The Password is Dying: Passkeys Hit 5 Billion Global Users
Global passkey adoption has reached 5 billion active users, marking a critical tipping point in the transition to phishing-resistant, passwordless authentication.
By Factlen Editorial Team
- FIDO Alliance & Standards Bodies
- Focuses on driving global adoption and the architectural security benefits of open standards.
- Enterprise IT Leaders
- Focuses on the operational ROI, legacy system compatibility, and change management.
- Cybersecurity Agencies
- Focuses on mandating phishing-resistant authentication to protect critical infrastructure.
What's not represented
- · Small Business Owners
- · Elderly or Less Tech-Savvy Users
Why this matters
Passwords are the root cause of most major data breaches, identity theft, and corporate ransomware attacks. The mass adoption of passkeys fundamentally neutralizes phishing, making your personal accounts and workplace systems mathematically immune to the internet's most common attacks.
Key points
- An estimated 5 billion passkeys are now in active use globally, marking a major shift away from traditional passwords.
- Consumer awareness has reached 90%, with 75% of users having enabled a passkey on at least one account.
- 68% of enterprise organizations are currently deploying or piloting passkeys for employee authentication.
- Early enterprise adopters report a 47% improvement in security posture and a 35% reduction in IT helpdesk costs.
- Legacy system compatibility and user resistance remain the primary barriers to achieving fully passwordless environments.
The password is finally dying. After decades of relying on easily compromised strings of characters, the technology industry has reached a critical tipping point in the transition to passwordless authentication. According to new data released in May 2026, an estimated 5 billion passkeys are now in active use worldwide.[1][3][7]
This milestone represents a massive behavioral shift across both consumer and enterprise environments. The primary evidence comes from the FIDO Alliance's "State of Passkeys 2026" report, a comprehensive study surveying 11,000 consumers and 1,400 enterprise decision-makers across ten countries.[1][6]
The data reveals that consumer awareness has reached near-universal levels. Ninety percent of consumers are now familiar with passkeys, up from 75% the previous year, and three-quarters have enabled them on at least one account. Crucially, nearly half of consumers report using passkeys proactively and consistently whenever they are available.[1][2][8]
The security claims driving this adoption are rooted in the underlying mechanism of public-key cryptography. When a user registers a passkey, their device generates a unique cryptographic key pair. The public key is shared with the service provider, while the private key remains securely locked inside the device's hardware enclave, accessible only via a local biometric check.[4][6]
This architectural difference fundamentally eliminates the threat of phishing and credential stuffing. Because the private key never leaves the user's device, attackers cannot trick users into handing over their credentials via fake login pages. Cybersecurity agencies, including the U.S. Cybersecurity and Infrastructure Security Agency (CISA), explicitly mandate this type of "phishing-resistant" authentication for critical infrastructure.[4][5]
While consumer adoption has been driven by major platform updates from Apple, Google, and Microsoft, the evidence shows enterprise deployment is now accelerating. The FIDO workforce survey indicates that 68% of organizations with over 500 employees are currently deploying, piloting, or rolling out passkeys for employee sign-ins.[1][9]
While consumer adoption has been driven by major platform updates from Apple, Google, and Microsoft, the evidence shows enterprise deployment is now accelerating.
The business case for this transition is supported by tangible operational data. Among organizations further along in their passkey deployments, 47% report an improved overall security posture, and 45% cite faster login times for employees.[2][3]
The financial return on investment is also becoming clear. Thirty-five percent of early-adopter organizations report measurable reductions in IT helpdesk costs, primarily driven by the elimination of routine password reset requests, which have historically drained enterprise IT resources.[1][2]
However, the evidence also highlights significant friction points that threaten to slow the final phase of the passwordless transition. Deploying passkeys is not synonymous with eliminating passwords entirely, and many organizations are struggling to bridge the gap between initial rollout and full operational adoption.[6][9]
Legacy system compatibility remains a primary technical hurdle. Many older enterprise applications and on-premises infrastructure do not natively support modern FIDO2 protocols, forcing IT departments to maintain parallel authentication systems and diluting the security benefits.[1][8]
User behavior and change management present an equally formidable challenge. While 53% of global organizations describe user resistance as a minor factor requiring basic training, the data shows a stark regional divergence. In the United States, 43% of enterprise decision-makers report active user resistance to passkeys, with 15% stating it has directly delayed their rollout timelines.[1][2]
Another area of uncertainty revolves around account recovery. When a private key is tied to a specific physical device, losing that device historically meant losing access. While ecosystem providers have introduced cloud-synced passkeys to mitigate this, enterprise IT leaders must carefully balance the convenience of synced keys against the strict security requirements of highly regulated environments.[5][6]
Despite these hurdles, the trajectory is unambiguous. The FIDO data shows that 82% of enterprise organizations view fully passwordless authentication as their ultimate goal, even if only 28% have achieved it today.[3][9]
The 2026 data marks a clear inflection point in the cybersecurity landscape. The focus has shifted from establishing the underlying standards and ensuring platform availability to driving primary usage and actively deprecating legacy passwords. As the ecosystem matures, the 5 billion passkeys currently in circulation represent not just a technological upgrade, but the beginning of the end for the internet's oldest security vulnerability.[1][6][7]
How we got here
2013
The FIDO Alliance is founded by tech industry leaders to solve the global password vulnerability problem.
2018
The FIDO2 standard is officially launched, enabling passwordless authentication across web browsers and devices.
2022
Apple, Google, and Microsoft announce expanded support for the FIDO standard, introducing the consumer-friendly term 'passkeys.'
May 2025
FIDO reports 75% consumer awareness of passkeys, though active usage remains fragmented across different platforms.
May 2026
The global ecosystem hits a milestone of 5 billion active passkeys, with 68% of enterprises deploying the technology.
Viewpoints in depth
FIDO Alliance & Standards Bodies
Argues that the transition to passkeys is an existential necessity for internet security.
This camp points to the 5 billion active passkeys as proof that open standards can successfully align competing tech giants to solve a universal vulnerability. They emphasize that passwords are fundamentally broken and that only hardware-bound, public-key cryptography can stop the industrial-scale phishing and credential stuffing attacks that plague the modern internet.
Enterprise IT Leaders
Focuses on the operational realities and friction of deploying passwordless technology.
While enterprise leaders highly value the 35% reduction in helpdesk costs and improved security posture, they highlight the friction of the transition phase. Their primary concerns are legacy system compatibility—since many older applications do not support FIDO2—and the challenge of managing user resistance, which actively delays rollouts in nearly half of U.S. organizations.
Cybersecurity Agencies
Views passkey adoption through the lens of national security and critical infrastructure protection.
Government agencies like CISA mandate phishing-resistant MFA because traditional passwords—even when paired with SMS text codes—remain highly vulnerable to state-sponsored attacks and sophisticated phishing kits. For this camp, passkeys are not just a UX improvement, but a mandatory baseline defense against catastrophic breaches.
What we don't know
- How quickly legacy enterprise software vendors will update their platforms to natively support FIDO2 standards.
- Whether the 43% user resistance rate observed in the U.S. will decrease as passkeys become the default consumer experience.
- How the ecosystem will standardize account recovery processes for high-security environments that prohibit cloud-synced passkeys.
Key terms
- Passkey
- A digital credential tied to a device that allows users to log in without a password, using a biometric check or PIN.
- FIDO Alliance
- An open industry association whose mission is to develop and promote authentication standards that reduce reliance on passwords.
- Public-Key Cryptography
- A cryptographic system that uses pairs of keys: public keys shared with services, and private keys kept securely on the user's device.
- Phishing-Resistant MFA
- Multi-factor authentication methods that cannot be compromised by attackers tricking users into entering credentials on fake websites.
- Credential Stuffing
- A cyberattack where stolen account credentials from one breach are used to gain unauthorized access to user accounts on other systems.
Frequently asked
What exactly is a passkey?
A passkey is a digital credential tied to your device that lets you log in without a password, using a biometric check (like Face ID or a fingerprint) or a device PIN.
Are my biometrics shared with the websites I log into?
No. Your fingerprint or facial scan never leaves your device. It is only used locally to unlock the cryptographic private key stored in your device's secure hardware.
What happens if I lose my phone?
Most modern passkeys are synced to your cloud account (like Apple iCloud Keychain or Google Password Manager), meaning you can recover them when you sign into your account on a new device.
Why are passkeys considered phishing-resistant?
Because the login process relies on a cryptographic challenge-response tied to the specific website's domain, a passkey simply will not work on a fake or spoofed website.
Sources
Source coverage
9 outlets
3 viewpoints surfaced
[1]FIDO AllianceFIDO Alliance & Standards Bodies
The State of Passkeys 2026: Global Consumer and Workforce Report
Read on FIDO Alliance →[2]DescopeEnterprise IT Leaders
The State of Passkeys 2026: What the Data Says
Read on Descope →[3]Business WireEnterprise IT Leaders
Five Billion Passkeys: FIDO Alliance Reports Mainstream Global Usage on World Passkey Day 2026
Read on Business Wire →[4]Cybersecurity and Infrastructure Security AgencyCybersecurity Agencies
Implementing Phishing-Resistant MFA
Read on Cybersecurity and Infrastructure Security Agency →[5]National Institute of Standards and TechnologyCybersecurity Agencies
Digital Identity Guidelines: Authentication and Lifecycle Management
Read on National Institute of Standards and Technology →[6]Factlen Editorial TeamCybersecurity Agencies
Synthesis by Factlen editorial team
Read on Factlen Editorial Team →[7]TechCrunchFIDO Alliance & Standards Bodies
Passkeys hit 5 billion users as FIDO Alliance reports mainstream adoption
Read on TechCrunch →[8]The VergeFIDO Alliance & Standards Bodies
The password is dying: 5 billion passkeys are now in use
Read on The Verge →[9]Dark ReadingEnterprise IT Leaders
Enterprise Passkey Adoption Surges to 68%, FIDO Report Finds
Read on Dark Reading →
Every angle. Every day.
Get technology stories with full source coverage and perspective breakdowns delivered to your inbox.