The promise was simple: no more forgotten passwords, no more phishing, no more credential stuffing. Passkeys, the cryptographic login standard backed by Apple, Google, and Microsoft, were supposed to make all of that obsolete. And technically, they still might.
But technically isn’t the same as practically. Right now, passkeys are winning the security argument and losing the adoption war. Here’s why.
What Passkeys Actually Are (in Plain English)
A passkey replaces your password with a cryptographic key pair. One key lives on your device (never leaves it), the other sits on the website’s server. When you log in, your device proves it holds the right key once you unlock it with a biometric (Face ID, fingerprint) or a PIN, and you’re in. No password to steal. No database to breach.
From a security standpoint, it’s a leap forward. Passkeys are resistant to phishing by design: the keys are bound to the specific site they were created for. A fake login page simply can’t use them.
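What that site binding looks like on the server side, as an added example (not code from this article or from any vendor it names): the browser writes the page's origin into the client data, the authenticator hashes the relying-party ID into its own data, and the server rejects anything that does not match. The names `RP_ID`, `EXPECTED_ORIGIN`, `check_binding` and `sample`, and all sample values, are assumptions; verifying the signature against the stored public key is left out because it needs a crypto library.

```python
import base64
import hashlib
import json

RP_ID = "example.com"                    # assumed relying-party ID
EXPECTED_ORIGIN = "https://example.com"  # assumed web origin of the real site
FLAG_UP, FLAG_UV = 0x01, 0x04            # user present / user verified bits


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def check_binding(client_data_json: bytes, auth_data: bytes, challenge: bytes):
    """Return (reason, signed_bytes); reason is "ok" or the check that failed.

    signed_bytes is the message the authenticator signed. The checks below
    only count once that signature verifies with the stored public key.
    """
    signed = auth_data + hashlib.sha256(client_data_json).digest()
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        return "wrong type", signed
    if client.get("challenge") != b64url(challenge):
        return "challenge mismatch", signed
    if client.get("origin") != EXPECTED_ORIGIN:   # written by the browser
        return "origin mismatch", signed
    if len(auth_data) < 37:
        return "authenticator data too short", signed
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rpIdHash mismatch", signed
    if not auth_data[32] & FLAG_UP:
        return "user not present", signed
    return "ok", signed


def sample(origin: str, rp_id: str, challenge: bytes):
    """Constructed stand-in for what a browser and authenticator emit."""
    client = json.dumps({"type": "webauthn.get", "origin": origin,
                         "challenge": b64url(challenge)}).encode()
    flags = bytes([FLAG_UP | FLAG_UV])
    auth = hashlib.sha256(rp_id.encode()).digest() + flags + (7).to_bytes(4, "big")
    return client, auth


CHALLENGE = bytes(range(32))  # constructed; a real server draws a fresh random one
for origin in ("https://example.com", "https://example-login.test"):
    print(origin, "->", check_binding(*sample(origin, RP_ID, CHALLENGE), CHALLENGE)[0])
```
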
“The security case for passkeys is essentially settled. The usability case is still being made.”
So What’s Going Wrong?
Each moment in Parry’s reel maps to a real drop-off point…
1. The Experience Isn’t Consistent
Try setting up a passkey on an iPhone, then log in on a Windows laptop, then hand your Android phone to a colleague. In theory, it works. In practice, you’ll encounter a different interface, different prompts, and different failure modes at every step.
Apple, Google, and Microsoft each implement passkeys slightly differently, and most websites layer their own UI on top. The result is a login experience that feels slick on one device and baffling on another.
2. Recovery is Still a Mess
Passwords are frustrating to reset, but everyone knows how. Passkeys don’t yet have an equivalent safety net that users instinctively understand. What happens if you lose your phone? What if your iCloud account is compromised? Many sites offer a passkey option but quietly fall back to password + SMS as the recovery path, which undercuts the whole security gain.
3. People Don’t Know What They’re Being Asked to Do
“Create a passkey” means nothing to most users. The prompts appear mid-session, offer no context, and often arrive when someone just wants to buy a coffee or check their bank balance — not learn a new authentication paradigm.
When adoption depends on users voluntarily changing a habit they’ve had for 30 years, friction isn’t just an inconvenience. It’s a dealbreaker.
4. Password Managers Complicated the Picture
Ironically, the tools that made passwords bearable — 1Password, Bitwarden, LastPass — made people less desperate to abandon them. If your password manager auto-fills a 32-character random string, passwords feel pretty frictionless already. The pain that was supposed to drive passkey adoption has been partially numbed.
Password manager support for passkeys is improving, but syncing passkeys across devices and vaults introduces new complexity that early adopters are still working through.
The Identity Layer is the Bottleneck
Here’s the underlying issue: passkeys are a credential format, not an identity system. They solve the “proving you know a secret” problem very well. But they don’t solve the harder questions underneath:
- Who are you, really?
- How do we verify that across context, device, session, risk level?
- What happens when something goes wrong?
Those questions belong to the identity layer, and that’s where the real work is happening. Passkeys are a better key. But you still need a better lock, a better door, and a better building.
“For organisations moving toward passwordless, passkeys are a meaningful step, but they’re one component in a broader identity strategy, not a finish line.”
What This Means for You
If you’re evaluating your authentication stack, the case for enabling passkeys is strong — especially for consumer-facing products where phishing risk is high. But go in with realistic expectations:
- Passkeys work best as an option, not a mandate: the ecosystem-switching friction is real, and users who hit a wall early won’t come back.
- Pair them with strong fallback flows that don’t reintroduce the risks you’re trying to eliminate.
- Invest in the onboarding moment: users who understand what they’re creating are far more likely to use it.
Passkeys aren’t failing because the technology is wrong. They’re struggling because changing how people log in means changing how people think, and that takes more than a new standard. It takes deliberate design, clear communication, and an identity architecture that holds everything together.
That’s exactly what Passkeys Plus is built for.
Passkeys Plus combines standard FIDO2 passkey authentication with VerifEye, adding the human verification layer that passkeys alone can’t provide. That means cross-device account recovery that doesn’t fall back to SMS or email links, liveness detection, and uniqueness verification to prevent multi-accounting. It works across every ecosystem (iOS, Android, any credential manager), so the platform-switching gaps that stall adoption don’t become your problem.
“Passkeys verify the device. Passkeys Plus verifies the person.”
Ready to eliminate authentication friction? Explore Passkeys Plus and see how passive liveness detection can transform your user experience, without compromising on security.