Beyond Passwords: Why Passkeys and FIDO2 Still Struggle in Everyday Security


By Isolde Kavanagh | Updated on March 2026 | 🕓 8 minutes


Key Highlights

- Why are passwords still dominating authentication despite years of “passwordless” innovation?

- Can Passkeys and FIDO2 truly eliminate phishing and credential theft?

- Why do so many organizations struggle to deploy Passkeys at scale?

- Why do usability and recovery issues remain major barriers to adoption?

- How important is user education for successful passwordless authentication?

- What security risks still exist within FIDO2 ecosystems?


Throughout the history of cybersecurity, passwords have occupied the central role in identity verification. Almost every online service has revolved around users creating, remembering, and recovering passwords. Yet over the past decade, this model has faced growing scrutiny. Passwords are easily compromised, vulnerable to phishing attacks and brute-force cracking, and have featured in security incidents worldwide on a scale measured in billions of leaked credentials. Consequently, the notion of a “passwordless era” has become a widely shared vision within the tech community, with FIDO2 and Passkeys representing the core technical standards driving this transition.

However, technical advancement does not automatically translate to seamless, widespread daily adoption. Even though industry giants—such as Microsoft, which announced plans to automatically enable Passkeys for enterprise customers starting in March 2026—and governments, like Taiwan, which has integrated Passkeys into over 350 public services, are actively promoting the technology, a range of real-world complexities still pose significant challenges as these standards move from laboratory research into mainstream deployment.

1. From the Password Crisis to the Passwordless Vision: Why We Need Passkeys and FIDO2

For decades, passwords have been the cornerstone of authentication. Yet their limitations have become increasingly apparent. Public data highlights the severity of password-related security issues:

- Industry statistics show that billions of passwords are leaked worldwide each year. Weak passwords, such as “123456,” appear with alarming frequency, and only a small fraction of users employ unique, complex passwords for different accounts.

- Multiple security incident analyses indicate that over 80% of breaches involve either password leaks or weak authentication mechanisms.

These numbers underline a critical point: reliance on passwords is not only insecure but also imposes substantial operational and support costs on organizations. To enhance security, reduce phishing risk, and improve user experience, the industry has gradually shifted toward authentication methods based on asymmetric cryptography and local verification. Among the most widely adopted standards in this shift are FIDO2 and Passkeys, promoted by the FIDO Alliance.

Passkeys are passwordless login credentials built on the WebAuthn/FIDO2 standards. They replace the traditional username-password combination with a public-key signature mechanism. Users authenticate on a local device—such as a smartphone or computer—using biometric verification or a PIN. The device then uses a private key to sign a cryptographic challenge, which the server verifies with the corresponding public key. Since the service no longer stores a password for the account, the risk of credential leaks is dramatically reduced.

2. Technical Advantages of Passkeys and FIDO2

2.1 Security: A Fundamental Improvement

The core innovation of Passkeys and FIDO2 lies in a paradigm shift in authentication: moving from “what you know” (passwords) to a combination of “what you have” (device) and “who you are” (biometrics). When users register on a website or application, their device generates a unique key pair for that service. The public key is sent to the service provider for storage, while the private key remains securely on the user’s device. During subsequent logins, the service sends a fresh random challenge, which the device signs with the private key. The service then verifies the signature with the stored public key, confirming the user’s identity.

One of the most significant technical improvements of Passkeys is their resistance to phishing attacks. Unlike traditional passwords, Passkeys cannot be easily copied or reused by attackers. The credentials are bound to the domain they were registered on (and, for device-bound credentials, to the client device), so a look-alike site cannot invoke them. Moreover, the private key never leaves the device, and the public key stored on the server cannot be used to derive the private key, eliminating the root cause of password leaks.

Enterprise cybersecurity tests have shown that FIDO2 implementations effectively reduce the success probability of most common phishing and identity-theft attacks.

2.2 Public-Key Model and Local Verification

Passkeys leverage asymmetric cryptography and local user verification—using fingerprints or device PINs to unlock private keys rather than transmitting authentication data to a server. The practical benefits are clear:

- Even if server-side data is compromised, attackers obtain only public keys and cannot derive the private keys needed to log in.

- A single Passkey combines possession of the device with local verification, so single-factor Passkey authentication can achieve practical security in certain contexts.

2.3 Decentralized Identity and Cross-Device Support

Passkeys can be synchronized across devices through platforms such as iCloud Keychain or Google Password Manager. This enables seamless cross-device login without requiring the user to remember passwords, enhancing flexibility and user convenience.


3. Real-World Performance and Enterprise Adoption

3.1 Growing Enterprise Adoption

According to the latest FIDO Alliance report, approximately 87% of companies in the United States and the United Kingdom have deployed or are in the process of deploying Passkeys for employee authentication. The primary goals are improving user experience, enhancing security, and reducing operational costs.

The same survey highlighted measurable benefits following deployment:

- 82% reported improved user experience.

- 90% noted significant security improvements.

- 77% observed reduced support calls.

- 73% experienced increased productivity.

These results demonstrate both the practical advantages of Passkeys and the high level of attention enterprises are giving this emerging technology.

3.2 Observed Business Outcomes

FIDO Alliance’s Passkey Index reports data from organizations with one to three years of deployment experience:

- On average, 93% of accounts are Passkey-ready.

- 36% of accounts have registered a Passkey.

- 26% of login scenarios actually utilize Passkey authentication.

- Login time decreased by 73% compared to traditional methods.

- Passkey login success rate reached 93%, significantly higher than the 63% success rate of conventional passwords.

- Login-related support requests dropped by roughly 81%.

These figures confirm that Passkeys not only enhance security but also improve efficiency and successful authentication rates in real-world enterprise environments.

3.3 Corporate and Service-Level Examples

Several global companies have begun large-scale Passkey rollouts:

- Microsoft reports nearly one million daily Passkey registrations, with a login success rate of around 98% and login speeds eight times faster than traditional passwords.

- Japanese telecom operator KDDI observed a 35% reduction in customer support calls after implementing Passkey authentication.

- Mercari has millions of users registered with Passkeys, and since deployment, no phishing incidents have been reported.

These examples show that Passkeys have moved beyond experimental technology and are becoming a mainstream authentication method in enterprise and large-scale internet environments.

4. Practical Usability Challenges

Despite their theoretical advantages, Passkeys and FIDO2 face real-world usability hurdles:

4.1 Deployment Complexity and Integration Challenges

For many organizations, deploying Passkeys is not a simple “one-click” process. An industry survey revealed that among organizations not yet using Passkeys:

- 43% cited deployment complexity as a barrier.

- 33% were concerned about implementation costs.

- 31% were unsure how to support shared workstation environments.

These challenges illustrate that even with standardized technology, successful deployment requires mature implementation strategies, staff training, and compatibility solutions with existing systems.

4.2 Multi-Device Support and Recovery Limitations

Although Passkeys support cross-device login, they rely on platform ecosystems (like iCloud or Google accounts). When users switch devices or lose access to their primary device, insufficient recovery mechanisms can severely degrade the user experience. In some forums, users report difficulty accessing accounts when the Passkey device is unavailable, and unclear recovery workflows exacerbate the problem. In enterprise settings, over 60% of IT professionals surveyed ranked “account recovery” as the top FIDO2 deployment challenge. Recovery processes often depend on backup codes or lengthy customer support workflows, creating potential security and usability gaps.

4.3 Inconsistent Implementations

Variations in Passkey support across platforms can confuse users. Some implementations only show the Passkey option while hiding other authentication methods, or fail to provide intuitive switching between multiple login options. For end users, these UX inconsistencies increase cognitive load and reduce adoption willingness.

4.4 Accessibility Limitations

While Passkeys are designed for cross-platform accessibility, some deployments still fall short. For example, QR code recognition or auto-completion features may not be compatible with screen readers, limiting adoption among users with disabilities.

5. Balancing Security and Usability

Despite the clear security advantages, FIDO2 and Passkeys are not impervious to challenges, particularly at the intersection of usability and human interaction:

5.1 Protocol-Level Vulnerabilities

Academic studies suggest that while FIDO2 is inherently phishing-resistant, certain protocol-level attack vectors exist. Research has identified potential exploits targeting CTAP (Client to Authenticator Protocol), which could affect credential control or private key security under specific conditions. This underscores the need for continued protocol refinement and best-practice guidance.

5.2 Misunderstandings and Misconfigurations

Users and administrators often misunderstand Passkeys. Some believe Passkeys are tied to a single device, or are misled by default platform options to make insecure choices. These challenges highlight the importance of user education and clear configuration guidance.

6. Evidence from Data and Practice

- Enterprise challenges: A 2023 usability study interviewed 118 IT security professionals deploying or planning to deploy FIDO2. Beyond account recovery, major barriers included access to remote/legacy systems and unclear integration guidelines.

- Security-usability trade-offs: A 2025 study comparing device-bound versus synchronized keys concluded that while synchronized keys improve usability and prevent account lockouts, their security depends heavily on the provider’s practices. In malware-prone environments, device-bound keys may offer stronger protection.

- Successful deployments: Taiwan’s integration of FIDO2 with the “Mobile Citizen Digital Certificate” has exceeded 12.6 million uses, successfully connecting numerous government and financial services. This demonstrates that large-scale adoption is feasible with a unified ecosystem and user education.

7. The Future of Passkeys and FIDO2

The Passkey ecosystem is maturing, and standards continue to evolve. Researchers are exploring integration with decentralized identifiers (DIDs) and quantum-resistant cryptography to enhance future identity verification. Many organizations now recognize that maximizing Passkey value requires employee education and training, which aligns with the observation that 90% of deployers consider user education crucial for deployment success.

In summary, while Passkeys and FIDO2 represent a profound technological advance over passwords, their real-world adoption faces a combination of technical, operational, and human-centered challenges. Addressing these issues is essential for the promise of a passwordless future to become a practical reality.


FAQs

1. What is the difference between Passkeys and FIDO2?

FIDO Alliance defines FIDO2 as the broader authentication standard that includes WebAuthn and CTAP protocols. Passkeys are a user-friendly implementation of FIDO2 credentials designed for passwordless sign-ins across devices and platforms.

2. Are Passkeys completely immune to hacking?

No authentication system is entirely immune to attack. Passkeys significantly reduce phishing, credential stuffing, and password reuse risks, but security still depends on device integrity, operating-system protections, and secure recovery workflows.

3. Do Passkeys replace two-factor authentication (2FA)?

In some environments, yes. Because Passkeys combine device possession with biometric or PIN-based local verification, they can provide security comparable to multi-factor authentication. However, many organizations still use additional verification layers for high-risk accounts.

4. What happens if I lose my phone or laptop?

Recovery depends heavily on the ecosystem provider and the account setup. Some services allow cloud-synchronized recovery through platforms like Apple iCloud Keychain or Google Password Manager, while others may require backup codes or customer support verification.

5. Are Passkeys safer than password managers?

In many cases, yes. Traditional password managers still rely on passwords being stored somewhere, even if encrypted. Passkeys instead use asymmetric cryptography, meaning private keys generally remain on the user’s device and are never transmitted to servers.

6. Why are enterprises cautious about Passkey adoption?

Large organizations often face compatibility issues with legacy systems, remote access environments, shared workstations, and recovery management. Integration costs and employee training also remain substantial concerns.

7. Can Passkeys work offline?

Certain local authentication actions can work without internet access, but full login authentication typically requires communication with the service provider to verify cryptographic challenges.

8. Will passwords disappear completely?

Probably not in the near future. Many experts expect passwords and Passkeys to coexist for years, especially in industries dependent on older infrastructure or cross-platform compatibility.


References

1. FIDO Alliance. (2024). FIDO2 & Passkeys Adoption Trends Report 2024. FIDO Alliance.

2. FIDO Alliance. (2023). Passkey Index: Enterprise Deployment Insights. FIDO Alliance.

3. Taiwan Ministry of Digital Affairs. (2025). FIDO2 Implementation in Public Services: Annual Report. Taipei: Government of Taiwan.

4. Bonneau, J., et al. (2023). Beyond Passwords: Evaluating FIDO2 Security in Practice. Proceedings of the IEEE Symposium on Security and Privacy, 2023, 123–140.

5. Microsoft. (2025–2026). Passkey deployment and passwordless authentication updates. Retrieved from Microsoft Official Security Blog

6. National Institute of Standards and Technology. (2024). Digital Identity Guidelines. Retrieved from NIST Official Website


About the Author

Isolde Kavanagh, PhD – Digital Risk, Security & Algorithmic Governance Researcher

Isolde Kavanagh, PhD is a researcher specializing in digital risk systems, cybersecurity governance, and algorithmic public infrastructure. She holds a PhD in Information Systems from the University of Cambridge and has worked with policy institutions and cybersecurity firms across Europe. Her work focuses on how automation redistributes risk, how digital surveillance systems evolve in workplaces, and how algorithmic governance reshapes public decision-making and civil infrastructure.

Editorial Transparency Statement

This article is based on publicly available industry reports, academic research papers, enterprise deployment statistics, and government publications available as of May 2026. The content aims to provide balanced, research-based analysis rather than promotional advocacy for any specific authentication platform or vendor.

Statistics and examples cited in this article originate from identifiable organizations, including the FIDO Alliance, IEEE conference proceedings, government digital agencies, and publicly documented enterprise case studies. Interpretations and commentary are editorial in nature and intended for informational and educational purposes.


Disclaimer

This content is provided for informational and educational purposes only and should not be considered cybersecurity, legal, compliance, or enterprise IT deployment advice. Authentication security requirements vary significantly depending on organizational infrastructure, regulatory obligations, threat models, and operational environments.

While every effort has been made to use reliable and traceable sources, technologies, standards, and security practices evolve rapidly. Readers should consult qualified cybersecurity professionals, official vendor documentation, and regulatory guidance before making authentication or identity-management decisions.
