Passkeys vs passwords: why the world is finally burying the password
The password survived decades as the weakest link in digital security. Now Apple, Google and Microsoft are pushing a replacement that can't be phished, and it's already past a billion people. Here's what a passkey is, why it works, and where it still hurts.
By Newsroom
Every account breach you've read about has a password at its center. A leak, a phishing scam, a reused password that fell on one site and unlocked ten others. A password is a shared secret: you know it, the server knows it, and anyone who intercepts it or tricks you into typing it now knows it too. That model is on the clock, and not because of a fad. In May 2025, Microsoft began creating new accounts passwordless by default¹. Google already has more than 400 million accounts on the replacement². And the standard underneath isn't owned by anyone. It's open. Let's start from the top.
What a passkey actually is
A passkey swaps the shared secret for a pair of cryptographic keys. When you create a passkey on a service, your device generates two mathematically linked keys: the public key, which lives on the server (and is useless if it leaks), and the private key, which never leaves your device³. At login, the service sends a challenge. Your phone signs that challenge with the private key, unlocked by Face ID, a fingerprint or a PIN, and returns the signature. The server checks it against the public key. You type nothing, and the real secret never travels the network³.
Here's the part that changes the game: a passkey is bound to the domain (origin-bound). Your bank's credential only works on your bank's real site. If a scammer sends you a pixel-perfect clone at bаnk.com (with one swapped character), the passkey simply doesn't show up: the browser only offers credentials registered for the site you are actually on, and that address isn't it³. That's why passkeys are called "phishing-resistant by construction": there's no credential to paste into the wrong site, because there's no pasteable credential at all.
Technically, this runs on the FIDO2 standard, which combines WebAuthn (the browser API maintained by the W3C) and CTAP2 (the protocol between the browser and the authenticator)³. WebAuthn became an official W3C Recommendation in March 2019 and got its Level 2 in April 2021⁴. This isn't one company's tech: it's an open standard, with Apple, Google and Microsoft as implementers.
Why the world wants out of passwords
Because the password is, statistically, where crime gets in. Verizon's annual Data Breach Investigations Report, the DBIR, is an industry benchmark, and in 2025 it found that 22% of breaches had a compromised credential as the initial way in, and that stolen credentials showed up more broadly in 55% of cases⁵. For web-application attacks, the math is uglier still: 88% involved stolen credentials⁵.
The scale of automated attack explains the rest. Microsoft says it logs 7,000 password attacks per second, more than double the 2023 rate¹. And the password fails even when no one is attacking you: Microsoft measures a 98% sign-in success rate with passkeys against 32% with passwords, because people forget, mistype and give up¹. The FIDO Alliance estimates that 47% of consumers abandon a purchase after forgetting a password⁶. The password isn't just insecure. It's expensive.
Adoption is already enormous
This isn't a future promise. More than 1 billion people have activated at least one passkey, and over 15 billion accounts support passkey sign-in¹ ⁶. Nearly half of the world's 100 largest sites (48%) accept them⁶. Google reports passkeys are roughly 50% faster than typing a password²; Microsoft says it's registering nearly 1 million new passkeys a day¹.
In October 2025, FIDO's Passkey Index, built with data from Amazon, Google, Microsoft, PayPal, Target, TikTok and others, estimated 5 billion passkeys in active use, with 26% of sign-ins at those companies already happening via passkey⁷. And the business case landed: the same study measured a ~30% lift in login conversion versus passwords, with a median sign-in time of 13.6 seconds against 27.5 for passwords⁸. For an e-commerce site, that's money on the table.
Even the regulator came aboard. NIST, the U.S. standards agency that shapes much of corporate security practice, published the final revision of its digital-identity guidelines in July 2025, recognizing synced passkeys at the AAL2 assurance level and device-bound passkeys at AAL3, treating phishing-resistant authenticators as a baseline⁹.
Where it still hurts: portability and recovery
It's not all victory, and the weak spot is an honest one. For years, a passkey created in iCloud was stuck in Apple's world; moving it to a third-party manager or to Android was hard or impossible. A fair lock-in complaint.
That started to turn in 2025. At June's WWDC, Apple showed passkey import/export coming to iOS 26 and macOS 26, using an open FIDO standard (the Credential Exchange Protocol) to transfer credentials app-to-app, with biometrics and no plaintext file in between¹⁰. iOS 26 shipped on September 15, 2025, and managers like Bitwarden and 1Password announced support¹⁰. The wall between ecosystems is coming down.
The thornier problem is account recovery. If you lose every registered device, you fall back to a backup path (email, a code) that can itself be a phishing target¹¹. A 2025 academic review of passkey adoption flags exactly this, recovery and device dependence, as the biggest barriers¹². Killing the password without solving "what if I lose everything?" just moves the weak link somewhere else.
What the community is saying
The read across technical communities (Hacker News, r/sysadmin, r/cybersecurity, r/Bitwarden, r/1Password) is cautious optimism, but divided, and all of this is opinion, not fact. Almost no one defends the password; the consensus is that it's done. The fight is about execution.
On one side, the enthusiasm of people running third-party managers: with the right vault, syncing a passkey between phone and desktop "just works," and the arrival of the export/import standard was cheered as the exit from lock-in. On the other, two recurring anxieties. First, lockout. In a busy Hacker News thread, the fear that kept coming back was "traveling without your phone and getting locked out." Second, the fallback. The skeptic's argument is that if recovery still runs through SMS or a security question, "in practice it's no safer than a password, the weakest link wins." One story became almost a meme: users locked out of an Amazon account after losing the device with the passkey, cited as proof that bad implementation poisons a good idea. The most-repeated rebuttal set the tone: a passkey is like a seatbelt, not 100% foolproof, but "not-100%-foolproof" isn't the same as useless. The gain is at the population level.
Verdict
The password is ending, and that's good. The passkey's cryptography genuinely closes the three biggest holes in the old model (reused passwords, server-side leaks, and phishing), and adoption is past the point of no return: billions of accounts, the regulator on board, platforms making passwordless the default. The fair part of the criticism isn't the technology, it's the execution: lock-in (being solved by the export/import standard) and account recovery (not yet). For an ordinary user today, the most solid path is to turn on passkeys wherever you can, but store them in a cross-platform manager rather than becoming hostage to one ecosystem, and to treat recovery of your root account (Apple, Google or Microsoft) as the most valuable asset you own. The password won't die tomorrow. But for the first time in decades, it has an expiration date.
Sources
- "Pushing passkeys forward: Microsoft's latest updates for simpler, safer sign-ins" · Microsoft Security Blog · https://www.microsoft.com/en-us/security/blog/2025/05/01/pushing-passkeys-forward-microsofts-latest-updates-for-simpler-safer-sign-ins/ · 2025-05-01.
- "Google shares update on passkeys and new ways to protect accounts" · Google (blog.google) · https://blog.google/innovation-and-ai/technology/safety-security/google-passkeys-update-april-2024/ · 2024-05-02.
- "What Is a FIDO Passkey?" / "What Is FIDO2?" · Akamai / Microsoft Security · https://www.akamai.com/glossary/what-is-a-fido-passkey · https://www.microsoft.com/en-us/security/business/security-101/what-is-fido2 · accessed 2026-06-18.
- "Web Authentication: An API for accessing Public Key Credentials" (WebAuthn L1 / L2) · W3C · https://www.w3.org/TR/webauthn-2/ · L1 Recommendation 2019-03-04, L2 2021-04-08.
- "2025 Data Breach Investigations Report (DBIR)" · Verizon Business · https://www.verizon.com/business/resources/reports/dbir/ · 2025.
- "FIDO Alliance Champions Widespread Passkey Adoption... on World Passkey Day 2025" · FIDO Alliance · https://fidoalliance.org/fido-alliance-champions-widespread-passkey-adoption-and-a-passwordless-future-on-world-passkey-day-2025/ · 2025-05-01.
- "Passkey Index 2025" · FIDO Alliance + Liminal · https://fidoalliance.org/passkey-index-2025/ · 2025-10-14.
- "FIDO Alliance Launches Passkey Index, Proving 30% Conversion Lift Over Passwords" · ID Tech Wire · https://idtechwire.com/fido-alliance-launches-passkey-index-proving-30-conversion-lift-over-passwords/ · 2025-10-17.
- "NIST SP 800-63B-4 — Digital Identity Guidelines: Authentication and Lifecycle Management" · NIST · https://csrc.nist.gov/pubs/sp/800/63/b/ · Rev. 4, July 2025.
- "iOS 26: Apple solved one of the biggest passkey headaches" · 9to5Mac · https://9to5mac.com/2025/06/13/ios-26-passkeys-password-transfer/ · 2025-06-13 (Apple WWDC25, session 279; iOS 26 shipped 2025-09-15).
- "Passkeys aren't the finish line: Eliminating fallbacks and fixing recovery" · Microsoft Entra Blog · https://techcommunity.microsoft.com/blog/microsoft-entra-blog/passkeys-arent-the-finish-line-eliminating-fallbacks-and-fixing-recovery · 2025.
- "Challenges and Potential Improvements for Passkey Adoption — A Literature Review with a User-Centric Perspective" · Applied Sciences (MDPI), vol. 15, art. 4414 · https://www.mdpi.com/2076-3417/15/8/4414 · 2025 · DOI: 10.3390/app15084414.
Community (opinion, separate from the sources list): Hacker News (passkeys thread, news.ycombinator.com/item?id=42442639); r/sysadmin, r/cybersecurity, r/Bitwarden, r/1Password, r/apple (aggregated sentiment).