," said FIDO CEO Andrew Shikiar in the alliance's own World Passkey Day announcement.
Here is the part worth understanding. A passkey is a public and private key pair. The private key is never shared with the site you log into; the server stores only the public half, so there is no shared secret in a database to steal. (For the synced passkeys most consumers use, the private key does move between your own devices, but end-to-end encrypted through iCloud Keychain or Google Password Manager, never handed to the site.) That alone kills the breach-dump economy. The cleverer bit is origin binding. Each passkey is scoped to a relying party ID, normally the site's registrable domain, and per the WebAuthn spec your browser refuses to release a credential to an origin it was not created for. The signed login data carries the origin too, as a server-side backstop, but the first block comes earlier: the browser will not even offer the wrong site your key.
Play that forward against a phishing attack. You land on a pixel-perfect clone at paypa1-secure.com and try to log in. With a password you would type the secret straight into the attacker's form, because the page looks right. With a passkey there is nothing to type: the credential is bound to paypal.com, the browser sees the wrong origin, and the key simply does not fire. There is no secret to hand over. In its 2025 Digital Defense Report, Microsoft measured AI-generated phishing lures pulling a 54 percent click-through rate against 12 percent for ordinary human-written ones. The failure mode passkeys remove is exactly the one AI is making cheaper to exploit.
So we are done, yes? No. This is where I put the failing case first, as usual. FIDO's workforce study, 1,400 security decision-makers at organizations of 500 or more employees across the same ten countries, found that 57 percent of organizations that have already deployed passkeys still rely on phishable methods for primary, day-to-day sign-in. Read that twice. They shipped the passkey and left a one-time code or a security question behind it as the fallback. A passwordless front door with a phishable back door is still a phishable building. The attacker does not batter the reinforced part; they call the help desk and walk in through the reset flow.
The blocker is no longer users; awareness sits at 90 percent, adoption at 75, and in the same FIDO survey nearly half of people say they abandon a sign-in or purchase when they cannot remember a password. People want this. What we have not solved is recovery and fallback: losing the phone, buying a new laptop, proving it is really you without a device. Each quietly reintroduces the old weak secret. Microsoft is at least removing security questions as an Entra ID password-reset option starting in January 2027, which is the correct kind of unglamorous work.
The lesson is old and I keep relearning it: a system is only as strong as its weakest recovery path. Passkeys are the genuine article, not hype. But "we deployed passkeys" and "we killed the password" are different sentences, and most of the industry lives in the gap between them.
So, your homework this weekend. Turn on a passkey for one account you actually care about, email first. Then look at that account's recovery options and delete every phishable one you can: the SMS code, the security questions, the backup you set up in 2014 and forgot. The front door was never really the problem.



