Passkeys (WebAuthn)

Created 2026-06-21

A passkey is a FIDO2/WebAuthn public-private key pair generated on the user's device, with the private key held there. At login the server sends a random challenge; after the user verifies with a biometric or PIN, the device signs the challenge (together with authenticator data and a hash of the client data, which names the calling origin) with the private key, and the server checks the signature against the stored public key. There is no shared secret: the private key never leaves the device, and nothing that travels over the network can be replayed. Because the browser will only offer a credential to the relying-party domain it was registered for, a passkey cannot be submitted to a look-alike login page or forwarded by a real-time phishing proxy such as Evilginx, which removes Credential Stuffing and phishing as attack vectors for accounts that use them.


How passkeys work

A FIDO2 passkey consists of a private key (held by the authenticator and, in the standard flow, never exported) and a public key (sent to the relying party at registration and stored there). Authentication is challenge-response: the server sends a random challenge, the device signs it after the user presents a biometric (Face ID, Touch ID, Windows Hello) or PIN, and the server validates the signature. Each credential is scoped to a relying-party ID (a registrable domain), and the browser refuses to use it from any other origin, so a passkey for shop.example.com cannot authenticate to phishing-example.com. Whether the private key exists on one device or is copied to several depends on the credential type (below). [1]

The Shopify Engineering post [1] is dated March 2023, the initial Shop Pay rollout. The WebAuthn mechanics it describes are stable (W3C standard), but the Shopify platform details (Conditional UI state, merchant-facing rollout) may have evolved since; no 2025/2026 Shopify source was found.

Two credential types:

  • Synced passkeys — the private key is backed up to a cloud keychain (iCloud Keychain, Google Password Manager, 1Password, Bitwarden) and restored onto the user's other devices. Convenient across devices, but the cloud account's own recovery chain becomes part of the attack surface. Consumer ecommerce deployments almost universally favour synced passkeys. [2]
  • Device-bound passkeys — the private key is generated and kept on one authenticator (a hardware security key, or a platform authenticator backed by a TPM or Secure Enclave) and is never exported. Highest assurance, but every device must be enrolled separately, which is impractical for most consumer ecommerce.

Shopify's implementation choices: Shopify requested a platform authenticator (authenticator_selection with attachment "platform") and set require_resident_key: true (a discoverable credential) so that users get the device's biometric/passkey prompt rather than a prompt to insert a security key. In current WebAuthn terms these are authenticatorAttachment: "platform" and residentKey: "required" in the create() options. (Shopify Engineering, 2023-03-24)


What passkeys prevent (and don't prevent)

What they prevent

  • Credential stuffing — passkeys eliminate the shared secret. There is no username/password pair to steal from one breached service and replay on another. FIDO Alliance case studies with Air New Zealand and Mercoin reported 0% credential stuffing in fully passwordless environments. [3]
  • Phishing — passkeys are origin-bound and cannot be submitted to spoofed login pages or forwarded by adversary-in-the-middle proxy toolkits.
  • Password-based brute force — no password to guess.

What they do NOT prevent

Critical limitation: infostealer malware and session hijacking sidestep passkeys entirely.

Passkeys operate at the authentication stage. Once the server has issued a session cookie or token, an attacker who steals it (typically from an infostealer on the endpoint exfiltrating the browser's cookie store) can present it and be treated as the authenticated user without ever triggering a new authentication challenge; the passkey is not consulted again until the session expires or is revoked.

  • SpyCloud recaptured 8.6 billion stolen session cookies in 2025; each bypasses MFA and passkeys without touching a password. [4] (as-of 2026-06-17)
  • A 2025 Microsoft analysis, as reported by SpyCloud, found 80% of MFA-bypass incidents involved session token abuse rather than stolen passwords. [4]
  • Infostealer malware stole 1.8 billion credentials from 5.8 million infected devices in 2025 — an 800% surge over prior years — with stolen passwords and session cookies appearing in 86% of all breaches. [5] (as-of 2026-06-14)
  • Over 70% of infostealer-infected devices are personal (BYOD) machines outside corporate endpoint controls. (Shattered.io citing Check Point, 2026-06-14)

This means passkeys solve the credential layer attack surface (stuffing, phishing) but not the post-authentication attack surface (Session Hijacking, Infostealer Malware). Both layers must be defended independently. See Behavioural Biometrics and Device Fingerprinting for post-auth session anomaly detection.

Additionally:

  • WebAuthn is not a bot-uniqueness attestation. A security practitioner noted: "WebAuthn doesn't tell you anything about how trustworthy the client is, nor is it a uniqueness attestation — an attacker can mint an arbitrary number of different identities at basically no cost." [6] Passkeys should not be treated as a Bot Management substitute.

Ecommerce retail adoption (as-of 2026-03-25)

Of 46 major ecommerce brands audited by Corbado (2026-01-19, updated 2026-03-25), fewer than half support passkeys:

Confirmed adopters (as-of 2026-03-25): Amazon, eBay, Apple Store, Walmart, Target, Best Buy, Costco, Home Depot, Lululemon, Mercado Libre, Uber Eats, Allegro (Poland), Sephora (iOS app only), Coupang (Taiwan rollout in progress). [2]

Confirmed non-adopters (as-of 2026-03-25): Nike, ASOS, Zalando, H&M, Zara, Nordstrom, Macy's, Shein, Temu, Farfetch, Net-a-Porter, Gymshark, Decathlon, Wayfair, Uniqlo. [2]

Traffic share: Retail and ecommerce account for nearly half of all passkey authentications globally; Amazon alone represents 39.9% of all passkey auth traffic measured. [7] (as-of 2025-10)

Overall passkey adoption: Passkey authentications more than doubled in one year, reaching 1.3 million per month, with 40% of users storing at least one passkey as of late 2025. [8] (as-of 2025)

Microsoft milestone (as-of 2025-05): Microsoft made passkeys the default sign-in for all new Microsoft accounts in May 2025, driving a 120% increase in passkey authentications. (1Password Community, 2025)


Device and browser readiness (as-of 2026-04-29)

WebAuthn readiness is 100% across all major OS/browser combinations. Passkey-readiness (platform authenticator support + synced credential storage): Windows 90%, macOS 91%, iOS 94%, Android 97%. [9] (as-of 2026-04-29)

iOS 26 update: iOS passkeys became exportable with iOS 26 (released September 2025) via the new FIDO Credential Exchange Format (FIDO CXF) standard, enabling portability across password managers. (1Password Community, 2025)


Performance and conversion data

  • Authentication speed: Google data shows passkey authentication takes 14.9 seconds vs 30.4 seconds for passwords — approximately 2× faster. [10] (as-of 2025)
  • Login time vs MFA: FIDO Alliance 2025 Passkey Index reports a 73% decrease in login time compared to traditional MFA. (Corbado citing FIDO Alliance, 2025-12-18)
  • eBay: Auto-triggered biometric prompt produced a 102% increase in passkey adoption rate. [11]
  • Uber: 90%+ of passkey enrollments completed via in-line nudges. [12]
  • KAYAK: 50% reduction in sign-in time. (Corbado, 2025)
  • MojoAuth ecommerce customer: 28% reduction in checkout abandonment after implementing passkeys. (Authsignal, 2025)
  • Air New Zealand: 50% reduction in login abandonment. (Authsignal, 2025)
  • VicRoads (Australian government, via Corbado Connect): 80% passkey activation on mobile; 30% passkey login rate within weeks of launch; reduced SMS OTP costs and support tickets. [13]

[!unverified] The 28% checkout abandonment reduction and 50% login abandonment reduction figures appear in vendor content (MojoAuth, Authsignal, Corbado) without disclosed A/B test methodology or sample sizes. Treat as directional only.


UX trade-offs

Account recovery — the structural weak point

Account recovery is consistently identified as the weakest link in passkey deployments. Losing every enrolled device falls back to email verification or backup codes, and that recovery path can itself be phished or social-engineered. Designing a secure, low-friction, social-engineering-resistant recovery flow is harder than passkey enrollment itself. [14]

A security practitioner observation: "An attacker won't try to break the WebAuthn cryptography; they will simply click 'I lost my device' and initiate a SIM-swap attack." The account recovery fallback is the weakest link. [15]

CVE-2024-9956 (as-of 2024-10): SecurityWeek reported a WebAuthn logic flaw on mobile browsers that allows account takeover by manipulating the WebAuthn process from script already running in the browser (a malicious extension or an XSS payload). The caveat is that such attacks need a foothold in the client or in the relying party's own origin first: script that runs on shop.example.com can call the WebAuthn API as shop.example.com, so origin binding offers no protection against it, which is one more reason XSS on a login origin remains a critical-severity bug. (SecurityWeek, 2024-10)

Practical UX concern: passwords have a zero-technology backup option (a printout in a fire safe) that heirs can read. At the time of that thread (2025-08) passkey export was available only in Bitwarden and KeePassXC and no cross-manager import worked; the iOS 26 / FIDO CXF note under Device and browser readiness describes the later state. Death and emergency account access remain unresolved. [16]

Cross-device friction

The most common friction point is credential availability when users switch phones, wipe laptops, or arrive on a device that holds no synced key. Without the cross-device (hybrid) flow, in which the desktop shows a QR code and the phone holding the passkey completes the ceremony over a Bluetooth proximity check, the experience devolves into legacy password fallbacks. [17]

Apple ecosystem offers near-instant sync and seamless biometrics. Windows/Linux users experience single-device passkeys by default, sync failures, and cumbersome QR-code cross-device flows. The experience gap drives inconsistent adoption across platforms. (XDA Developers, 2024)

Conditional UI (passkey autofill in login fields): Shopify's engineering team flagged in 2023 that browser Conditional UI carries risk of confusing users on desktop who do not yet have a passkey enrolled. (Shopify Engineering, 2023-03-24) Note: browser Conditional UI has likely improved since 2023.

Inconsistent platform implementation

A practitioner reported that PayPal accepts passkeys only in Safari or Chrome and blocks enrolment of more than one token, so Firefox + YubiKey users cannot enroll at all. [6] This is a representative example of inconsistent passkey scoping across ecommerce sites.

Parallel stack maintenance during transition

A practitioner reported: "10% chance or so Bitwarden will be checked for a passkey and otherwise it's randomly either the browser or phone." Without reliable passkey autofill, users still set up password + OTP as backup — making passkeys feel like additional overhead rather than replacement. During a transition period, ecommerce sites must maintain both stacks. [16]

Adoption barriers in 2025–2026: The biggest barriers are no longer technical readiness or browser support but operational friction, desktop user experience, and persistent misconceptions inside enterprise security teams. [18]


Contradictions

Synced passkeys: secure enough or not? Corbado, MojoAuth, and FIDO Alliance frame synced passkeys (iCloud Keychain, Google Password Manager) as effectively eliminating credential-based ATO and phishing. [2] VS Security practitioners argue synced passkeys are "just fancy login/password pairs that can be exfiltrated by scanning RAM of the passkey manager" — the private key must at some point be in cleartext in memory. Counter-position in the same thread: synced passkeys still block all credential-stuffing, phishing, and reuse attacks, making them a large net win over passwords even if theoretically exfiltrable. [19] Resolution: these are different threat models (sophisticated/targeted attacker vs commodity credential stuffing at scale). Both positions are defensible for different attacker profiles.

Passkeys stop ATO vs. session hijacking bypasses passkeys: Corbado, FIDO Alliance, and passkey vendor content frame passkeys as eliminating ATO. [2] VS SpyCloud (2026-06-17) reports 8.6 billion stolen session cookies in 2025 — all bypassing passkeys post-authentication. [4] Resolution: not logically contradictory — passkeys operate at the authentication stage; infostealer/session hijacking operates at the post-authentication stage. Different attack phases require different defences.

Attestation: Apple's removal is privacy protection or security gap? Apple removed attestation from iOS passkeys to protect consumer privacy and prevent big-platform provider lock-out — framed as a net benefit for the open web. (Hacker News, WorldMaker, 2025-07) VS Enterprise security practitioners argue required attestation with FIPS-compliant TPMs is the only way to make passkeys genuinely phishing-resistant at the policy level, and Apple removed it out of platform advantage rather than altruism. Without attestation, "I can't call passkeys phishing-resistant unless I can lock them down into unexportable passkey providers only." [19]


Vendor landscape (as-of 2026)

Vendor | Role
--- | ---
FIDO Alliance | Standards body; publishes the WebAuthn spec via the W3C; annual Passkey Index report
Corbado | Specialist passkey vendor; Corbado Connect (managed passkey layer over existing IdPs), Corbado Observe (analytics), Corbado Benchmark; maintains state-of-passkeys.io
Shopify (Shop Pay) | Platform passkey implementation since Dec 2022; covers Shop Pay / Shop App auth
1Password | Password manager with synced passkey support
Bitwarden / KeePassXC | Open-source managers; the only ones supporting passkey export at the time of the 2025-08 thread [16]
Google Password Manager | Android default passkey sync; 97% passkey-readiness on Android
iCloud Keychain | iOS/macOS default passkey sync; 94% passkey-readiness on iOS

What practitioners report

  • Practitioners building on passkeys describe three adoption phases: (1) add passkeys alongside passwords as an optional second factor; (2) promote passkeys as the preferred path; (3) deprecate passwords for returning users. Most ecommerce sites are at phase 1. (Corbado, 2025-12-18)
  • Retailers winning against ATO in 2026 are reported to stack four layers: phishing-resistant passkeys (credential layer) + adaptive MFA on risky signals + device intelligence + behavioural biometrics for session anomalies. [20]
  • Practitioner frustration: passkey UX is unreliable enough to require maintaining the old stack in parallel — creating a transition tax rather than replacement. Most practitioners see 3–5 years before meaningful ecommerce adoption for non-adopter cohort. (Hacker News, 2025-08)

Key terms

Term | Meaning
--- | ---
FIDO2 | Fast IDentity Online 2: the framework combining WebAuthn (browser and relying-party side) with CTAP2 (browser-to-authenticator side)
WebAuthn | W3C Web Authentication API, the browser-side interface for FIDO2
Passkey | A FIDO2 discoverable credential; user-facing term for synced or device-bound WebAuthn keys
Relying party | The website or app requesting authentication, identified by its RP ID (a registrable domain)
Discoverable credential | A credential the authenticator stores together with the user handle, so the site can start a login without first asking for a username
Conditional UI | Browser passkey autofill: stored passkeys are offered in the login form's autofill list
Synced passkey | Private key backed up to a cloud keychain (iCloud Keychain, Google Password Manager, 1Password)
Device-bound passkey | Private key stored on one authenticator only; not exportable under normal operation
Attestation | Cryptographic proof, supplied at registration, of the authenticator's make/model; stripped from iOS consumer passkeys
FIDO CXF | Credential Exchange Format: FIDO standard enabling passkey portability across managers

Benchmarks (as-of 2026-04-29)

Metric | Value | Source
--- | --- | ---
WebAuthn browser readiness | 100% (all major browsers/OS) | State of Passkeys, 2026-04-29
iOS passkey-readiness | 94% | State of Passkeys, 2026-04-29
Android passkey-readiness | 97% | State of Passkeys, 2026-04-29
Windows passkey-readiness | 90% | State of Passkeys, 2026-04-29
macOS passkey-readiness | 91% | State of Passkeys, 2026-04-29
Global monthly passkey auths | 1.3M/month (2025) | 1Password Community, 2025
Users with ≥1 passkey enrolled | 40% (2025) | 1Password Community, 2025
Amazon's share of all passkey auth traffic | 39.9% | HelpNetSecurity, 2025-10
Passkey auth time (Google data) | 14.9s vs 30.4s for passwords | Corbado citing Google, 2025
FIDO Alliance: login time reduction vs MFA | 73% | Corbado citing FIDO Alliance, 2025
Stolen session cookies recaptured in 2025 (all sectors) | 8.6 billion | SpyCloud, 2026-06-17
Infostealer-stolen credentials in 2025 | 1.8 billion from 5.8M devices | Shattered.io, 2026-06-14

References

  1. Shopify Engineering, 2023-03-24 — shopify.engineering/supporting-passkeys-in-shop-authentication-flows
  2. Corbado, 2026-01-19 — www.corbado.com/faq/ecommerce-passkeys
  3. Descope citing FIDO Alliance 2025 Passkey Index — www.descope.com/blog/post/2025-fido-report
  4. SpyCloud, 2026-06-17 — spycloud.com/glossary/session-hijacking
  5. Shattered.io citing DeepStrike and Flashpoint, 2026-06-14 — shattered.io/infostealer-malware-1-8b-credentials
  6. Hacker News, jsnell, 2024-12 — news.ycombinator.com/item?id=42359067
  7. HelpNetSecurity, 2025-10-31 — www.helpnetsecurity.com/2025/10/31/passkey-adoption-trends-2025
  8. 1Password Community, 2025 — www.1password.community/blog/random-but-memorable/the-state-of-passkeys-in-2025/163464
  9. State of Passkeys, 2026-04-29 — state-of-passkeys.io
  10. Corbado citing Google, 2025-12-18 — www.corbado.com/blog/ecommerce-authentication
  11. Corbado citing Authenticate 2025 conference — www.corbado.com/blog/passkey-adoption-case-studies-authenticate-2025
  12. Authsignal, 2025 — www.authsignal.com/blog/articles/world-passkey-day-the-state-of-passkeys-in-2025
  13. FIDO Alliance primary case study — fidoalliance.org/case-study-vicroads
  14. Backend Developers Substack, 2026 — thebackenddevelopers.substack.com/p/passkeys-in-2026-ux-security-and
  15. CVE-2024-9956 documentation + SecurityWeek, 2024-10 — www.securityweek.com/passkey-login-bypassed-via-webauthn-process-manipulation
  16. Hacker News, secabeen, 2025-08 — news.ycombinator.com/item?id=44790385
  17. Medium/real-world passkeys, 2025 — motasemhamdan.medium.com/passkeys-in-the-real-world-how-passwordless-actually-performs-in-2025-59b4ace29754
  18. IDTechWire, 2025–2026 — idtechwire.com/benchmark-report-highlights-operational-hurdles-as-passkey-adoption-matures
  19. Hacker News, cyberax vs lxgr, 2025-07 — news.ycombinator.com/item?id=44329658
  20. SecurityBoulevard, 2026-05 — securityboulevard.com/2026/05/account-takeover-protection-for-online-retailers-a-2026-defense-playbook
Research agent · 2026-06-21