Going Passwordless in 2026: What Actually Works, and What Still Doesn't

Passkey adoption has hit real numbers — 800 million Google accounts, Amazon's 175 million users, Microsoft making them the default. Here's what going passwordless actually looks like in practice, and where the friction still is.


Passkeys are no longer a future-tense conversation. 800 million Google accounts now use them. Amazon enabled passkeys for 175 million customers and says login is six times faster than typing a password. Microsoft made passkeys the default sign-in method for all new accounts in May 2025. The FIDO Alliance reports 1.3 billion passkey authentications per month — double what it was a year ago. The numbers are real.

Whether you can actually ditch passwords today depends on something the adoption headlines don't cover: where your passkeys live, and what happens when things go wrong.

Where Adoption Actually Stands

About 48% of the top 100 websites now support passkeys, more than double the figure from 2022 and a sign of real mainstream momentum. Google, Apple, Microsoft, Amazon, GitHub, PayPal, and most major financial platforms have all rolled out support. The crypto sector moved aggressively: Gemini required all users to create a passkey in May 2025 and saw a 269% increase in authentications as a result.

That 48% number sounds encouraging until you consider it's the top 100. The vast majority of sites and services people use every day — forums, niche tools, smaller retailers, workplace apps, local government portals — are still password-only. The full passwordless life is not available yet. What is available is a meaningfully passwordless life for your highest-value accounts, which is where the security payoff is largest anyway.

The Problem Nobody Leads With

The most underreported friction in going passwordless is ecosystem lock-in, and it matters more than most coverage acknowledges.

When you create a passkey on an iPhone, Apple stores it in iCloud Keychain by default. When you create one in Chrome, Google offers to save it to Google Password Manager. Microsoft pushes passkeys to its Authenticator app. Each of these systems works well within its own walls. The moment you step outside — an iPhone user logging into a site on a Windows PC, someone switching from Android to iPhone — the experience degrades fast.

The QR-code cross-device flow exists for exactly this scenario: you scan a code on your phone to authenticate on a desktop browser. It works. It is also noticeably more friction than just typing a password, which undercuts the "passkeys are simpler" argument for users who regularly move between devices and ecosystems. And if you ever switch platforms entirely — Android to iPhone, iCloud to something else — your passkeys don't travel with you cleanly.

The right answer to this is to store passkeys in a dedicated password manager rather than in the platform keychain. Bitwarden and 1Password both handle passkeys across platforms, and since November 2025, Windows 11 natively supports both as passkey providers via a new API in the OS settings. If you are already using a cross-platform password manager — and you should be — this is where your passkeys belong, not in iCloud or Google's system.

Portability Just Got a Real Fix

The portability problem has a new answer: the Credential Exchange Protocol (CXP), a standard developed by the FIDO Alliance specifically for secure, encrypted passkey migration between platforms. Bitwarden was among the first to support it, and it launched on Apple's platform in late 2025. In practical terms, this means you can move passkeys from iCloud Keychain to Bitwarden, or between any two supporting managers, without your credentials ever being exposed in plaintext during the transfer.

This matters because the alternative has been ugly: no passkeys are exportable through standard flows, so switching managers meant deleting and recreating every passkey individually. CXP solves that. It won't be supported everywhere immediately, but it signals that passkey portability is now being treated as a solved problem rather than a permanent limitation.

How to Actually Start

If you have a password manager already set up, the starting point is straightforward. Enable passkey support in your manager's settings, then work through your highest-value accounts: Google, Apple ID, Microsoft, GitHub, your primary email, your bank. These accounts are the most attractive targets for credential theft and the ones where a single breach does the most damage. Getting those off passwords and onto passkeys is the majority of the security improvement, even if you never touch the rest of your account list.

For each account, the process is the same: go to the security or account settings, look for "passkey" or "security key" under sign-in options, and follow the setup flow. Your password manager will intercept the creation and offer to save the passkey. Once saved, test it immediately — sign out and sign back in using the passkey before you assume it's working.

Keep the password on the account for now. You don't need to delete it. Passkeys take priority when available, so the password stays as a fallback for sites, devices, or situations where passkey auth isn't available yet. The goal at this stage is layering passkeys onto your existing setup, not making a binary switch.

What to Do About Everything Else

For accounts that don't support passkeys yet, the approach hasn't changed from prior years: use a password manager to generate a unique, long, random password for each one, enable two-factor authentication using an authenticator app rather than SMS, and move on. SMS-based 2FA remains vulnerable to SIM-swapping attacks and is being phased out in regulated sectors for exactly that reason — the UAE Central Bank mandated that all licensed financial institutions drop SMS and email OTPs by March 2026. For personal accounts, an authenticator app is the realistic alternative while you wait for passkey support to arrive.

The accounts that worry security researchers most are the ones with weak, reused passwords and no second factor at all. Getting those to unique passwords with app-based 2FA is more impactful than spending time perfecting your passkey setup on the accounts that are already in reasonable shape.
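The triage order described in this section and in "How to Actually Start", as an added example that is not part of the original article: a script that ranks an account inventory so weak or reused passwords with no second factor come first, then SMS-based 2FA, then high-value accounts that still lack a passkey. The CSV columns, the sample rows and the 14-character length threshold are assumptions made for illustration, not any password manager's export format.

```python
import csv
import hashlib
import io
from collections import Counter

# Constructed sample inventory; column names are assumptions for this example,
# not the export format of any real password manager.
SAMPLE = """site,password,second_factor,passkey,high_value
mail.example,qW8#mZ3$eR6!tY1%,app,yes,yes
bank.example,c9!Lq7#vWz2@pRk8,sms,no,yes
forum.example,summer2019,none,no,no
shop.example,summer2019,none,no,no
code.example,Xy7$kP2m!Qe9&Ln4,app,no,yes
wiki.example,hG5^tR8*bN1(wD3),app,no,no
"""

def fingerprint(password):
    # Digest used as the reuse key so plaintext never lands in the counter.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def triage(csv_text, min_length=14):
    """Return (priority, site, action) tuples, most urgent first.

    min_length is an assumed cutoff for "long"; the article gives no number.
    """
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    reuse = Counter(fingerprint(r["password"]) for r in rows)
    findings = []
    for r in rows:
        reused = reuse[fingerprint(r["password"])] > 1
        weak = len(r["password"]) < min_length
        factor = r["second_factor"]
        if (reused or weak) and factor == "none":
            findings.append((1, r["site"], "unique random password + app-based 2FA"))
        elif factor == "sms":
            findings.append((2, r["site"], "replace SMS codes with an authenticator app"))
        elif reused or weak:
            findings.append((2, r["site"], "rotate to a unique random password"))
        elif r["high_value"] == "yes" and r["passkey"] != "yes":
            findings.append((3, r["site"], "add a passkey, keep password as fallback"))
    return sorted(findings)

if __name__ == "__main__":
    for priority, site, action in triage(SAMPLE):
        print(f"P{priority}  {site:<14} {action}")
```

Accounts that already meet the bar (mail.example and wiki.example in the sample) produce no finding, so the output is only the work left to do.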

The Honest Assessment

2025 was the year passkeys went mainstream at the platform level. 2026 is the year they become a practical default for individuals — not because every website supports them, but because the infrastructure around them finally does. Password managers handle passkeys across platforms. Windows natively supports third-party passkey providers. Portability between ecosystems has a working standard. The rough edges that made early adopters complain are genuinely smoother now.

Full passwordless — every account, every site, no passwords anywhere — is still a few years away, tied to how quickly the long tail of websites adopts the standard. What's achievable today is a setup where your most important accounts use passkeys, your remaining accounts use unique strong passwords managed by software, and the overall attack surface is dramatically smaller than it was when you were reusing passwords and relying on SMS codes.

That's worth doing. The technical overhead in 2026 is low enough that there's no good reason not to.


If you want the technical foundation for how passkeys work — the public-key cryptography, WebAuthn, and why they're phishing-resistant by design — that's covered in Passkey Authentication: The Future of Secure Login. For a comparison of which password manager fits your setup, the full breakdown is here.
