Website calls out companies that don't offer passkeys to users
A new website names and shames companies that don't offer passkeys, considered the gold standard for securing accounts against hackers.

When it comes to securing accounts against hackers, passkeys are now widely considered the gold standard. And yet they are still not offered by one in four major apps and services on the internet, including Instagram, Netflix, and Spotify. Those stats come from a new website that names and shames companies that still don’t give users the option to use passkeys to log in to their apps and services.
Passkeys are more secure than passwords because they are generated by a user’s device and tied to that phone or computer and the website they are created for. They can rely on biometrics such as Face ID or Touch ID, or on a physical security key, and can be stored automatically in someone’s password manager. Passkeys’ crucial advantage is that, unlike with a password, the user doesn’t have to remember anything, and that they are much harder for a hacker to steal or phish unless the hacker gets physical control of the target’s devices.
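The tie between a passkey and the website it was created for is something a service checks on every login. The Python below is an added example, not code from the article or from whynopasskeys.com: it runs the WebAuthn origin and RP ID checks on constructed sample data. The domain names, challenge and function names are assumptions, and signature verification is a separate step that is not shown.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def check_assertion_binding(client_data_json, authenticator_data, *,
                            expected_origin, rp_id, expected_challenge):
    """Return the list of failed binding checks (empty list = all passed).

    Verifying the signature over authenticator_data || SHA-256(client_data_json)
    is a separate step, not shown; it is what makes these fields tamper-evident.
    """
    failures = []
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        failures.append("type")
    # The challenge is a one-time server nonce, so a replayed login fails here.
    if client.get("challenge") != b64url(expected_challenge):
        failures.append("challenge")
    # The browser, not the page, fills in the origin.
    if client.get("origin") != expected_origin:
        failures.append("origin")
    if len(authenticator_data) < 37:  # rpIdHash(32) + flags(1) + signCount(4)
        return failures + ["authenticator_data_length"]
    # First 32 bytes: SHA-256 of the RP ID the credential is scoped to.
    if authenticator_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        failures.append("rp_id_hash")
    if not authenticator_data[32] & 0x01:  # bit 0 = user presence (UP)
        failures.append("user_presence")
    return failures


def sample_assertion(origin, rp_id, challenge):
    """Constructed test data shaped like a browser/authenticator response."""
    client = json.dumps({"type": "webauthn.get", "origin": origin,
                         "challenge": b64url(challenge)}).encode()
    flags = bytes([0x05])  # UP | UV
    auth = hashlib.sha256(rp_id.encode()).digest() + flags + (1).to_bytes(4, "big")
    return client, auth


CHALLENGE = bytes(range(32))  # constructed; a real server uses random bytes
EXPECTED = dict(expected_origin="https://example.com", rp_id="example.com",
                expected_challenge=CHALLENGE)

if __name__ == "__main__":
    print(check_assertion_binding(*sample_assertion("https://example.com", "example.com", CHALLENGE), **EXPECTED))
    print(check_assertion_binding(*sample_assertion("https://example.com.login.test", "example.com.login.test", CHALLENGE), **EXPECTED))
```

An assertion produced on the lookalike domain fails both the origin and RP ID hash checks, so it is useless against the real site even if the user was fooled.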
Scott Helme, the longtime security researcher who created the website whynopasskeys.com, wrote in a blog post that the motivation behind the site is to push companies to enable passkeys and give users the chance to adopt them. “A list is a surprisingly effective motivator. Nobody wants to be on the list,” wrote Helme.
Major companies such as Apple, Google, and Microsoft are on the good side of the list and do offer passkeys to users. Meta did not immediately respond to TechCrunch’s request for comment as to why some of its products, like Facebook and WhatsApp, offer passkeys, but Instagram does not. TechCrunch also reached out to Netflix and Spotify.
This article will be updated if any of these companies provide a comment.
The existence of this website highlights a critical issue in the tech industry: the slow adoption of passkeys. As the digital world becomes increasingly vulnerable to cyber threats, the need for more secure authentication methods has never been more pressing.
Companies that fail to implement passkeys are leaving their users exposed to unnecessary risks. For developers, this means prioritizing security features that can make a tangible difference in user safety. For businesses, it means reevaluating their security protocols to stay competitive and trustworthy.
And for consumers, it means expecting more from the services they use – a fundamental shift in the way we think about digital security. As the list of companies without passkeys continues to grow, one question remains: what will it take for the laggards to catch up?
Source: TechCrunch