The first time I spoke to any governmental group about online privacy or security was at the FTC’s 2002 Consumer Information Security Workshop in Washington, DC, where (as a twentysomething analyst) I presented our findings on consumers’ frustrations with passwords.
Since then a lot has clearly changed, but much stays the same: passwords continue to frustrate and fail many users (per Pew Research 2023). Despite two decades of incremental improvements—password managers, multi-factor authentication (MFA), and privacy tools—breaches, phishing, and password fatigue remain rampant.
More recently, passkeys have emerged as the most promising attempt yet to replace passwords entirely. They’re built on strong cryptographic standards (FIDO2/WebAuthn), avoid phishing vulnerabilities, and promise a user-friendly, “no memorized secret” login experience. Yet, even with surging adoption numbers (and big efforts by Google, Apple, Microsoft and others), skepticism is warranted. Passkeys may be an elegant solution on paper, but the real-world path to replacing billions of passwords is complex, messy, and far from guaranteed.
The Same Headaches, Evolving Tools
Back in 2002, in our Jupiter Media Metrix survey, 80% of consumers expressed a willingness to adopt more robust methods to authenticate to websites. Fast forward to today: while 32% of consumers now use password managers (a vast improvement), many still rely on weaker or single-factor logins, and over two-thirds of people feel overwhelmed by password management. Despite greater awareness of digital risks and the proliferation of security tools, the fundamental friction around passwords persists. People want convenience, yet also want certainty that their data is secure. Enter passkeys, which promise to remove the guesswork and cut the risk of phishing in half—or more.
In the last year, a variety of companies including 1Password, Google, and Microsoft have reported a rise in passkey adoption:
1Password reported in November 2024 that 1 in 3.4 users has at least one passkey saved, with over 2.1 million monthly passkey authentications. They say corporate usage is growing but still lags consumer adoption.
Microsoft now offers passkeys for major consumer apps like Xbox or Microsoft 365. They observe that passkey sign-ins are 3x faster than passwords and 8x faster than password + MFA, and users are 3x more likely to succeed on a passkey login attempt than a password one.
Amazon reports 175 million passkey users, and X (formerly Twitter), Walmart, Target, Discord, WhatsApp (but not other Meta services afaik) and others have added passkeys as a login option.
Remember when Facebook tried to brand “two factor authentication” as “login approvals” and later changed their mind and went back to 2FA? Or when passwordless “magic links” were the new hotness (these still exist, of course, including on Substack)? I launched an app in 2016 that went back to passwords because the email-login method so confused people. Likewise, skepticism about passkeys remains:
Fallback Passwords: Most platforms still allow a standard password in parallel, negating some security gains. If hackers can still guess, phish, or brute force a user’s password, passkeys might not help.
Multi-Device Friction: Cross-platform syncing of passkeys is simpler than it was—but still not perfectly seamless. Users with older devices or multiple systems may find themselves stuck at times. Let’s see what changes in 2025.
User Awareness: Mass adoption of new login flows isn’t a “flip of the switch.” People have used passwords for decades, and passkeys might sound alien or confusing, especially to older or less tech-savvy populations.
Persistent Attacker Innovation: As passkeys become more mainstream, adversaries will seek social engineering or technical workarounds. A “phishing-free” world remains idealistic, at least in the short term.
Microsoft’s Approach: Start Small, Experiment, Then Scale
Microsoft’s UX insights on driving passkey adoption indicated that messaging about speed (“sign in faster”) and security (“safer login”) resonated more than “easier” or “less hassle.” Roughly 25% of users who saw these prompts created passkeys. If someone declines to set up a passkey now, they aren’t permanently opted out. Microsoft reminds them later, believing repeated nudges eventually win them over. A passkey becomes the default method if a user has one, with the login flow automatically funneling them to that option. After reworking the sign-in flow, Microsoft saw a 10% drop in password use and a 987% rise in passkey usage. They plan to continue broad-scale nudging and passwordless pushes.
Users won’t magically adopt a new method just because it’s available. They need well-timed invitations (like at a successful login or a password reset) and clear messaging (“faster,” “more secure”), plus repeated chances to opt in.
But while the industry promotes passkeys, we still need to educate users on what happens if they lose their phone or if they need to recover passkeys in a new environment. If a company provides a frictionless fallback (secure backup codes, account recovery methods), it should also be transparent that if a password remains, so do certain phishing risks. And we should still expect pushback from users who are comfortable with their old password and/or worried about device compatibility.
Even if you get “everyone” to create a passkey, password-based fallback might linger for years. Many platforms can’t or won’t go fully passwordless until the broader ecosystem (apps, devices, OS versions) is fully aligned. Recognize that truly “removing passwords” requires rethinking everything from user provisioning to enterprise group policies, device reassignments, and so on.
No Quick Goodbye to Passwords
It’s clear the technology to replace most passwords does exist, and major players are seeing meaningful, measurable passkey adoption. The data suggests an accelerating trend: as more top-tier services encourage passkeys, more users discover their speed, convenience, and security benefits.
But: old habits die hard. Many users still rely on password-based fallbacks (or don’t fully trust brand-new methods). Meanwhile, attackers constantly look for social-engineering gaps to exploit. And though passkeys are undeniably a leap forward, genuine passwordless environments require thorough backups, cross-platform consistency, and repeated user education.
In other words, the password era is changing, but it’s far from dead. Organizations that embrace passkeys—while acknowledging the real-world friction and ongoing reliance on older methods—will find themselves ahead of the curve. We probably still have years of education and persistence (not to mention well-tested UX nudges and experiments) ahead of us.