The Passkey Accountability Project: Tracking Web Security Laggards
A new industry monitor reveals that nearly a quarter of top-tier websites continue to ignore the gold standard in login security.

Key Takeaways
- 24% of the world's most popular websites have not yet adopted passkey technology.
- Passkeys are considered the industry standard for preventing phishing and credential stuffing.
- A new accountability platform is publicly tracking companies to encourage faster adoption.
- The delay in implementation is attributed to resource allocation rather than technical limitations.
In the ongoing battle for digital security, the password has long been considered the weakest link. For years, cybersecurity experts have advocated for the adoption of passkeys—cryptographic credentials that replace traditional, easily phished passwords with biometric authentication or device-based hardware keys. Despite the clear security advantages, a significant portion of the global web remains tethered to legacy authentication methods.
A new accountability website, launched this week, has quantified this inertia. The data reveals that 24% of the world’s most popular websites still fail to offer passkey support to their users. By aggregating data on major platforms, the project aims to "name and shame" companies that prioritize speed of development over the long-term safety of their user base.
Passkeys represent a fundamental shift in how we interact with the internet. Unlike a traditional password, which can be stolen, leaked in a data breach, guessed, or obtained via social engineering, a passkey is tied to a user’s specific device, such as a smartphone or a laptop. The private key stays with the user and the website stores only the matching public key, so even if a server is compromised, there is no "master list" of reusable credentials for hackers to steal.
Key benefits of passkey technology include:
- Phishing Resistance: Because passkeys are cryptographically bound to the domain, they cannot be used on fraudulent or spoofed websites.
- Elimination of Credential Stuffing: Attackers can no longer use leaked passwords from one site to gain unauthorized access to another.
- Seamless UX: Users can log in using familiar biometrics, such as FaceID, TouchID, or a PIN, removing the need to remember complex, unique passwords for every service.
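The domain binding behind the phishing-resistance point, seen from the website's side, as an added example that is not code from the article or the tracking project: the server checks the origin the browser recorded and the RP ID hash the authenticator embedded. The relying-party ID `example.com`, the origin allowlist and the sample assertions are constructed assumptions, and verifying the assertion signature with the stored public key is a separate step not shown.

```python
import base64, hashlib, json, struct

RP_ID = "example.com"                      # assumed relying-party ID
ALLOWED_ORIGINS = {"https://example.com"}  # assumed origin allowlist

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def check_binding(client_data_json: bytes, auth_data: bytes, challenge: bytes) -> list:
    """Return the list of domain-binding failures (empty list = checks passed).

    The assertion signature covers auth_data || SHA-256(client_data_json), so
    neither field can be altered in transit once that signature is verified.
    """
    errors = []
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        errors.append("type")
    if client.get("challenge") != b64url(challenge):
        errors.append("challenge")
    if client.get("origin") not in ALLOWED_ORIGINS:    # origin as seen by the browser
        errors.append("origin")
    if len(auth_data) < 37:
        return errors + ["authData too short"]
    # authenticatorData layout: 32-byte rpIdHash, 1-byte flags, 4-byte counter
    rp_id_hash, flags, _count = struct.unpack(">32sBI", auth_data[:37])
    if rp_id_hash != hashlib.sha256(RP_ID.encode()).digest():
        errors.append("rpIdHash")
    if not flags & 0x01:                   # UP: user-presence bit
        errors.append("user-presence")
    return errors

def sample_assertion(origin: str, rp_id: str, challenge: bytes):
    """Constructed sample of what a browser and authenticator would report."""
    client = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                         "origin": origin}).encode()
    auth = hashlib.sha256(rp_id.encode()).digest() + bytes([0x01]) + struct.pack(">I", 7)
    return client, auth

if __name__ == "__main__":
    chal = b"\x01" * 32                    # constructed; real challenges are random per login
    print(check_binding(*sample_assertion("https://example.com", "example.com", chal), chal))
    # An assertion produced on a look-alike site carries that site's origin and RP ID hash.
    print(check_binding(*sample_assertion("https://example-login.test",
                                          "example-login.test", chal), chal))
```
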
Despite the clear benefits, the adoption rate among industry giants has been uneven. The new monitoring site highlights that while tech-forward companies have embraced FIDO-standard authentication, many legacy organizations and service providers remain stagnant. This disparity creates a fragmented security landscape where users are protected on some platforms but left vulnerable on others.
Industry analysts suggest that the delay in implementation is rarely due to a lack of technical capability. Instead, it is often a matter of resource allocation. Implementing passkeys requires a fundamental re-engineering of the authentication flow, which many product teams view as a significant investment with uncertain immediate ROI.
By publicly tracking which companies have adopted passkeys and which have not, the project organizers hope to leverage consumer demand to force change. The logic is simple: if users begin to associate security with brand reputation, companies will be incentivized to upgrade their authentication protocols to remain competitive.
For developers, the message is equally clear. The industry standard is shifting, and maintaining password-only workflows is becoming an increasingly difficult position to justify. As browsers and operating systems continue to push for a passwordless future, organizations that remain behind the curve may soon find themselves facing not just security risks, but also a loss of user trust.
As we move deeper into 2026, the digital identity landscape is reaching a critical inflection point. The "name and shame" strategy used by this new website is the latest in a series of efforts to accelerate the transition to more secure standards. Whether this pressure will be enough to move the needle on that stubborn 24% remains to be seen, but one thing is certain: the era of the password is fading, and those who cling to it are doing so at their own peril.
For now, users are encouraged to check their most frequently used services for passkey support and prioritize those that offer the highest level of protection. Security, ultimately, is a shared responsibility between the platform and the person using it.
Frequently Asked Questions
What is a passkey?
A passkey is a digital credential that replaces traditional passwords with biometric authentication or device-based security, making it significantly harder for hackers to access accounts.
Why are some websites still not using passkeys?
Many companies cite the complexity of re-engineering authentication systems and the associated development costs as reasons for the slow transition to passkeys.
How can I see if a website supports passkeys?
You can check the security or account settings page on the website in question, or consult independent monitoring sites that track passkey availability.