State of Passkey Authentication in the Wild: A Census of the Top 100K sites
Prince Bhardwaj, Nishanth Sastry
TL;DR
This paper introduces Fidentikit, a heuristic-based crawler, to measure passkey adoption across the top 100,000 websites, revealing that adoption correlates with site popularity and often relies on external identity providers.
Contribution
The paper presents Fidentikit, a novel browser-based crawler with 43 heuristics, and provides the first large-scale census of passkey adoption on major websites.
Findings
Higher adoption on popular sites
Dependence on external identity providers
Limited native passkey implementations
Abstract
Passkeys -- discoverable WebAuthn credentials synchronised across devices are widely promoted as the future of passwordless authentication. Built on the FIDO2 standard, they eliminate shared secrets and resist phishing while offering usability through platform credential managers. Since their introduction in 2022, major vendors have integrated passkeys into operating systems and browsers, and prominent websites have announced support. Yet the true extent of adoption across the broader web remains unknown. Measuring this is challenging because websites implement passkeys in heterogeneous ways. Some expose explicit "Sign in with passkey" buttons, others hide options under multi-step flows or rely on conditional mediation, and many adopt external mechanisms such as JavaScript libraries or OAuth-based identity providers. There is no standardised discovery endpoint, and dynamic,…
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
Taxonomy
TopicsUser Authentication and Security Systems · Web Application Security Vulnerabilities · Spam and Phishing Detection