State of Passkey Authentication in the Wild: A Census of the Top 100K sites

TL;DR

Fidentikit, a browser-based crawler implementing 43 heuristics across five categories -- UI elements, DOM structures, WebAuthn API calls, network patterns, and library detection developed through iterative refinement over manual examination of 1,500 sites, is presented, producing the first large-scale census of passkey adoption.

Abstract

Passkeys -- discoverable WebAuthn credentials synchronised across devices are widely promoted as the future of passwordless authentication. Built on the FIDO2 standard, they eliminate shared secrets and resist phishing while offering usability through platform credential managers. Since their introduction in 2022, major vendors have integrated passkeys into operating systems and browsers, and prominent websites have announced support. Yet the true extent of adoption across the broader web remains unknown. Measuring this is challenging because websites implement passkeys in heterogeneous ways. Some expose explicit ``Sign in with passkey'' buttons, others hide options under multi-step flows or rely on conditional mediation, and many adopt external mechanisms such as JavaScript libraries or OAuth-based identity providers. There is no standardised discovery endpoint, and dynamic, JavaScript-heavy pages complicate automated detection. This paper makes two contributions. First, we present Fidentikit, a browser-based crawler implementing 43 heuristics across five categories -- UI elements, DOM structures, WebAuthn API calls, network patterns, and library detection developed through iterative refinement over manual examination of 1,500 sites. Second, we apply Fidentikit to the top 100,000 Tranco-ranked domains, producing the first large-scale census of passkey adoption. Our results show adoption strongly correlates with site popularity and often depends on external identity providers rather than native implementations.

Figures (10)

• Figure 1: Simplified passkey authentication flow. The user initiates login, the relying party requests authentication via navigator.credentials.get(), the authenticator prompts for user verification (biometric/PIN), signs the challenge, and returns the signed assertion to the relying party for verification.
• Figure 2: Fidentikit's Design and Architecture. The Orchestrator coordinates continuous archiving, connects to long-term storage, and provides snapshots. Multiple crawlers retrieve requests from the queue to analyze specific domains.
• Figure 3: Comparison of automated passkey detection versus manually curated directories, stratified by Tranco rank bins. The left bars show Fidentikit's automated detection (9,397 sites), while the right stacked bars combine two manual directories: Passkey Directory (163 sites, purple) and 2FA Directory with U2F support (193 sites, orange). Our automated approach detects 26.4$\times$ more passkey-supporting sites than manual curation. Manual directories exhibit strong bias toward high-ranked sites (27.6% in top 1K), while automated detection finds the majority of deployments in the long tail (84.5% beyond rank 10K). This validates that manual curation systematically underestimates passkey adoption, particularly among smaller sites that collectively serve substantial user populations.
• Figure 4: Authentication landscape of websites across rank bins. (Left) Distribution of sites supporting passkeys versus those without passkey authentication, stratified by Tranco rank (1-1K, 1K-10K, 10-50K, 50-100K). (Right) Detailed breakdown of passkey-supporting sites, distinguishing between native passkey implementation and external identity provider. Higher-ranked sites demonstrate substantially greater passkey adoption, with the top 1,000 sites showing 4.2$\times$ higher adoption than sites ranked 50K-100K. Stacked bars represent percentage distribution within each rank bin.
• Figure 5: Distribution of sites without passkey support, categorised by whether they require user login. Sites classified as "No Login Required" showed no recognised identity providers or authentication UI on their landing pages (e.g., content sites, news portals). Among non-passkey sites, the proportion with login functionality increases in lower rank bins, indicating that many sites have authentication systems but have not yet adopted passkeys.