Five Billion Passkeys - And the Gap That Remains
On World Passkey Day 2026, the FIDO Alliance announced that an estimated 5 billion passkeys are now in active use worldwide. 1Five Billion Passkeys: A Milestone, Not a Finish Line Just six weeks earlier, in mid-April, that number stood at 4 billion. The acceleration is striking, but the FIDO Alliance itself frames the figure as "a milestone, not a finish line." 1Five Billion Passkeys: A Milestone, Not a Finish Line
The headline statistic comes from the Alliance's State of Passkeys 2026 report, released the same day. The report draws on two parallel surveys conducted in April 2026 by Sapio Research: a consumer survey of 11,000 adults across ten countries and a workforce survey of 1,400 decision-makers at organizations with 500 or more employees, covering the same ten markets. 2The State of Passkeys 2026: Global Consumer and Workforce Report
The Consumer Picture: Awareness Is Near-Universal, but Habits Lag
The consumer data paints a picture of a technology that has crossed into mainstream awareness but has not yet become habitual. 90% of consumers are now familiar with passkeys, 75% have enabled at least one passkey on at least some accounts, and 49% say they use passkeys whenever they can or most of the time. 2The State of Passkeys 2026: Global Consumer and Workforce Report
Yet passwords remain the dominant method for most daily sign-ins. The FIDO Alliance reports that nearly half of consumers have abandoned a purchase because they could not remember a password. 1Five Billion Passkeys: A Milestone, Not a Finish Line That friction represents both a measurable cost to businesses and an argument for accelerating the transition.
The challenge, as the Alliance describes it, is moving from "enabled to default behavior." Many services have deployed passkeys but have not optimized the user experience to make passkeys the first option presented at login. 1Five Billion Passkeys: A Milestone, Not a Finish Line
Workforce Adoption: Deployed but Not Yet Dominant
Enterprise numbers are growing but reveal a similar tension between deployment and daily use. 68% of organizations with 500 or more employees are now deploying, piloting, or rolling out passkeys for employee authentication. 2The State of Passkeys 2026: Global Consumer and Workforce Report However, 57% of organizations still rely on password-based methods as the primary way employees sign in. 1Five Billion Passkeys: A Milestone, Not a Finish Line
The gap between "we have passkeys available" and "our employees actually use them" matters for security teams. Passkeys eliminate phishing risk only when they are the dominant method in practice, not merely an option alongside passwords. If password fallbacks remain the path of least resistance, the credential-theft attack surface persists largely unchanged.
The FIDO Alliance acknowledges this directly, stating that enterprises need "clear implementation guidance on how to roll out across environments, manage devices and recovery, and ensure employees use passkeys in daily sign-ins." 1Five Billion Passkeys: A Milestone, Not a Finish Line
Beyond Login: The Agentic Authentication Frontier
While the passkey adoption data dominates the World Passkey Day announcements, a parallel development carries longer-term significance. The FIDO Alliance is building standards for how AI agents authenticate and transact on behalf of users.
As previously reported, the Alliance formed two technical working groups in late April 2026 to address this: an Agentic Authentication Technical Working Group and a Payments Technical Working Group. 3Google and Mastercard Contribute Agentic Commerce Standards to FIDO Alliance Google contributed its Agent Payments Protocol (AP2) and Mastercard contributed its Verifiable Intent framework as foundational inputs. 3Google and Mastercard Contribute Agentic Commerce Standards to FIDO Alliance
The logic connecting passkeys to agentic authentication is direct: if passkeys solve human authentication using cryptographic proof instead of shared secrets, the same principles must extend to autonomous agents acting on a user's behalf. Current agent workflows frequently rely on delegated credentials - API keys, OAuth tokens, or worse, stored passwords - that reintroduce the very risks passkeys eliminate for human users.
Google's Stavan Parikh stated that contributing AP2 to the FIDO Alliance "ensures AP2 remains platform-agnostic and community-led, while accelerating adoption of secure agentic payments." 3Google and Mastercard Contribute Agentic Commerce Standards to FIDO Alliance
Authenticate APAC 2026: The Industry Converges on Singapore
The timing of the 5-billion milestone is no accident. Authenticate APAC 2026, the FIDO Alliance's flagship Asia-Pacific conference, opened today (June 2) at the Grand Hyatt Singapore, with speakers from Apple, OpenAI, Samsung Electronics, Grab, and Adidas on the agenda. 4FIDO Alliance Announces Agenda for Authenticate APAC 2026 The event runs through June 3, followed by a FIDO Alliance member-only plenary on June 4-5. 4FIDO Alliance Announces Agenda for Authenticate APAC 2026
The Singapore venue is significant. The Asia-Pacific region represents some of the most advanced passkey deployment markets - South Korea, Singapore, and Japan all feature prominently in the State of Passkeys survey. 2The State of Passkeys 2026: Global Consumer and Workforce Report The presence of OpenAI and Grab alongside traditional identity players reflects how the conference's scope has expanded from authentication into AI agent identity and digital commerce.
What Has Changed Since Our Last Coverage
NullSec has covered the passkey transition extensively over recent weeks. In April, we reported on the 4-billion milestone, the UK NCSC's formal endorsement of passkeys, Microsoft's Entra ID rollout, and the formation of the FIDO Alliance's agentic working groups. What the June 1 data adds:
- Scale acceleration: A 25% jump in active passkeys (4 billion to 5 billion) in approximately six weeks suggests deployment is compounding, not plateauing.
- Consumer habit data: The 49% "regular use" figure is new and provides a baseline for measuring whether the industry succeeds in making passkeys the default.
- Workforce gap quantified: The 57% figure for organizations still relying primarily on passwords clarifies how far enterprise deployment still needs to go before password fallbacks can be retired.
Looking Forward
The FIDO Alliance's data makes the trajectory clear: passkeys have won the standards and platform battle. The remaining challenge is behavioral. Closing the gap between availability and habitual use - across both consumer services and enterprise workforces - requires sustained UX optimization, clear implementation guidance, and realistic timelines for retiring password fallbacks.
Simultaneously, the authentication problem is expanding. As AI agents take on more transactional authority, the same phishing-resistant, cryptographically verifiable principles that make passkeys work for humans must be extended to non-human actors. The FIDO Alliance's parallel investment in both passkey scaling and agentic authentication standards positions it at the center of both conversations - but the specifications for agent authentication remain early-stage.
For security teams, the practical implication has not changed since April: enable passkeys wherever supported, harden account recovery flows, and begin tracking the agentic authentication working groups for future planning. The password is not dead - but at 5 billion passkeys and counting, its role as the default is ending.
Bild: Towfiqu barbhuiya / Unsplash
