TheMurrow

5 Billion Passkeys Are ‘In Use’—So Why Are People Still Getting Phished? The Sync Detail That Quietly Recreates a Password Problem

Passkeys can kill credential phishing at the login prompt—yet synced backups, recovery flows, and legacy sign-ins can quietly reopen the side doors. The milestone is real; the risk just moved.

By TheMurrow Editorial
May 21, 2026
Key Points

  1. Recognize the milestone but not the victory: 5 billion passkeys in use doesn’t mean 5 billion people are passwordless.
  2. Understand the sync tradeoff: multi-device passkeys stay phishing-resistant at login, yet shift risk to sync-account takeover and recovery.
  3. Harden the side doors: legacy passwords, SMS/email fallbacks, device enrollment, and recovery flows can still enable account takeover.

Five billion is the kind of number that makes technology executives beam and security teams exhale. On May 7, 2026—World Passkey Day—the FIDO Alliance announced it estimates 5 billion passkeys are now in active use worldwide. The headline practically writes itself: the password era is ending.

A quieter truth sits behind that milestone. Passkeys are a better way to sign in, but they are also a new way to lose access, a new way to get tricked, and a new way for organizations to misconfigure security while believing they’ve “solved” identity.

The most interesting tension in the passkey story is not cryptography. It’s human behavior, account recovery, and the uncomfortable reality that usability always drags risk back in.

“Five billion passkeys is a milestone. It’s also a reminder: identity security doesn’t end—it moves.”

— TheMurrow Editorial

The 5 billion passkeys milestone: what it is—and what it isn’t

The FIDO Alliance’s announcement landed with crisp timing: May 7, 2026, alongside its State of Passkeys 2026 report. The blog post framing matters as much as the number itself: the milestone is “not a finish line,” FIDO argues, signaling that broad adoption does not equal universal protection. The figure is an estimate of passkeys in active use, not a claim that five billion people have gone passwordless.

The accompanying report provides adoption context with unusually specific survey details. In April 2026, researchers conducted online interviews with 11,000 adults across 10 countries (margin of error ±0.9 percentage points) and surveyed 1,400 workforce decision-makers (margin of error ±2.6 points). Those numbers give the toplines weight—and also give readers a reason to treat the findings as a snapshot rather than gospel.
5 billion
FIDO Alliance estimates this many passkeys are now in active use worldwide, announced May 7, 2026 (World Passkey Day).

What the consumer adoption numbers actually say

The consumer results are striking:

- 90% of consumers report they’re familiar with passkeys
- 75% say they’ve enabled at least one passkey
- 49% say they use passkeys “whenever they can or most of the time”
90%
Consumers who report they’re familiar with passkeys, per FIDO’s State of Passkeys 2026 survey.

Workplace adoption is moving fast too

The workforce results point the same direction:

- 68% of organizations are deploying, piloting, or rolling out passkeys
- 28% describe themselves as already “fully passwordless”
68%
Organizations deploying, piloting, or rolling out passkeys, according to the State of Passkeys 2026 report.

The temptation is to read these figures as a turning point where phishing and credential theft fade into history. The research itself argues against that simplistic victory lap. Passkeys can be widespread while accounts remain vulnerable through older sign-in methods, weak recovery processes, and new forms of social engineering.

“A passkey can close the front door while the side doors—password reset, SMS codes, old login routes—stay wide open.”

— TheMurrow Editorial

Passkeys, briefly: the security property that made them inevitable

A passkey replaces the most fragile part of online security: a shared secret. Passwords work only if users choose strong ones, store them safely, never reuse them, and never type them into the wrong site. That’s a long list of human perfection.

Passkeys (technically, discoverable credentials under WebAuthn/FIDO) rely on asymmetric cryptography. At registration the user’s device or credential manager generates a key pair; the service stores the public key, and the private key never leaves the authenticator. During sign-in, the service sends a fresh random challenge, the device signs it with the private key, and the service checks the signature against the stored public key. Nothing the service receives reveals the private key, and a captured response cannot be replayed because the next login uses a different challenge.

Origin binding: why many phishing attempts fail outright

The essential security boost comes from origin binding. A passkey is scoped to a relying party ID (effectively, the domain it was created for), and the browser only offers a credential to pages on that domain. The browser also writes the page’s actual origin into the data the authenticator signs, so the service can check it on every login. A lookalike domain therefore can’t simply prompt you for “your passkey” and replay it elsewhere the way it can with a password: there is no matching credential to offer, and an assertion produced on the fake site carries the fake site’s origin and fails verification at the real one.

That origin binding is why passkeys are described as phishing-resistant rather than merely “stronger passwords.” The difference isn’t just entropy; it’s that the credential cannot be meaningfully handed to the attacker.
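To make origin binding concrete, here is an added example (not code from the article, the FIDO Alliance, or any browser vendor): a toy authenticator and relying party in Go that walk through the WebAuthn assertion ceremony with a P-256 key. The Authenticator, RelyingParty and Scenario names, the simplification that the RP ID equals the page’s host, the zero signature counter, and the example.com / examp1e.com sites are all assumptions made for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Authenticator is a toy platform authenticator: passkeys keyed by RP ID, the domain each
// was created for. All names, and the example.com / examp1e.com sites, are illustrative.
type Authenticator struct{ creds map[string]*ecdsa.PrivateKey }

// Register mints a P-256 passkey for rpID and returns the public key the service stores.
func (a *Authenticator) Register(rpID string) *ecdsa.PublicKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // only if the system RNG is unavailable
	}
	a.creds[rpID] = key
	return &key.PublicKey
}

// clientData mirrors WebAuthn's CollectedClientData; the browser, not the page, fills it in.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is what the service gets back from navigator.credentials.get().
type Assertion struct{ ClientDataJSON, AuthData, Sig []byte }

// signedDigest is what the authenticator signs: SHA-256(authData || SHA-256(clientDataJSON)).
func signedDigest(authData, cdJSON []byte) []byte {
	h := sha256.Sum256(cdJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), h[:]...))
	return d[:]
}

// GetAssertion stands in for browser plus authenticator. The RP ID comes from the page's own
// origin (toy rule: host == rpId), so a lookalike host has no matching credential to sign with.
func (a *Authenticator) GetAssertion(pageOrigin string, challenge []byte) (*Assertion, error) {
	rpID := pageOrigin[len("https://"):]
	key, ok := a.creds[rpID]
	if !ok {
		return nil, fmt.Errorf("no passkey registered for rpId %q", rpID)
	}
	cd, _ := json.Marshal(clientData{Type: "webauthn.get",
		Challenge: base64.RawURLEncoding.EncodeToString(challenge), Origin: pageOrigin})
	// authenticatorData = rpIdHash(32) || flags(1) || signCount(4); 0x05 = UP|UV, counter 0
	// (a zero counter is also what synced passkeys commonly report).
	rpHash := sha256.Sum256([]byte(rpID))
	ad := append(rpHash[:], 0x05, 0, 0, 0, 0)
	sig, err := ecdsa.SignASN1(rand.Reader, key, signedDigest(ad, cd))
	return &Assertion{ClientDataJSON: cd, AuthData: ad, Sig: sig}, err
}

// RelyingParty is the service side: its RP ID, the one origin it serves, and the stored key.
type RelyingParty struct {
	RPID, Origin string
	PubKey       *ecdsa.PublicKey
}

// Verify runs the checks that make a passkey useless to a lookalike site.
func (rp *RelyingParty) Verify(challenge []byte, as *Assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != base64.RawURLEncoding.EncodeToString(challenge) {
		return fmt.Errorf("wrong ceremony type or stale/replayed challenge")
	}
	if cd.Origin != rp.Origin { // origin binding: the browser wrote this field, the page could not
		return fmt.Errorf("origin %q is not %q", cd.Origin, rp.Origin)
	}
	want := sha256.Sum256([]byte(rp.RPID))
	if len(as.AuthData) < 37 || string(as.AuthData[:32]) != string(want[:]) {
		return fmt.Errorf("rpIdHash mismatch: credential was minted for another relying party")
	}
	if !ecdsa.VerifyASN1(rp.PubKey, signedDigest(as.AuthData, as.ClientDataJSON), as.Sig) {
		return fmt.Errorf("signature does not verify under the registered public key")
	}
	return nil
}

// Scenario: a legitimate login, a login attempt on a lookalike domain, and a relay of an
// assertion minted on the lookalike site to the real service. Returns the three outcomes.
func Scenario() (legit, lookalike, relay error) {
	auth := &Authenticator{creds: map[string]*ecdsa.PrivateKey{}}
	rp := &RelyingParty{RPID: "example.com", Origin: "https://example.com", PubKey: auth.Register("example.com")}
	challenge := make([]byte, 32)
	rand.Read(challenge)
	login := func(origin string) error {
		as, err := auth.GetAssertion(origin, challenge)
		if err != nil {
			return err
		}
		return rp.Verify(challenge, as)
	}
	legit = login("https://example.com")
	lookalike = login("https://examp1e.com") // no credential exists for rpId examp1e.com
	auth.Register("examp1e.com")             // victim was tricked into enrolling on the fake site
	relay = login("https://examp1e.com")     // still rejected: the signed origin is not example.com
	return legit, lookalike, relay
}

func main() {
	legit, lookalike, relay := Scenario()
	fmt.Println("legit:", legit, "| lookalike:", lookalike, "| relay:", relay)
}
```

The first call succeeds; the second fails before anything is signed, because the browser-side lookup finds no credential for the lookalike host; the third shows the harder case, where an attacker relays the real service’s challenge to a victim on the fake site and forwards the result: the signature is valid, but the origin the browser wrote into clientData is the fake one, so the real service rejects it. A production relying party would additionally track the signature counter, check the user-verification flag when policy requires it, and accept registrable-suffix RP IDs rather than the exact host.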

Two kinds of passkeys now matter in the real world

The story gets more complicated at the moment the user buys a new phone, loses a device, or tries to sign in on a laptop they’ve never used before. That is where two practical classes of passkeys enter:

- Multi-device (synced) passkeys: designed to be backup-eligible and often synchronized via a platform cloud or credential manager
- Single-device (device-bound) passkeys: not backup-eligible, typically anchored to one device’s hardware security or a hardware security key

Neither approach is “bad.” Each reflects a tradeoff between recoverability and containment. Multi-device passkeys make adoption practical for normal people. Device-bound passkeys can reduce blast radius if a cloud account is compromised, but they demand more discipline and backup planning.

The sync detail that reintroduces an old risk: account takeover by proxy

Passkeys didn’t become mainstream because users love security architecture. They became mainstream because they can be usable. Syncing and backup are a big part of that usability—and they also move part of the trust boundary to wherever the passkeys are synced.

The point isn’t that passkeys are flawed. The point is that the threat model changes.

WebAuthn explicitly anticipates backup and sync

The W3C WebAuthn Level 3 specification formalizes the reality that passkeys can be copied and restored. It defines two signals, carried as bits in the flags byte of the authenticator data that a relying party receives on every registration and sign-in:

- Backup Eligibility (BE): fixed at creation time; if set, the credential is a multi-device credential
- Backup State (BS): can change over the credential’s life; indicates whether a multi-device credential is currently backed up

WebAuthn goes further, listing possible backup pathways: “peer-to-peer sync, cloud sync, local network sync, and manual import/export.” The standard isn’t pretending every passkey is a single-device secret. It’s building a world where many passkeys are portable by design.
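The BE and BS bits are the concrete handle a relying party has on this. The following added example (not from the specification or the article) decodes the flags byte of authenticator data in Go and applies the kind of per-account policy the piece argues for later: refuse backup-eligible passkeys for a privileged tier, and log backup-state transitions. The Flags, ParseFlags, RegisterPolicy and AssertPolicy names, the tier names, and the zero-filled test authenticator data are assumptions for illustration; the bit positions are those of WebAuthn Level 3.

```go
package main

import (
	"errors"
	"fmt"
)

// Flags is the decoded flags byte of WebAuthn authenticator data (byte 32, right after the
// rpIdHash). Bit positions per WebAuthn Level 3: UP=0, UV=2, BE=3, BS=4, AT=6, ED=7.
type Flags struct{ UP, UV, BE, BS, AT, ED bool }

// ParseFlags extracts the flags from raw authenticatorData and rejects the one combination
// the spec forbids: Backup State set on a credential that is not Backup Eligible.
func ParseFlags(authData []byte) (Flags, error) {
	if len(authData) < 37 {
		return Flags{}, errors.New("authenticatorData shorter than rpIdHash||flags||signCount")
	}
	b := authData[32]
	f := Flags{UP: b&0x01 != 0, UV: b&0x04 != 0, BE: b&0x08 != 0, BS: b&0x10 != 0, AT: b&0x40 != 0, ED: b&0x80 != 0}
	if f.BS && !f.BE {
		return Flags{}, errors.New("BS=1 with BE=0 is invalid: backup state only applies to multi-device credentials")
	}
	return f, nil
}

// StoredCredential is the relying party's record. BE is fixed at registration; BS is the last
// backup state seen. Tier is a hypothetical account classification used by the policy below.
type StoredCredential struct {
	BackupEligible, BackedUp bool
	Tier                     string // "standard" or "privileged"
}

// RegisterPolicy decides whether a new passkey may be enrolled for an account tier: privileged
// accounts get device-bound credentials only, so a sync-account takeover cannot restore the
// credential onto an attacker's hardware.
func RegisterPolicy(tier string, f Flags) (*StoredCredential, error) {
	if tier == "privileged" && f.BE {
		return nil, errors.New("privileged accounts require a device-bound (BE=0) authenticator")
	}
	return &StoredCredential{BackupEligible: f.BE, BackedUp: f.BS, Tier: tier}, nil
}

// AssertPolicy checks an assertion's flags against the stored record. BE must never change; a
// BS transition means the passkey was just backed up or restored, which is worth logging
// because it is exactly the event a sync-account attacker produces.
func AssertPolicy(c *StoredCredential, f Flags) ([]string, error) {
	if f.BE != c.BackupEligible {
		return nil, errors.New("BE flag changed since registration: not the same credential")
	}
	var events []string
	if f.BS != c.BackedUp {
		events = append(events, fmt.Sprintf("backup state changed %v -> %v", c.BackedUp, f.BS))
		c.BackedUp = f.BS
	}
	if !f.UV {
		events = append(events, "assertion without user verification")
	}
	return events, nil
}

// authDataWithFlags builds a minimal 37-byte authenticatorData (zero rpIdHash and counter)
// carrying the given flags byte; constructed test input, not real authenticator output.
func authDataWithFlags(b byte) []byte {
	ad := make([]byte, 37)
	ad[32] = b
	return ad
}

func main() {
	// 0x05 device-bound; 0x0D synced but not yet backed up; 0x1D synced and backed up;
	// 0x15 BS without BE, which ParseFlags rejects.
	for _, b := range []byte{0x05, 0x0D, 0x1D, 0x15} {
		f, err := ParseFlags(authDataWithFlags(b))
		fmt.Printf("flags 0x%02X: %+v err=%v\n", b, f, err)
	}
}
```

Two practical notes: the BE bit is the only reliable way a service learns at enrollment whether it is accepting a synced or a device-bound credential, so a policy like the privileged-tier rule has to be enforced at registration, not later; and a BS flip from 0 to 1 on a long-lived credential is a cheap signal that the passkey was just backed up to a sync account, a good trigger for a notification to the user.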

The uncomfortable implication: attackers may target the sync account

A synced passkey can remain phishing-resistant at the login prompt—and still be exposed indirectly if an attacker gains control of the account that syncs it. That control might come from social engineering, SIM swaps, weak recovery routes, or legacy authentication factors.

That’s not hypothetical alarmism; it’s a straightforward shift in attacker incentives. If stealing passwords stops working, attackers hunt for the next chokepoint: the account that can enroll a new device, restore credentials, or trigger recovery.

“Passkeys remove the shared secret. Syncing can reintroduce a shared dependency.”

— TheMurrow Editorial

“Why am I still getting phished?” Because the old doors often remain open

A reader who starts using passkeys and still experiences account takeover attempts isn’t crazy. Many services add passkeys as a new sign-in method without removing older, easier-to-attack options.

Adding a passkey does not necessarily remove passwords or recovery factors

Google’s own help documentation makes the point plainly: adding a passkey does not remove existing authentication or recovery factors. Passwords, SMS one-time codes, email links, and account recovery mechanisms can remain enabled. An attacker doesn’t need to beat the passkey if a weaker route still works.

That reality complicates the consumer narrative. A person can be “using passkeys” and still be vulnerable to:

- Password reuse attacks (if the password still exists)
- Recovery-channel compromise (email takeover, SIM swap)
- Social engineering that targets support flows or device enrollment

Services often keep legacy routes for compatibility, accessibility, customer support, and regulatory reasons. Those are legitimate pressures. The risk comes when organizations treat passkey rollout as a finish line rather than a layered redesign of authentication and recovery.

The passkey login can be strong while the account is still fragile

Passkeys shine at the moment of authentication. But account security also depends on:

- How devices are added
- How recovery is handled
- Whether users can disable weaker sign-in routes
- Whether organizations monitor anomalous enrollment or recovery attempts

If those systems are weak, attackers route around the strongest part. Readers should interpret “passkey adoption” as a new foundation, not a full renovation.

Synced vs device-bound passkeys: the real tradeoff is recovery versus containment

Security teams love absolutes: “turn it on,” “turn it off,” “passwordless by Q4.” Passkeys resist that kind of binary thinking because their practical risk profile depends on whether they’re synced across devices.

Multi-device passkeys: frictionless, scalable—and dependent on account security

Multi-device passkeys are the reason mainstream adoption can happen. A user can get a new phone and still sign in. An employee can move between a laptop and a mobile device without heroic planning.

The tradeoff is dependency. If passkeys are synced, the security of the synced credentials becomes entangled with the security of the platform account and its recovery process. Strong platform controls can mitigate that. Weak recovery can undermine it.

The FIDO Alliance’s numbers help explain why the industry accepts this trade: 75% of consumers have enabled at least one passkey, and 49% use passkeys most of the time or whenever possible. People don’t adopt security that strands them when a device breaks.
49%
Consumers who say they use passkeys “whenever they can or most of the time,” per FIDO’s State of Passkeys 2026.

Device-bound passkeys: harder to steal at scale, harder to live with

Device-bound passkeys (or passkeys held on dedicated security keys) can limit the impact of a cloud-account takeover. If the credential never leaves a device, an attacker who compromises an account can’t necessarily restore the passkey to their own hardware.

The cost is operational. Lose the device, lose the credential—unless backups are planned, alternate authenticators are enrolled, or recovery is carefully designed. Many organizations can handle that. Many consumers cannot.

A fair assessment recognizes that both models are rational. The stronger editorial question is whether services and employers clearly communicate which model they’re using—and what it means when something goes wrong.

Synced vs device-bound passkeys (practical tradeoff)

Multi-device (synced) passkeys
  • backup-eligible
  • easy device changes
  • depends on sync account recovery
Single-device (device-bound) passkeys
  • not backup-eligible
  • contained blast radius
  • higher lockout/ops burden

The workforce reality: “fully passwordless” is a claim that deserves scrutiny

FIDO’s workforce finding—28% of organizations say they’re already “fully passwordless”—sounds like an inflection point. It might also reflect a definitional problem.

“Passwordless” can mean any of the following in practice:

- Passwords are disabled for primary login, but recovery still uses legacy methods
- Passwords exist but are not used by most users
- Passwords are disabled for employees, not contractors or privileged accounts
- Passwords are replaced in one environment (SSO) but remain in downstream apps

The report also notes that 68% of organizations are deploying, piloting, or rolling out passkeys. That suggests many teams are mid-transition, living in hybrid systems where old and new authentication coexist. Hybrid is where security failures breed: exceptions, compatibility modes, emergency access, and inconsistent policy.
28%
Organizations that describe themselves as already “fully passwordless,” per the State of Passkeys 2026 workforce findings.

Practical implication for security leaders: redesign recovery, not just login

Passkey deployment should trigger a second project plan focused on the non-glamorous parts: device enrollment, account recovery, and policy enforcement. The attack surface doesn’t disappear; it migrates.

A mature rollout asks questions that are rarely featured in launch announcements:

- Can users disable passwords after enabling passkeys?
- Are SMS one-time codes still allowed as a fallback?
- How are “new device” events verified?
- How is anomalous recovery behavior detected and handled?

If those questions aren’t answered, “passwordless” can become a branding term rather than a security posture.
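Monitoring recovery and enrollment means correlating events that most identity stacks log separately. The example below, added here and not part of the article or any vendor product, runs two simple rules over a constructed event stream in Go: a passkey enrolled on a never-seen device shortly after an account-recovery event, and a password reset on an account that already has a passkey. The event schema, the Detect and SampleEvents names, the account names, device IDs and AS numbers are all invented for the example.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Event is one identity-system record. The schema, accounts, devices and networks used
// below are constructed for this example, not a real product's log format.
type Event struct {
	At      time.Time
	Account string
	Kind    string // login | recovery | passkey_enrolled | password_reset
	Device  string // device identifier as seen by the service
	ASN     string // network the request arrived from
}

// Finding is one alert produced by Detect.
type Finding struct{ Account, Rule, Detail string }

// Detect applies two rules to a stream of events:
//  1. recovery-then-enroll: a passkey enrolled on a device never seen at a login, within
//     `window` of an account-recovery event; this is the sequence a recovery-channel or
//     sync-account takeover produces when the attacker adds their own hardware.
//  2. fallback-on-passkey-account: a password reset on an account that already has a
//     passkey, i.e. a side door used instead of the phishing-resistant front door.
func Detect(events []Event, window time.Duration) []Finding {
	sort.SliceStable(events, func(i, j int) bool { return events[i].At.Before(events[j].At) })
	known := map[string]map[string]bool{} // account -> devices seen at a login
	hasPasskey := map[string]bool{}
	lastRecovery := map[string]Event{}
	var out []Finding
	for _, e := range events {
		if known[e.Account] == nil {
			known[e.Account] = map[string]bool{}
		}
		switch e.Kind {
		case "login":
			known[e.Account][e.Device] = true
		case "recovery":
			lastRecovery[e.Account] = e
		case "passkey_enrolled":
			if r, ok := lastRecovery[e.Account]; ok && e.At.Sub(r.At) <= window && !known[e.Account][e.Device] {
				out = append(out, Finding{e.Account, "recovery-then-enroll",
					fmt.Sprintf("recovery from %s at %s, passkey enrolled %s later on unseen device %s",
						r.ASN, r.At.Format(time.RFC3339), e.At.Sub(r.At), e.Device)})
			}
			hasPasskey[e.Account] = true
		case "password_reset":
			if hasPasskey[e.Account] {
				out = append(out, Finding{e.Account, "fallback-on-passkey-account",
					fmt.Sprintf("password reset from %s on %s although a passkey is enrolled", e.ASN, e.Device)})
			}
		}
	}
	return out
}

// SampleEvents is constructed input: alice behaves normally; bob's account is recovered from
// an unfamiliar network, a passkey is enrolled minutes later on a device the service has
// never seen, and a password reset follows.
func SampleEvents() []Event {
	t0 := time.Date(2026, 5, 18, 9, 0, 0, 0, time.UTC)
	return []Event{
		{t0, "alice", "login", "dev-a1", "AS100"},
		{t0.Add(1 * time.Hour), "alice", "passkey_enrolled", "dev-a1", "AS100"},
		{t0.Add(48 * time.Hour), "alice", "login", "dev-a1", "AS100"},
		{t0, "bob", "login", "dev-b1", "AS100"},
		{t0.Add(2 * time.Hour), "bob", "passkey_enrolled", "dev-b1", "AS100"},
		{t0.Add(72 * time.Hour), "bob", "recovery", "dev-x9", "AS999"},
		{t0.Add(72*time.Hour + 12*time.Minute), "bob", "passkey_enrolled", "dev-x9", "AS999"},
		{t0.Add(72*time.Hour + 15*time.Minute), "bob", "password_reset", "dev-x9", "AS999"},
	}
}

func main() {
	for _, f := range Detect(SampleEvents(), time.Hour) {
		fmt.Printf("[%s] %s: %s\n", f.Rule, f.Account, f.Detail)
	}
}
```

Against the sample stream, alice’s own enrollment produces nothing because no recovery preceded it, while bob triggers both rules. The window is the tuning knob: too wide and every legitimate "lost my phone" recovery fires, too narrow and an attacker who waits an hour slips through, which is why the second rule, which has no timing component, is worth keeping alongside the first.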

Key Insight

Passkeys strengthen authentication, but recovery and device enrollment are where attackers shift when passwords stop working.

Three real-world scenarios passkeys don’t magically fix (and what to do about them)

Passkeys reduce many credential theft attacks, but they don’t end social engineering, and they don’t eliminate weak fallback routes. Three scenarios show how the risk shifts.

Scenario 1: A service keeps passwords enabled “just in case”

A user creates a passkey and starts signing in with Face ID or a fingerprint prompt. The account still has a password set, and the user never changes it. An attacker who acquired that password from an older breach may still get in—because they never needed the passkey.

What to do:
- Look for account settings that let you remove or disable passwords after enabling passkeys.
- Use a password manager for any account that still requires a password.
- Treat passkeys as additive unless a service explicitly confirms passwordless-only access.

Scenario 2: Recovery becomes the target

Attackers can stop trying to “phish the passkey” and start trying to convince a support workflow—or an automated recovery process—that they are you. If recovery routes rely on email access or phone numbers, the weakest link may be the mailbox or carrier account.

What to do:
- Audit your recovery options and remove the weakest ones where possible.
- Secure email accounts as if they were your master key, because they often are.
- For organizations: treat recovery events as high-risk and monitor them like authentication events.

Scenario 3: Sync account compromise leads to new device enrollment

Multi-device passkeys are designed to be restored. If an attacker takes over the account that syncs them, they may be able to enroll a device and inherit credentials—depending on platform controls and recovery.

What to do:
- Protect the platform account used for syncing with the strongest available safeguards.
- Prefer device-bound credentials for high-risk accounts where feasible, paired with planned backups.
- In the enterprise: define policy for which accounts may use synced passkeys and which require device-bound authenticators.

If you’re using passkeys, harden the “side doors”

  • Disable or remove passwords where the service allows it
  • Reduce or eliminate SMS/email fallbacks when possible
  • Lock down the sync/platform account that can restore passkeys
  • Treat recovery and new-device enrollment as high-risk events

What readers should take away from “5 billion passkeys”

FIDO’s milestone deserves recognition. A security technology that reduces credential phishing and password reuse has reached a scale few security initiatives ever achieve. The State of Passkeys 2026 report also signals that passkeys have crossed a familiarity threshold—90% awareness is rare for any security concept.

Yet the most useful way to read the moment is as a shift in where trust lives. Passkeys make the login prompt harder to exploit. They do not automatically secure the rest of the identity system: recovery, device enrollment, and legacy sign-in options.

The broader lesson is one the security industry relearns every few years. Technology can remove an entire class of attacks—and attackers will still find people, processes, and fallback routes.

Five billion passkeys is not the end of passwords everywhere. It’s the beginning of a world where we can finally stop pretending passwords were workable—and start doing the harder work of building recovery and enrollment systems worthy of modern authentication.
About the Author
TheMurrow Editorial is a writer for TheMurrow covering technology.

Frequently Asked Questions

Does “5 billion passkeys in active use” mean 5 billion people are passwordless?

No. The FIDO Alliance’s May 7, 2026 announcement is an estimate of passkeys in active use, not a one-to-one count of people. One person can have multiple passkeys across services and devices. Many accounts also retain passwords and recovery factors even after a passkey is added.

Are passkeys actually phishing-proof?

Passkeys are designed to be phishing-resistant because of origin binding: a passkey created for one site can’t be used to authenticate to a lookalike domain. That said, attackers can still target recovery processes or legacy sign-in methods that remain enabled. “Phishing” can shift from stealing credentials to tricking enrollment and recovery flows.

What’s the difference between a synced passkey and a device-bound passkey?

A synced (multi-device) passkey is backup-eligible and may be backed up and restored across devices via a credential manager. A device-bound passkey is typically tied to a single device or a hardware security key and is not backup-eligible. Synced passkeys prioritize convenience; device-bound passkeys can reduce exposure if a sync account is compromised.

If I add a passkey to my account, can I delete my password?

Sometimes, but not always. Some services treat passkeys as an additional sign-in method while keeping passwords and other recovery options available. Google’s guidance, for example, states that adding a passkey does not remove existing authentication or recovery factors. Check your account’s security settings to see what can be disabled.

Why do standards allow passkeys to be backed up at all?

Because adoption depends on recoverability. The W3C WebAuthn Level 3 specification explicitly anticipates backup and sync, even defining Backup Eligibility (BE) and Backup State (BS) signals. Without backup, many users would get locked out after losing a device—an adoption-killing outcome for mainstream services.

What should organizations focus on after deploying passkeys?

Two areas: recovery and device enrollment. FIDO’s report shows 68% of organizations are deploying/piloting/rolling out passkeys, and 28% claim to be fully passwordless—but hybrid environments are common. Security leaders should reduce or harden legacy fallbacks, monitor recovery events, and set policy for when synced versus device-bound credentials are appropriate.
