General 12 min read

5 Billion Passkeys Later: Holding a Key Is Not the Same as Owning It

MMNMNOTE
passkeyspasswordlessdata-ownershipportabilityprivacylocal-first

You may already hold a private key you cannot move, copy out, or easily take to another provider. It signs you into your bank. It guards your email. And on most phones it lives inside a vault you do not control. The 5-billion-passkey milestone is a real security win, and it quietly exposes an older question: what does it mean to own a key?

How many passkeys are in use in 2026?

On World Passkey Day 2026 (May 7), the FIDO Alliance estimated that 5 billion passkeys are now in use worldwide.1 It is an estimate, not a hard count — "calculated by the FIDO Alliance from a combination of publicly available data and its own internal passkey deployment data."2 The curve is steep, and not only consumer-side.

The numbers come from research spanning "11,000 consumers and 1,400 enterprise decision-makers across ten countries."3 90% of people are now aware of passkeys, 75% have enabled a passkey on at least one account, and 49% use passkeys regularly when available.4 Andrew Shikiar, the FIDO Alliance's Executive Director and CEO, frames the appeal plainly: passkeys deliver "authentication that is both more secure and easier to use."5

Passwords fail because they are shared secrets: you know one, a server stores a copy, and an attacker only has to grab either end. The cost is not theoretical. In FIDO's 2026 research, one in three people (33%) experienced an account compromise or breach notification in the past year.6 A passkey removes the shared secret, which is the point.

Enterprises feel the same pull. 68% of organizations have deployed or are actively deploying passkeys for employee sign-ins, and 82% say fully passwordless authentication is an ultimate goal within the workforce, with 28% having achieved this goal.7

Microsoft reports that across consumer services like OneDrive, Xbox, and Copilot, "hundreds of millions of users sign in with passkeys every day," and that it has rolled out phishing-resistant authentication "covering 99.6% of users and devices" in its own environment.8 The direction is settled. The interesting part is what kind of thing you now hold.

What a passkey actually is

A passkey is a key pair. Microsoft describes it cleanly: instead of "vulnerable secrets or potentially identifiable personal information, a passkey uses a private key stored safely on the user's device. It only works on the website or app for which the user created it, and only if that same user unlocks it with their biometrics or PIN."9

Apple is equally direct about the asymmetry: "The other key is private, and is what is needed to actually sign in. The server never learns what the private key is."10 "These keys are generated by the device, securely and uniquely, for every account," Apple adds.11

That is the architecturally beautiful part, and it is true. The secret never leaves your hardware, never sits in a breachable server table, and never has to be remembered. At the cryptographic level, you are holding something only you can use. The question is whether holding it is the same as owning it.

The catch: you hold the key, but who holds the vault?

Here is where possession and ownership come apart. In most consumer deployments your passkeys do not live on bare metal you administer — they live inside iCloud Keychain, Google Password Manager, or Windows Hello. Apple is careful and honest about its end: "iCloud Keychain is end-to-end encrypted with strong cryptographic keys not known to Apple."12

It goes further: iCloud Keychain "escrows a user's keychain data with Apple without allowing Apple to read the passwords and other data it contains."12 Read that clause twice. Apple genuinely cannot read your keys, and your keys are still escrowed with Apple. The privacy guarantee is real; the dependency is also real.

Practitioners say it more bluntly. "All the big implementations are locked into some big player. Like Ms, Apple, Google," one developer wrote in a widely read Hacker News thread on passkeys.13 Another: "I'm not interested in being locked into an ecosystem I don't control," and "You need to be in control of the auth method or you can be controlled through it, plain and simple."14 These are not anti-passkey complaints. They are ownership complaints.

Possession is not ownership — portability is

The tell is in the plumbing. If passkeys were truly yours, moving them between providers would be trivial. Historically it was not, which is why in October 2024 the FIDO Alliance began building a standard format to make passkeys and other credentials exportable across providers.15 You do not standardize the export of something people already own.

That distinction is the entire argument. Possession is having the key in your hand right now. Ownership is being able to walk out the door with it — to a new device, a new platform, a new provider — without asking permission. By that test, a passkey you cannot export is closer to a very secure rental.

The cryptography is yours; the freedom of movement is not, at least not yet. The same gap shows up everywhere your digital life is held by someone else, which is why a legal right to leave and a practiced export drill matter as much as encryption does.

The same test, applied to your notes

What is true of credentials is true of everything you create. A note encrypted on a server you cannot leave is safe and captive at once. The ownership question is not "can someone else read it?" — it is "can I take it with me?"

Obsidian's Steph Ango put the durable version of this years ago: "the files you create are more important than the tools you use to create them. Apps are ephemeral, but your files have a chance to last."16

That is the standard worth applying to anything you keep. Are your notes plain, open files you can read without the original app? Do they leave on your terms, in a format the next tool understands? Encryption answers who can see it. Portability answers who controls it.

A plain-text file you can open anywhere passes the second test the way an exportable passkey is only beginning to. Passwordless got the cryptography right. The unfinished work — for keys and for notes alike — is making possession mean ownership.

Frequently asked questions

How many passkeys are in use in 2026?

The FIDO Alliance estimates 5 billion passkeys are in use worldwide as of World Passkey Day 2026 (May 7).1 It is an estimate the Alliance calculates from "publicly available data and its own internal passkey deployment data,"2 not an audited count — so treat it as a directional milestone rather than a precise tally.

Are passwords dead yet?

Not dead, but clearly declining. One in three people (33%) still experienced an account compromise or breach notice in the past year,6 and while 82% of organizations target fully passwordless sign-in, only 28% have achieved it.7 Passwords are being designed out, not yet gone.

Do I really own my passkeys?

You own the private key cryptographically — "the server never learns what the private key is."10 But in most consumer setups that key lives inside iCloud Keychain, Google Password Manager, or Windows Hello, vaults you do not administer.13 You possess the key; you do not fully control the container.

Can I export passkeys to another provider?

Historically this was hard, which is why in October 2024 the FIDO Alliance started building a standard format to move passkeys and other credentials across providers.15 Portability is improving, but it is newer than the keys themselves — check whether your current provider supports credential export before you rely on it.

Where is a passkey actually stored?

On your device, then typically synced through a platform keychain. Apple notes the keys "are generated by the device, securely and uniquely, for every account"11 and that iCloud Keychain syncs them "end-to-end encrypted with strong cryptographic keys not known to Apple."12 The secret stays on-device; the sync runs through the platform.

Is end-to-end encryption the same as owning my data?

No — they answer different questions. Encryption controls who can read your data; ownership controls whether you can leave with it. A passkey can be both unreadable to the platform and hard to export, which is exactly why portability is a separate test from privacy.


Holding a key only you can use is a real achievement. Being able to take it with you is the achievement that turns possession into ownership — and that is the line worth holding to, for your credentials and your notes alike.

Building with that line in mind is the whole idea behind mnmnote.com: local-first notes in open Markdown that leave when you do.

Footnotes

  1. FIDO Alliance, "FIDO Alliance Reports Accelerating Global Passkey Adoption on World Passkey Day 2026," May 7, 2026. https://fidoalliance.org/fido-alliance-reports-accelerating-global-passkey-adoption-on-world-passkey-day-2026/ 2

  2. FIDO Alliance, World Passkey Day 2026 report (methodology note), May 7, 2026. https://fidoalliance.org/fido-alliance-reports-accelerating-global-passkey-adoption-on-world-passkey-day-2026/ 2

  3. FIDO Alliance, World Passkey Day 2026 report (research scope), May 7, 2026. https://fidoalliance.org/fido-alliance-reports-accelerating-global-passkey-adoption-on-world-passkey-day-2026/

  4. FIDO Alliance / Sapio Research (April 2026 survey), reported May 7, 2026. https://fidoalliance.org/fido-alliance-reports-accelerating-global-passkey-adoption-on-world-passkey-day-2026/

  5. Andrew Shikiar, Executive Director and CEO, FIDO Alliance, quoted in the World Passkey Day 2026 report, May 7, 2026. https://fidoalliance.org/fido-alliance-reports-accelerating-global-passkey-adoption-on-world-passkey-day-2026/

  6. FIDO Alliance, World Passkey Day 2026 report, May 7, 2026. https://fidoalliance.org/fido-alliance-reports-accelerating-global-passkey-adoption-on-world-passkey-day-2026/ 2

  7. FIDO Alliance, World Passkey Day 2026 report (enterprise findings), May 7, 2026. https://fidoalliance.org/fido-alliance-reports-accelerating-global-passkey-adoption-on-world-passkey-day-2026/ 2

  8. Microsoft Security Blog, "World Passkey Day: advancing passwordless authentication," May 7, 2026. https://www.microsoft.com/en-us/security/blog/2026/05/07/world-passkey-day-advancing-passwordless-authentication/

  9. Microsoft (Digital Defense Report), quoted in the Microsoft Security Blog, May 7, 2026. https://www.microsoft.com/en-us/security/blog/2026/05/07/world-passkey-day-advancing-passwordless-authentication/

  10. Apple, "About the security of passkeys," accessed June 2026. https://support.apple.com/en-us/102195 2

  11. Apple, "About the security of passkeys," accessed June 2026. https://support.apple.com/en-us/102195 2

  12. Apple, "About the security of passkeys" (iCloud Keychain section), accessed June 2026. https://support.apple.com/en-us/102195 2 3

  13. Hacker News commenters (wkat4242; kbelder), passkey discussion thread 42442639, December 2024. https://news.ycombinator.com/item?id=42442639 2

  14. Hacker News commenter (trinsic2), passkey discussion thread 42442639, December 2024. https://news.ycombinator.com/item?id=42442639

  15. The Hacker News, "Microsoft Sets Passkeys Default for New Accounts" (reporting the FIDO Alliance's October 2024 credential-exchange work), May 2025. https://thehackernews.com/2025/05/microsoft-sets-passkeys-default-for-new.html 2

  16. Steph Ango, "File over app," accessed June 2026. https://stephango.com/file-over-app