A new report shows that passkeys have passed significant adoption milestones. Large majorities of people know what these passwordless credentials are and use them to log in to at least some accounts, but they are being held back by organizational inertia.
The State of Passkeys 2026, released Thursday by the FIDO Alliance, draws that mixed conclusion from surveys of 11,000 consumers and 1,400 IT decision-makers in 10 countries.
Across that assortment of nations—the US; a European sample of France, Germany, and the UK; and an Asian set of Australia, China, India, Japan, Singapore, and South Korea—90% of consumers said they are aware of passkeys, and 75% report using them to log in to “at least some” accounts.
Almost half of these respondents say they log in with passkeys “whenever possible” or “most of the time”: 49% in those 10 countries, 48% in the US, where the survey drew responses from about 2,000 consumers and 200 IT folks.
There are good reasons to prefer passkeys to passwords: Done right, they condense a login to a tap of a fingerprint sensor or a glance at your device’s biometric-ID camera, a confirmation of your identity that kicks off an exchange of cryptographic identifiers bound to that site’s domain name. That dispenses with the need to verify a password with any form of multifactor authentication and closes the risk of being fooled by a lookalike phishing site.
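The domain binding described above can be seen in the checks a site runs on a passkey login. This is an added example, not code from the FIDO report or this article: the keys, the `example.com` and `examp1e.com` domains, and the `simulateAssertion` stand-in for a browser and authenticator are constructed for illustration.

```javascript
// Added example: relying-party checks on a WebAuthn (passkey) assertion.
// Keys, origins and the "authenticator" below are constructed for illustration.
const crypto = require('node:crypto');
const sha256 = (data) => crypto.createHash('sha256').update(data).digest();

// Constructed stand-in for browser + authenticator. The browser, not the page,
// writes `origin`; the authenticator signs over the hash of the RP ID.
function simulateAssertion(privateKey, rpId, origin, challenge) {
  const clientDataJSON = Buffer.from(JSON.stringify(
    { type: 'webauthn.get', challenge: challenge.toString('base64url'), origin }));
  const authenticatorData = Buffer.concat(
    [sha256(rpId), Buffer.from([0x05]), Buffer.alloc(4)]); // flags UP|UV, signCount 0
  const signature = crypto.sign('sha256',
    Buffer.concat([authenticatorData, sha256(clientDataJSON)]), privateKey);
  return { clientDataJSON, authenticatorData, signature };
}

// Server-side verification: returns 'ok' or the reason for rejection.
function verifyAssertion(a, publicKey, expected) {
  const client = JSON.parse(a.clientDataJSON.toString('utf8'));
  if (client.type !== 'webauthn.get') return 'wrong type';
  if (client.challenge !== expected.challenge.toString('base64url')) return 'challenge mismatch';
  if (client.origin !== expected.origin) return 'origin mismatch';
  if (a.authenticatorData.length < 37) return 'authenticator data too short';
  const rpIdHash = a.authenticatorData.subarray(0, 32);
  if (!crypto.timingSafeEqual(rpIdHash, sha256(expected.rpId))) return 'rpIdHash mismatch';
  if ((a.authenticatorData[32] & 0x01) === 0) return 'user not present';
  const signed = Buffer.concat([a.authenticatorData, sha256(a.clientDataJSON)]);
  return crypto.verify('sha256', signed, publicKey, a.signature) ? 'ok' : 'bad signature';
}

function demo() {
  const { privateKey, publicKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const expected = { rpId: 'example.com', origin: 'https://example.com',
                     challenge: crypto.randomBytes(32) };
  const good = simulateAssertion(privateKey, expected.rpId, expected.origin, expected.challenge);
  // Worst case for the defender: the same key answers on a lookalike domain.
  // (Real authenticators scope credentials to the RP ID and would not offer it.)
  const lookalike = simulateAssertion(privateKey, 'examp1e.com', 'https://examp1e.com',
                                      expected.challenge);
  const altered = { ...good, authenticatorData: Buffer.from(good.authenticatorData) };
  altered.authenticatorData[36] ^= 1; // change signCount after signing
  return {
    good: verifyAssertion(good, publicKey, expected),
    lookalike: verifyAssertion(lookalike, publicKey, expected),
    replayed: verifyAssertion(good, publicKey, { ...expected, challenge: crypto.randomBytes(32) }),
    altered: verifyAssertion(altered, publicKey, expected),
  };
}
```

Calling `demo()` returns the verdict for each case: only the assertion made on the genuine origin with the current challenge passes.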
(The everyday experience of passkeys can be less elegant when your browser, your operating system, or your password manager keeps trying to claim ownership of passkey management by throwing passkey dialogs in front of each other.)
This survey by FIDO (short for “Fast Identity Online”), the industry group that manages the passkey standard, underscores the risks of password-first authentication, with the dismaying stat that a third of respondents reported either the theft of a password or another account compromise in the past year.
In the US, the figure was even higher at 41%. The ranks of people who have had accounts hacked have recently featured such high-profile types as FBI Director Kash Patel, who apparently saw his Gmail account breached by Iranian hackers. (That should not have been possible—or at least would have been harder—had Patel switched to the passkey authentication that Google began offering three years ago.)
The survey also asked about the lesser hassle of forgetting your password, something that you can easily fix by using a password manager: 47% of respondents and 51% of US respondents said they were likely to abandon a sign-in attempt or give up on an online purchase because they couldn’t remember the right password.
FIDO has been making those points for years; last year, it rebranded the first Thursday of May from World Password Day to World Passkey Day. But even as customers have gotten clued in about the concept—the 90% awareness number in this year’s survey represented a serious jump from the 75% in last year’s report—its stats about enterprise adoption show a lot of IT types have yet to Get The Memo.
In particular, while a clear majority of organizations surveyed “have deployed, are deploying, or are actively piloting passkeys”—68% worldwide, 72% in the US—smaller majorities continue to make their primary authentication method one that remains vulnerable to phishing—57% worldwide, 56% in the US.
The share of organizations that have made passkeys their primary authentication mechanism was far smaller: 30% over those 10 countries, 34% in the US.
The enterprises that made that switch cited reasons like “strengthen protection against phishing and MFA fatigue” (39%), “strengthen phishing-resistant authentication across the organization” (37%), and the generic justification of “modernize / digital transformation” (36%).
Those that had not made the switch pointed to issues that may not surprise anybody: “compatibility with legacy internal systems” (38%), “getting budget / investment approval” (35%), and “concerns over device recovery and account restoration” (33%).
That last item is a legitimate concern: While the passkey standard now allows for the secure transfer of passkey credentials between platforms, implementation of that extension has lagged.
Meanwhile, many high-profile consumer services and sites have yet to roll out passkeys but seem determined to make password logins as annoying as possible. They demand that you confirm every login with a multi-factor authentication code sent via insecure text messaging, then block you from copying and pasting that code into a browser or app and instead require you to type it in, one character at a time.
Sapio Research conducted this survey for FIDO in April 2026 among respondents “who regularly log in to websites, apps, or online services.” The survey's fine print reports a margin of error of ±0.9 percentage points at a 95% confidence level.


