One in Four Major Apps Still Block Users from Passkeys

The Gap in Passkey Adoption

Twenty-five percent of major internet platforms still do not offer passkey authentication to their users, according to data compiled by a new public accountability website launched this week. The figure, drawn from a survey of widely used apps and services, highlights a persistent gap between industry best practices and real-world deployment. Among the notable holdouts: Instagram, Netflix, and Spotify, all platforms with hundreds of millions of active users who remain locked into traditional password-based flows.

The discrepancy matters because passkeys are now widely regarded as the most robust consumer-grade authentication mechanism available. Generated locally on a user's device and cryptographically bound to both the hardware and the specific service, passkeys eliminate the memorability burden of passwords and sharply reduce the attack surface for credential theft. Unlike alphanumeric strings stored in browser caches or scrawled on sticky notes, passkeys leverage biometric gates such as Face ID or Touch ID, or can be anchored to physical security keys. They can sync across devices via password managers, but the private key never leaves the user's ecosystem, making remote phishing functionally impractical unless an attacker gains physical possession of the target's phone or laptop.

At DailyTechWire, we've tracked passkey rollouts across Asia-Pacific and North America since the FIDO Alliance formalized the WebAuthn standard in 2019. The technology has matured quickly. Apple, Google, and Microsoft all support passkeys across their operating systems and core services. Yet the adoption curve among third-party platforms has been uneven, and the new database, whynopasskeys.com, was designed to apply public pressure where regulatory mandates and user complaints have so far fallen short.

A List as Lever

Scott Helme, a security researcher with a long record of building transparency tools, launched the site with a straightforward thesis: visibility drives accountability. In a post accompanying the launch, Helme argued that no company wants to appear on a public roster of laggards, particularly when competitors have already shipped the feature. The site categorizes platforms into two columns: those that offer passkeys and those that do not. The simplicity is deliberate. There are no nuances, no asterisks for "coming soon" roadmaps. Either users can enable a passkey today, or they cannot.

The methodology is not exhaustive. The list focuses on high-traffic consumer services rather than enterprise software or niche verticals. But within that scope, the results are revealing. Instagram, for instance, technically permits passkey use, but only if the account is linked to a Facebook profile that already has a passkey configured. That conditional support places Instagram in the "does not offer" column, a classification that underscores how fragmented Meta's authentication strategy remains across its family of apps. Facebook and WhatsApp both support standalone passkey login; Instagram does not. Meta has not publicly explained the divergence, and the company did not respond to inquiries for this story.

Netflix and Spotify, both subscription services with strong incentives to reduce account takeovers and sharing abuse, likewise remain absent from the passkey-enabled list. Neither company provided comment on timing or technical roadblocks. The silence is notable. Passkey integration is not a moonshot engineering problem. The underlying APIs are stable, well-documented, and supported by every major browser and mobile OS. The question is not whether it can be done, but why it has not been prioritized.

Why Passkeys Matter in 2026

The argument for passkeys rests on two pillars: user experience and security posture. On the UX side, passkeys collapse the login flow. No need to recall a string of characters, no password reset emails, no SMS codes that arrive late or not at all. A fingerprint or face scan suffices. For platforms with large, non-technical user bases, that simplification can reduce support tickets and improve onboarding conversion. On the security side, the benefits are even clearer. Passkeys are resistant to phishing by design. Because the cryptographic handshake occurs only between the legitimate service and the user's device, an attacker spoofing the service's domain cannot intercept or replay credentials. Even if a user is tricked into visiting a fake login page, the passkey will not activate.

That resistance is especially valuable in regions where SIM-swap attacks and SMS interception remain prevalent. Across Southeast Asia, India, and parts of Latin America, telco security is uneven, and two-factor authentication via SMS offers only marginal protection. Passkeys, by contrast, are not routed through carrier infrastructure. They are device-local and service-specific, which makes them far harder to compromise at scale.

The technology also aligns with broader regulatory momentum. The European Union's Digital Operational Resilience Act and revised Payment Services Directive both emphasize strong customer authentication. In Singapore, the Monetary Authority has issued guidelines encouraging financial institutions to move beyond static passwords. Passkeys are not mandated by name, but they are the most straightforward path to compliance. For platforms operating in multiple jurisdictions, a unified passkey strategy simplifies regulatory overhead and reduces the risk of enforcement action.

The Adoption Friction

If the case for passkeys is so strong, why have a quarter of major platforms not yet deployed them? The reasons vary. Some companies face legacy authentication architectures that are costly to refactor. Others worry about user confusion during the transition, particularly among older demographics less familiar with biometric login. There is also the challenge of cross-platform sync. While Apple's Keychain, Google Password Manager, and third-party tools like 1Password all support passkey storage, the user experience is not yet seamless across all device combinations. A passkey created on an iPhone may not be immediately accessible on a Windows desktop unless the user has configured a compatible password manager. That friction can lead to lockouts, support escalations, and negative sentiment.

Another factor is organizational inertia. Authentication is foundational infrastructure, and changes carry risk. A botched rollout can lock users out en masse, generate headlines, and erode trust. Engineering teams are understandably cautious. But caution has costs. Every month that a platform delays passkey support is another month its users remain exposed to credential stuffing, phishing, and account takeover. The threat landscape has not paused. Breached password databases continue to circulate on underground forums, and automated tools make it trivial to test millions of username-password combinations against login endpoints.

Meta's Inconsistency

Meta's fragmented approach is particularly puzzling. Facebook and WhatsApp both support passkeys. Instagram does not, except through the workaround of linking to a Facebook account. The inconsistency suggests that passkey rollout within Meta is handled at the product level rather than as a company-wide platform initiative. That siloed approach may reflect the company's organizational structure, where Instagram, WhatsApp, and Facebook maintain separate engineering teams and roadmaps despite shared ownership.

From a user perspective, the inconsistency is frustrating. Someone who secures their Facebook account with a passkey might reasonably expect the same option on Instagram. The absence signals either technical debt or de-prioritization. Either way, it leaves Instagram users with fewer security options than their Facebook counterparts, despite both platforms being high-value targets for attackers.

The conditional support also complicates the narrative around Meta's commitment to user safety. The company has invested heavily in content moderation, two-factor authentication prompts, and anomaly detection. But if passkeys, the current gold standard for authentication, are not available across all flagship products, the security posture remains uneven.

What Comes Next

The launch of whynopasskeys.com is unlikely to trigger overnight change, but it does shift the conversation. Until now, passkey adoption has been largely invisible to end users. Most people do not know whether their favorite app supports the technology, and there has been no easy way to compare platforms. The new site provides that comparison, and in doing so, it creates a public accountability mechanism.

Whether that pressure translates into faster adoption depends on several variables. User demand is one. If customers begin asking why Instagram or Netflix lacks passkey support, product teams may escalate the feature on internal roadmaps. Media attention is another. Security researchers and privacy advocates have long championed passkeys, but mainstream coverage has been limited. A public list of holdouts could change that, particularly if it gains traction on social platforms or in tech communities.

Regulatory scrutiny is a third lever. Policymakers in the EU, UK, and parts of Asia are increasingly focused on digital identity and authentication standards. A database that highlights which companies lag behind industry norms could inform enforcement priorities or shape future legislation. In markets where data protection authorities have broad investigative powers, the list might even prompt formal inquiries into whether platforms are doing enough to protect user accounts.

The Broader Stakes

Authentication is infrastructure, but it is also a bellwether. The speed at which platforms adopt passkeys reflects their broader posture toward security, user autonomy, and technical debt. Companies that move quickly signal that they are willing to invest in foundational improvements even when the immediate ROI is unclear. Companies that delay signal other priorities, whether that is feature velocity, cost control, or risk aversion.

For users, the stakes are concrete. A compromised account can mean lost data, financial fraud, harassment, or reputational damage. Passwords are the weakest link in that chain, and passkeys are the most effective replacement available today. The fact that one in four major platforms has not yet deployed them is not a technical inevitability. It is a choice, and choices can change.

The question now is how long the list will remain static. Public pressure, regulatory momentum, and competitive dynamics all point toward broader adoption. But the gap between possibility and reality remains wide, and closing it will require more than good intentions. It will require engineering effort, organizational commitment, and a willingness to prioritize user security over short-term convenience.

At DailyTechWire, we'll continue to monitor which platforms move off the list and which remain. The data will tell its own story, and that story will shape how we think about accountability, security, and the infrastructure we build our digital lives on.