Cybersecurity researchers Scott Helme and Troy Hunt launched whynopasskeys.com on Tuesday, a public registry that tracks and ranks the world’s most popular websites based on their adoption of passkey authentication, and the launch immediately produced a finding that is harder to dismiss than a general concern about password security: six of the top 25 global internet destinations – approximately 24% – do not offer passkey support. Those six include Instagram, Netflix, Spotify, Samsung, and Roblox – not startups with limited engineering budgets but some of the most visited platforms on earth, collectively serving hundreds of millions of accounts. Apple, Google, and Microsoft appear on the positive side of the list. The registry’s arrival and its methodology are the details that distinguish this from a press release, and the specific institutional context is what the story requires to understand properly.
Passkeys are phishing-resistant authentication credentials generated by a user’s device and tied cryptographically to both the device and the specific website they were created for. They rely on biometrics such as Face ID, Touch ID, or a physical security key and can be stored in a password manager. The security advantage over passwords is structural rather than incremental: a passkey cannot be stolen in a server breach because the private key never leaves the user’s device, and it cannot be phished because it is cryptographically bound to the website that issued it. More than 15 billion online accounts can currently use passkeys. The technology is ready, the infrastructure is in place, and major platforms – Apple, Google, Microsoft, Amazon – have deployed it at scale. One in four major apps has not. The gap between technological readiness and deployment is what whynopasskeys.com has just made publicly visible, and it is what NewsTrackerToday anchors as the precise problem the registry addresses.
Ethan Cole reads the incentive structure directly: “Companies don’t implement passkeys because their users aren’t demanding them yet and because the migration from existing password infrastructure is not a zero-cost engineering project. The reputational cost of a breach is lower than the engineering cost of migration, until it isn’t. The whynopasskeys.com approach is to raise the reputational cost of non-adoption before the breach happens, which is exactly how whynohttps.com changed industry behavior in 2017 and 2018.” The whynohttps parallel is the one Helme’s own writing emphasizes explicitly, and it is what the site’s launch documents as a deliberate strategic replication.
Isabella Moretti reads the business model dimension: “Instagram is a specific and instructive case. Meta offers passkeys for Facebook and WhatsApp. Instagram users can only use a passkey if their account is linked to a Facebook account that already has one enabled. That is not a technical limitation. It is a product decision that ties Instagram’s authentication to Facebook’s account graph. The whynopasskeys.com listing for Instagram describes MFA-only support rather than full passwordless support, which captures the distinction between using a passkey as a second factor on top of a password versus replacing the password entirely. Those are very different security postures, and the registry distinguishes them.” That distinction between passwordless passkey support and MFA-only passkey use is what NewsTrackerToday pulls as the whynohttps parallel carries most weight: the 2017 site did not distinguish between HTTPS on some pages versus sitewide enforcement.
The site’s data comes from passkeys.directory, a community-maintained archive that tracks authentication support across major platforms. Because checking for passkey implementation requires interacting with a live login portal rather than scanning for a certificate, the methodology relies on community submission rather than automated crawling. That means the database updates in near-real-time when platforms change their implementations, and it means companies that add passkey support can submit a correction and get off the list promptly. The fastest path off the list is adoption, which is the site’s stated goal. Helme explicitly said: “If you run one of these sites: you already know what to do.” The direct address to corporate security teams is what NewsTrackerToday sets against the broader passkey adoption trajectory: 87% of U.S. and U.K. companies using passkeys internally, but a different question entirely when it comes to customer-facing consumer authentication.
The shift this launch registers is institutional rather than technical. The technology has been ready since the FIDO Alliance and major platforms agreed on the passkey standard. What has been missing is the same social pressure mechanism that converted HTTPS from a premium security feature to a baseline expectation: a public, searchable, regularly updated registry of who has not done the obvious thing. When browsers started marking non-HTTPS sites as “not secure,” adoption spiked. Whynopasskeys.com creates the social version of that signal before any browser or regulator creates the technical version. The reputational pressure that the site now applies to Netflix, Spotify, Instagram, and Roblox is what News Tracker Today closes on as the mechanism: the site is not new technology; it is old social engineering applied to a new authentication standard.