State of Passkey Authentication in the Wild: A Census of the Top 100K sites
- URL: http://arxiv.org/abs/2602.15135v1
- Date: Mon, 16 Feb 2026 19:28:55 GMT
- Authors: Prince Bhardwaj, Nishanth Sastry
- Abstract summary: Passkeys are discoverable WebAuthn credentials synchronised across devices. Major vendors have integrated passkeys into operating systems and browsers. Yet the true extent of adoption across the broader web remains unknown.
- License: http://creativecommons.org/licenses/by-sa/4.0/
- Abstract: Passkeys, discoverable WebAuthn credentials synchronised across devices, are widely promoted as the future of passwordless authentication. Built on the FIDO2 standard, they eliminate shared secrets and resist phishing while offering usability through platform credential managers. Since their introduction in 2022, major vendors have integrated passkeys into operating systems and browsers, and prominent websites have announced support. Yet the true extent of adoption across the broader web remains unknown. Measuring this is challenging because websites implement passkeys in heterogeneous ways. Some expose explicit "Sign in with passkey" buttons, others hide options under multi-step flows or rely on conditional mediation, and many adopt external mechanisms such as JavaScript libraries or OAuth-based identity providers. There is no standardised discovery endpoint, and dynamic, JavaScript-heavy pages complicate automated detection. This paper makes two contributions. First, we present Fidentikit, a browser-based crawler implementing 43 heuristics across five categories (UI elements, DOM structures, WebAuthn API calls, network patterns, and library detection), developed through iterative refinement over manual examination of 1,500 sites. Second, we apply Fidentikit to the top 100,000 Tranco-ranked domains, producing the first large-scale census of passkey adoption. Our results show adoption strongly correlates with site popularity and often depends on external identity providers rather than native implementations.
Related papers
- Nested Browser-Use Learning for Agentic Information Seeking [60.775556172513014]
  Information-seeking (IS) agents have achieved strong performance across a range of wide and deep search tasks, yet their tool use remains largely restricted to API-level snippet retrieval and URL-based page fetching. We propose Nested Browser-Use Learning (NestBrowse), which introduces a minimal and complete browser-action framework that decouples interaction control from page exploration through a nested structure.
  arXiv Detail & Related papers (2025-12-29T17:59:14Z)
- Verifiable Passkey: The Decentralized Authentication Standard [0.18416014644193066]
  FIDO2 Passkeys is one of the most widely adopted standards of passwordless authentication. This paper introduces a novel standard 'Verifiable Passkey' that allows the user to use Passkeys created for a Verifiable Credential issuer across any platform without risking privacy or user tracking.
  arXiv Detail & Related papers (2025-12-25T13:06:52Z)
- Characterizing Phishing Pages by JavaScript Capabilities [77.64740286751834]
  This paper aims to aid researchers and analysts by automatically differentiating groups of phishing pages based on the underlying kit. For kit detection, our system has an accuracy of 97% on a ground-truth dataset of 548 kit families deployed across 4,562 phishing URLs. We find that UI interactivity and basic fingerprinting are universal techniques, present in 90% and 80% of the clusters.
  arXiv Detail & Related papers (2025-09-16T15:39:23Z)
- Automated Testing of Broken Authentication Vulnerabilities in Web APIs with AuthREST [4.709101341936703]
  We present AuthREST, an open-source security testing tool targeting broken authentication. AuthREST automatically tests web APIs for credential stuffing, password brute forcing, and unchecked token authenticity.
  arXiv Detail & Related papers (2025-09-12T15:00:58Z)
- VPI-Bench: Visual Prompt Injection Attacks for Computer-Use Agents [74.6761188527948]
  Computer-Use Agents (CUAs) with full system access pose significant security and privacy risks. We investigate Visual Prompt Injection (VPI) attacks, where malicious instructions are visually embedded within rendered user interfaces. Our empirical study shows that current CUAs and BUAs can be deceived at rates of up to 51% and 100%, respectively, on certain platforms.
  arXiv Detail & Related papers (2025-06-03T05:21:50Z)
- Beyond Browsing: API-Based Web Agents [58.39129004543844]
  API-Based Agents outperform web Browsing Agents in experiments on WebArena. Hybrid Agents out-perform both others nearly uniformly across tasks. Results strongly suggest that when APIs are available, they present an attractive alternative to relying on web browsing alone.
  arXiv Detail & Related papers (2024-10-21T19:46:06Z)
- Assessing Web Fingerprinting Risk [2.144574168644798]
  Browser fingerprints are device-specific identifiers that enable covert tracking of users even when cookies are disabled. Previous research has established entropy, a measure of information, as the key metric for quantifying fingerprinting risk. We provide the first study of browser fingerprinting which addresses the limitations of prior work.
  arXiv Detail & Related papers (2024-03-22T20:34:41Z)
- mPSAuth: Privacy-Preserving and Scalable Authentication for Mobile Web Applications [0.0]
  mPSAuth is an approach for continuously tracking various data sources reflecting user behavior and estimating the likelihood of the current user being legitimate. We show that mPSAuth can provide high accuracy with low encryption and communication overhead, while the effort for the inference is increased to a tolerable extent.
  arXiv Detail & Related papers (2022-10-07T12:49:34Z)
- Uncovering Fingerprinting Networks. An Analysis of In-Browser Tracking using a Behavior-based Approach [0.0]
  This thesis explores the current state of browser fingerprinting on the internet. We implement FPNET to identify fingerprinting scripts on large sets of websites by observing their behavior. We track down companies like Google, Yandex, Maxmind, Sift, or FingerprintJS.
  arXiv Detail & Related papers (2022-08-15T18:06:25Z)
- TypeNet: Deep Learning Keystroke Biometrics [77.80092630558305]
  We introduce TypeNet, a Recurrent Neural Network trained with a moderate number of keystrokes per identity. With 5 gallery sequences and test sequences of length 50, TypeNet achieves state-of-the-art keystroke biometric authentication performance. Our experiments demonstrate a moderate increase in error with up to 100,000 subjects, demonstrating the potential of TypeNet to operate at an Internet scale.
  arXiv Detail & Related papers (2021-01-14T12:49:09Z)
- Keystroke Biometrics in Response to Fake News Propagation in a Global Pandemic [77.79066811371978]
  This work proposes and analyzes the use of keystroke biometrics for content de-anonymization. Fake news have become a powerful tool to manipulate public opinion, especially during major events.
  arXiv Detail & Related papers (2020-05-15T17:56:11Z)
This list is automatically generated from the titles and abstracts of the papers in this site.