(Credit: pcess609 via Getty Images)
Don't miss out on our latest stories. Add PCMag as a preferred source on Google.
Dashlane's latest report about passkeys doesn't offer fresh insights about why adoption of this account-security upgrade remains so uneven, but it does draw out two selfish reasons for sites to deploy it: either they're afraid of a sign-in snafu costing them a single sale, or they fear a compromised login will cost them a customer's money and then all of that person's future business. In fewer words: Greed clarifies.
The password manager's study, released Thursday, finds striking progress in passkey adoption, even looking past the obvious leaders: Amazon, which has moved aggressively to make passkeys a standard sign-in, and Google, which began offering passkeys worldwide in May 2023.
Google has done so well at getting people to adopt passkeys—in which you usually confirm your login with your device's biometric authentication, kicking off an exchange of cryptographic identifiers bound to the site's domain name that can't be gamed by lookalike phishing sites—that Dashlane didn't count it among its leaderboard of passkey-supporting sites.
(Credit: Dashlane)(Dashlane's study, based on "millions of anonymized and aggregated web and mobile passkey authentications," doesn't cite absolute numbers of passkey logins, just percentage shares.)
As for Amazon and other online retailers, the pro-passkey argument involves removing the login holdups—a forgotten password, a two-step verification code sent too late—that can lead a would-be buyer to abandon their shopping cart.
"Led by Amazon's commanding 39.9% share, e-commerce platforms represent approximately 45% of all passkey authentications," Dashlane says. "Amazon, eBay, Lowe's, Home Depot, and Target collectively demonstrate how retail giants are embracing passwordless authentication to reduce checkout friction."
"Business leaders are quickly recognizing that passkeys have the potential to generate billions in revenue and cost savings by removing the user friction inherent in passwords and nearly eliminating the risk of account compromise for their customers," says Andrew Shikiar, CEO and executive director of the FIDO Alliance, the industry group that manages the passkey standard.
With cryptocurrency-trading sites, passkeys aren't just a good idea, but sometimes an outright requirement to avoid scams that can result in the theft of an entire online wallet's worth of digital currency assets. As the Dashlane report observes: "When digital assets worth billions are at stake, security isn't optional; it's existential." Coinbase stands in fourth place on the report's list of the most popular passkey domains, as measured by its share of all authentications handled by Dashlane through its apps.
The companies between Amazon's first-place rank and Coinbase's fourth-place standing each have their own outsize presence in our digital lives: Intuit's TurboTax, ranked second, collects immense amounts of personal-finance data, and Microsoft's GitHub software-development repository has become a frequent target of supply-chain attacks.
Dashlane's report also lists the domains with the fastest growth in passkey authentication over a three-month period, starting in the second quarter of 2025, which reveals some surprises. First place does not go to an online retailer or a cryptocurrency hub, but to Roblox, which saw passkey logins grow by 856% during that time period.
(Credit: Dashlane)Dashlane credits that multiplayer gaming platform for coming to the same recognition as the likes of Amazon and Coinbase: Its customers have a lot at stake.
"The gaming platform has gone all in on passkeys, recognizing that its users have something genuinely valuable to protect: Purchased items, created worlds, and significant time investments within their accounts," its report says.
Second place goes to the cryptocurrency exchange Gemini. Third goes to another unusual suspect: Germany's Bundesagentur für Arbeit (Federal Employment Agency), which Dashlane says is moving toward requiring passkeys.
This report includes some compare-and-contrast commentary about how Apple and Google have rolled out passkey support. Dashlane observes that Apple does not allow people to export Apple-account passkeys, a "walled garden" approach, even while Apple's Passwords family of apps now supports the secure export of passkeys for other sites and services.
Google, meanwhile, gets applause for pushing passkeys into its mainstream user experience: "By making passkeys the path of least resistance rather than an opt-in security feature, Google transformed passkey adoption from a trickle into a flood." Google, however, has yet to ship a passkey-transfer feature.
Dashlane competes with both Apple and Google, although its recent move to terminate its free tier leaves it vying for the business of people willing to pay for a cross-platform solution that feels at home on multiple operating systems.
Dashlane's report doesn't get into what has led other companies with major direct-to-consumer businesses—for example, airlines and credit-card issuers—to hold off on passkeys. It also doesn't address the single most annoying category of passkey deniers: The sites that require you to confirm every login with a multi-factor authentication code sent via insecure text messaging, then won't let you copy and paste the entire code into a browser or app and instead demand that you type it in, one character at a time.
Editors' note: We updated the post to clarify descriptions of Apple-account passkeys and of Dashlane's assessment of Apple's overall passkey support.