TechReaderDaily.com
TechReaderDaily
Live
Security · Identity

Passkeys Become Default for Enterprise as Post-Password Era Arrives

With 5 billion passkeys now in use and Microsoft making them the default for enterprise customers, the post-password era has arrived, but a quarter of major web services still do not support the standard and account recovery remains the hardest unsolved problem.

In this article
  1. Enterprise Adoption and the Portability Problem

On July 13, 2026, Microsoft published a blog post that will reshape how tens of millions of workers sign in to their corporate accounts each morning. Starting September 1, 2026, passkeys will become the default authentication method in Microsoft Entra ID, the identity platform that underpins access to Office 365, Azure, and thousands of third-party enterprise applications. The announcement, published on the company's Security Blog, marks the single largest enterprise-mandated shift away from passwords in the history of corporate IT. For Microsoft's customers, the password is no longer the first option presented to a user. It is the fallback, buried one menu deeper than it was the day before.

The Microsoft announcement did not arrive in isolation. In May 2026, the FIDO Alliance, the industry consortium that maintains the WebAuthn standard on which passkeys are built, announced that an estimated 5 billion passkeys were now in use worldwide. Three days earlier, on World Passkey Day, the Alliance had released its State of Passkeys 2026 report, finding near-universal consumer awareness of the technology and high adoption rates across both consumer and enterprise segments. On July 10, Google disclosed that more than 800 million accounts now sign in with passkeys rather than passwords. The post-password era has a new default, and it is arriving faster than most security forecasts predicted.

Passkeys replace a shared secret, the typed password, with public-key cryptography. When a user creates a passkey, their device generates a key pair. The private key remains on the device, guarded by the same biometric or PIN unlock that protects the phone or laptop. The public key is sent to the service. During authentication, the service challenges the device to prove it holds the private key, without the private key ever leaving the device. The protocol, WebAuthn, binds each credential to the domain that created it. A passkey made for login.microsoftonline.com will not authenticate to a lookalike domain, no matter how convincing the phishing page appears. That is the structural guarantee, and it is enforced by the browser, not by the user's ability to spot a suspicious URL.

That domain-binding property is the feature that makes passkeys resistant to phishing. It is also the feature that separates them from every authentication technology that came before. Multi-factor authentication, in its most common form, sends a one-time code that a user types into a login page. That code can be intercepted by an adversary-in-the-middle proxy, a technique that has been industrialized over the past three years. In May 2026, Microsoft disclosed a phishing campaign that had targeted over 35,000 users across 13,000 organizations in 26 countries, using fake internal compliance emails and adversary-in-the-middle infrastructure to capture both passwords and MFA tokens. The same month, the FBI warned that a criminal subscription service called Kali365 was hijacking Microsoft 365 accounts at scale without touching a password, by intercepting session tokens after users completed an MFA challenge. Passkeys close the interception window. There is no code to relay, no shared secret to exfiltrate, no session token floating through a proxy server.

The gap between what passkeys can do and where they have been deployed remains wide. On June 24, 2026, TechCrunch reported on a new website that tracks which major online services support passkeys. According to the site, 24 percent of the most popular websites in the world do not offer passkey support at all. Lorenzo Franceschi-Bicchierai, reporting for TechCrunch, noted that the tracking site was built to apply public pressure, naming and shaming companies that have not adopted what is now widely considered the gold standard for account security. The list of services that have not adopted passkeys includes companies with massive consumer footprints, among them Instagram, Netflix, and Spotify. Each of these services handles millions of daily logins that could be protected by public-key cryptography but are not.

The pattern is uneven. Technology platforms that operate identity-as-a-service, Google, Apple, and Microsoft, have been the fastest to ship passkey support. Their incentives are clear: each passkey created on their platform deepens a user's integration with that ecosystem. Consumer services with large addressable markets but thinner identity engineering teams have lagged. The FIDO Alliance's 2026 data shows adoption clustering around financial services, government digital identity programs, and enterprise SaaS. Retail, media, and social platforms are moving more slowly. The distinction matters because those are precisely the services where credential-stuffing and phishing attacks remain most common, and where a compromised account often grants access to stored payment methods and personal data.

The persistence of passwords on a quarter of the web's most popular sites is not purely a matter of engineering indifference. For some services, the business case for passkey deployment competes with other security priorities, including fraud detection, payment security, and content moderation. For others, the concern is fragmentation. A service that deploys passkeys must still support passwords for users on older devices or browsers that lack WebAuthn support. Maintaining two authentication paths, one cryptographic and one based on a shared secret, increases the attack surface in the short term, even if the long-term trajectory is toward a passwordless default. Security architects describe this as the transitional risk, a period during which both paths must be hardened simultaneously.

Enterprise Adoption and the Portability Problem

Enterprise adoption follows a different trajectory, driven by compliance mandates, cyber insurance requirements, and the operational cost of password resets rather than consumer convenience. Microsoft's move to make passkeys the default in Entra ID is the culmination of a multi-year rollout. In April 2026, the company began deploying passkey support for Entra ID on Windows devices, enabling phishing-resistant authentication across corporate, personal, and shared systems, as reported by BleepingComputer. The September 1 default switch means that any organization using Entra ID that has not actively opted out will present new users with a passkey creation flow first. Passwords remain available as a fallback authentication method, but the architecture has been inverted. The phishing-resistant method is now the primary path.

The enterprise case for passkeys is not only about stopping breaches. It is also about reducing the operational cost of password resets, which remains one of the largest line items in a corporate help desk budget. Every major identity provider has been working toward this shift for years. What changed in 2026 was the availability of cross-platform passkey portability. The FIDO Alliance finalized its Credential Exchange protocol, which allows passkeys to be securely transferred between password managers and platform providers without exposing the private key material. In February 2026, Dashlane became the first password manager to implement the standard on Android, replacing insecure CSV exports with encrypted direct transfers between applications. The protocol is the first credible answer to a question that has dogged passkey deployment since the beginning: what happens when a user switches platforms.

Portability solves one of the sharpest criticisms leveled at passkeys during their early deployment: the fear of vendor lock-in. A user who created passkeys inside Apple's iCloud Keychain could not easily move them to a different ecosystem without starting over, effectively re-enrolling every service. The Credential Exchange protocol changes that, though implementation remains uneven across vendors. The standard supports both same-provider transfers and cross-provider migration, but the cross-provider path requires active cooperation between the sending and receiving platforms. As of mid-2026, that cooperation is not universal. Google and Apple have announced support. Other platform vendors have not yet committed to timelines, and the absence of a regulatory mandate means the pace of adoption is voluntary.

Account recovery remains the harder problem, and it is one that passkeys do not solve on their own. When a user loses the device that holds their private key, they need a recovery path. Every service that deploys passkeys must still maintain a fallback authentication mechanism, which means the password, the SMS code, or the email magic link persists somewhere in the architecture. An attacker who can compromise that recovery path does not need to break the passkey. They can simply request a reset. The systemic security of a passkey deployment is therefore bounded by the strength of its recovery flow, a fact that security architects point to when warned against treating passkeys as a complete solution. A passkey deployment is only as strong as its weakest recovery channel.

Government digital identity programs have become an important test bed for passkey deployment at population scale. Singapore's SingPass, the national digital identity system used by more than 4 million residents, shifted to passkeys as part of a broader modernization effort. TechRepublic reported in July 2026 that the migration had revealed structural challenges familiar to any large enterprise: legacy backend systems that could not consume WebAuthn assertions, uneven device support across an aging population, and the persistent need to maintain password-based fallback for users who had not yet upgraded their devices. The lessons from Singapore apply broadly. Passkey adoption is not a switch that can be flipped in a single quarter. It is a multi-year infrastructure project that touches device procurement, help desk training, and backend identity plumbing.

The FIDO Alliance's 2026 report also surfaced an uncomfortable finding about consumer behavior. Awareness of passkeys was near-universal among survey respondents, but actual daily use lagged behind awareness by a significant margin. Many users had created a passkey for at least one service but continued to sign in with a password out of habit, because the service still presented the password field first, or because they did not trust the new method to work consistently across their devices. The behavior gap suggests that making passkeys available is not the same as making them the default. Default enrollment, of the kind Microsoft is now deploying for Entra ID, appears to be the most effective mechanism for closing the gap, because it removes the user's decision point entirely. You do not choose a passkey. You are given one.

The post-password landscape is not a world without passwords. It is a world where passwords move to the periphery, a fallback that is still present but rarely exercised. The infrastructure that supports that shift includes WebAuthn, the FIDO2 standard, the Credential Exchange protocol, and the platform-level integrations built by Apple, Google, and Microsoft. It also includes the less visible work of enterprise identity teams, who are now rewiring authentication flows that have been password-first for decades. A system that was designed around a username field, a password field, and a submit button must be rebuilt around a cryptographic challenge and a biometric prompt. That is not a configuration change. It is a re-architecture of the authentication stack, and it touches every service that consumes identity assertions downstream.

What to watch in the second half of 2026: the September 1 Microsoft deadline and whether organizations actively opt out of the passkey default; the rate at which the 24 percent of top websites still without passkey support adopt the standard, and whether public pressure campaigns accelerate that timeline; and the progress of cross-provider Credential Exchange adoption among the major platform vendors, which will determine whether passkey portability becomes a reality or a specification that exists only on paper. The post-password era has definition now. It has a standard, a deployment baseline, a measurable adoption gap, and a set of unsolved problems around recovery and portability. The story of the next year is not whether passkeys work. It is whether the services that still rely on shared secrets can be persuaded, or compelled, into retiring them.

Read next

Progress 0% ≈ 9 min left
Subscribe Daily Brief

Get the Daily Brief
before your first meeting.

Five stories. Four minutes. Zero hot takes. Sent at 7:00 a.m. local time, every weekday.

No spam. Unsubscribe anytime · Privacy.