
Hardware-Bound Passkeys: The Real Race Is Adoption

Who wins the consumer race to hardware-bound passkeys? Compare security keys, smart cards and OS secure elements, and why adoption beats hardware alone.

Vincent Delitz

Created: May 5, 2026

Updated: May 5, 2026

Key Facts
  • Hardware-bound passkeys reach NIST AAL3. Synced passkeys cap at AAL2 because cloud sync makes keys exportable.
  • iOS and Android hold over 99 percent of mobile share, per StatCounter. Both bury hardware authenticators 1 to 3 clicks below synced credentials.
  • Yubico has shipped over 30 million YubiKeys since 2008. CompoSecure ships over 100 million metal cards a year. IDEMIA produces over 3 billion secure elements annually.
  • Hardware-bound passkey activation in consumer banking sits below 5 percent months after launch, per the FIDO Alliance Authentication Barometer 2024.
  • Ledger has shipped over 7 million wallets. Trezor over 2 million. Crypto self-custody is the only consumer category where users buy hardware on their own.
  • The race will not be won by the strongest hardware. It will be won by the player who pairs hardware with adoption engineering and passkey observability.

1. Introduction: who wins the Consumer Race?

Hardware-bound passkeys are the most secure way to log in, but almost nobody uses them. Security key manufacturers and smart card manufacturers have pushed the form factor for years, and the underlying secure-element supply chain produces over 3 billion chips annually per secure-element market reports. Even so, the FIDO Alliance Authentication Barometer 2024 shows hardware-bound passkey activation in consumer banking still sits below 5 percent in 2025.

The reason is simple. Apple and Google control over 99 percent of mobile share per StatCounter, and they decide which passkey type the user sees first. So the consumer race will not be won by the company with the strongest key. It will be won by the company that combines hardware with software, data and distribution.

1.1 Terminology: Hardware-Bound vs. Synced Passkeys

Hardware-bound passkeys are FIDO2 credentials whose private key stays locked inside a physical secure element. The key never leaves the device. Synced passkeys use the same FIDO2 cryptography but copy the key across your devices through iCloud Keychain, Google Password Manager or a third-party manager. The W3C WebAuthn Level 3 specification treats both as the same credential type with a different storage policy. The industry also calls hardware-bound passkeys "device-bound passkeys" or "hardware-bound WebAuthn credentials." This article uses all three as synonyms.

That single difference - whether the key can leave the hardware - drives almost every downstream property, from NIST assurance level to recovery flow. The diagram below summarizes the contrast.

NIST SP 800-63B places hardware-bound passkeys at AAL3, the highest level, while synced passkeys are capped at AAL2. That one-step gap matters to regulators who require possession-factor binding, including PSD2, PSD3, NYDFS Part 500, RBI 2024 and APRA CPS 234.
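As an added example that is not part of the original article: a relying party can tell which storage policy it is looking at from the flags byte of the WebAuthn authenticator data, where WebAuthn Level 3 defines the BE (backup eligible) and BS (backup state) bits. The parser below assumes raw authenticator data as a Uint8Array and uses constructed sample bytes; the policy function is this example's own, and the flags only reveal what the authenticator reports, so a journey that needs AAL3 assurance still has to verify attestation.

```javascript
// Added example (not from the original article): classify a WebAuthn credential as
// synced or device-bound from the authenticator data flags byte (WebAuthn Level 3).
//
// Authenticator data layout: rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian) | ...
// Flags: bit 0 UP, bit 2 UV, bit 3 BE (backup eligible), bit 4 BS (backed up),
//        bit 6 AT (attested credential data present), bit 7 ED (extensions present).
const FLAG_UP = 0x01;
const FLAG_UV = 0x04;
const FLAG_BE = 0x08;
const FLAG_BS = 0x10;
const FLAG_AT = 0x40;
const FLAG_ED = 0x80;

function parseAuthenticatorData(authData) {
  if (!(authData instanceof Uint8Array) || authData.length < 37) {
    throw new Error("authenticator data must be at least 37 bytes");
  }
  const flags = authData[32];
  const view = new DataView(authData.buffer, authData.byteOffset, authData.byteLength);
  return {
    rpIdHash: authData.slice(0, 32),
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    backupEligible: (flags & FLAG_BE) !== 0,
    backedUp: (flags & FLAG_BS) !== 0,
    hasAttestedCredentialData: (flags & FLAG_AT) !== 0,
    hasExtensions: (flags & FLAG_ED) !== 0,
    signCount: view.getUint32(33, false),
  };
}

// The article's distinction: a key that may leave the authenticator (BE set) is a
// synced passkey; one that may not is device-bound. BS without BE is not a valid
// combination in the spec, so it is reported separately.
function classifyPasskey(parsed) {
  if (parsed.backedUp && !parsed.backupEligible) return "invalid-flags";
  return parsed.backupEligible ? "synced" : "device-bound";
}

// Policy for a regulated journey that requires possession-factor binding: accept
// only device-bound credentials with user presence and user verification.
// Caveat: without verified attestation the BE bit is a self-report by the client.
function meetsDeviceBoundPolicy(authData) {
  const parsed = parseAuthenticatorData(authData);
  return classifyPasskey(parsed) === "device-bound" && parsed.userPresent && parsed.userVerified;
}

// Constructed sample: an all-zero rpIdHash (a real one is SHA-256 of the RP ID),
// then the flags byte, then a big-endian sign counter.
function buildSampleAuthData(flags, signCount) {
  const buf = new Uint8Array(37);
  buf[32] = flags;
  new DataView(buf.buffer).setUint32(33, signCount, false);
  return buf;
}

const deviceBoundSample = buildSampleAuthData(FLAG_UP | FLAG_UV, 7);
const syncedSample = buildSampleAuthData(FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, 0);

console.log(classifyPasskey(parseAuthenticatorData(deviceBoundSample)), meetsDeviceBoundPolicy(deviceBoundSample));
console.log(classifyPasskey(parseAuthenticatorData(syncedSample)), meetsDeviceBoundPolicy(syncedSample));
```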

1.2 Why synced Passkeys won the Default Slot

Synced passkeys took the default slot because Apple and Google shipped them as the preferred option, and they control the prompt. Apple added iCloud Keychain passkey support in 2021. Google Password Manager followed in 2022. Both used WebAuthn Conditional UI to show synced credentials right inside the autofill bar. A hardware authenticator sits one to three clicks deeper in every default flow.

iOS and Android together hold nearly 99.9 percent of global mobile share per StatCounter. Chrome and Safari account for around 92 percent of mobile browser usage. In other words, Apple and Google control the default WebAuthn prompt for the overwhelming majority of consumer mobile logins worldwide.

The FIDO Alliance Online Authentication Barometer 2024 reports that 64 percent of consumers globally have noticed passkeys and 53 percent have enabled passkeys on at least one account. Almost all of those enrollments are synced.

1.3 Where the Consumer Race actually plays out

In this article, "consumer" means CIAM (customer identity and access management). We are talking about external customers logging into a bank, a crypto exchange, a government wallet or a creator platform. We are not talking about workforce login, where hardware-bound passkeys already dominate. The interesting question is which consumer journeys open up next and which player gets there first.

The race covers three form factors and three distribution paths.

  • Form factors: USB or NFC security keys, FIDO2 smart cards built into payment cards and OS secure elements like Apple Secure Enclave or Android StrongBox.
  • Distribution paths: direct sales to consumers, devices shipped by banks or governments to their users and credentials bundled inside every phone or laptop.

1.4 Thesis of this Article

Good hardware is necessary, but it is no longer enough. The vendor with the strongest chip will not automatically win consumer adoption. The real bottlenecks sit above the silicon: browser prompts, NFC stacks on different Android phones, recovery design and consumer distribution. The winner will be the company that pairs hardware with adoption engineering and passkey observability.

"Passkeys have become the gateway to a passwordless future, but the journey from deployment to adoption is what separates winners from also-rans." Andrew Shikiar, Executive Director, FIDO Alliance, in his 2024 State of Passkeys keynote.

The rest of this article walks through the history, the players, the blockers, the real-world use cases and a practical playbook for any company that wants to break out of enterprise and into consumer.

2. How did Hardware Authenticators get here?

Hardware-bound credentials are nothing new. They are about 30 years older than FIDO. PKI smart cards arrived in government in the 1990s, codified by the NIST FIPS 201 PIV standard. RSA SecurID tokens followed in enterprise VPN. EMV chip-and-PIN cards reached payments in 2002. EMVCo reports over 12 billion EMV cards in circulation today, which makes the chip on a payment card the largest deployed hardware-cryptography platform in history.

The same secure-element supply chain, run by IDEMIA, Thales and Infineon at over 3 billion chips a year, now produces the silicon inside FIDO2 smart cards. The three industry shifts that brought hardware authenticators into FIDO2 happened in just four years, between 2014 and 2018.

2.1 From U2F to FIDO2 (2014 to 2018)

The FIDO Alliance launched FIDO U2F in 2014, with the first hardware tokens shipped by several security key vendors. Google rolled U2F keys out to over 89,000 employees by 2017 and reported zero phishing-related account takeovers in the following year, per Krebs on Security. But U2F was only a second factor. Users still had a password, and the hardware tap was just an extra step on top. The form factor stayed enterprise: a small USB key for Google staff, government agencies and a handful of crypto exchanges.

FIDO2 and WebAuthn changed that in 2018 by turning U2F into a full passwordless framework. The same secure element that used to back a second factor could now back the primary login credential.

2.2 Passkey Branding Shift (2022)

In May 2022, Apple, Google, Microsoft and the FIDO Alliance jointly launched the "passkey" brand at the FIDO Alliance Authenticate conference. The idea was a single, simple word that consumers could understand for both synced and device-bound FIDO2 credentials.

Apple rolled out iCloud Keychain passkey sync in iOS 16 in September 2022, per Apple's developer release notes. Google followed in October 2022 on Android 9 and above, per its Identity blog.

Microsoft was the laggard of the three. Windows Hello had shipped TPM-bound, device-bound credentials since 2015, per the Windows Hello documentation, but consumer accounts could not sync passkeys across devices for years. Microsoft only added passkey support for consumer Microsoft accounts in May 2024, and synced passkeys in Microsoft Edge Password Manager arrived even later, in 2025. So while Apple and Google had a two-to-three year head start on synced consumer passkeys, Microsoft is still catching up on cross-device sync inside its own browser.

Hardware vendors expected this big rebrand from four major players to lift demand for security keys and smart cards. It did not. Synced passkeys absorbed nearly all of the new consumer enrollments, per the FIDO Alliance Barometer.

2.3 Split into 2 Tracks

Within 18 months, the ecosystem split into two clear tracks. The consumer track was dominated by synced passkeys, where Apple and Google built the default flow around their own managers and reached over 99 percent of mobile users per StatCounter. The enterprise track was dominated by hardware-bound passkeys, where IT departments buy security keys or FIDO2 smart cards for workforce identity. The FIDO Alliance values that enterprise market at over 1 billion USD in annual hardware authenticator spend.

The hardware vendors never gave up on consumer. The real question is whether they still have a credible path, or whether the OS layer has locked them out for good.

3. Who is competing in the Consumer Race?

Three form factors compete for space in your wallet or pocket. Security keys lead in direct sales to enthusiasts and enterprises. Smart cards have the largest distribution channel through banks: over 1.5 billion EMV cards are issued every year per EMVCo statistics. OS secure elements ship inside every device sold, but consumers do not see them.

The competing vendors fall into two camps. Security key manufacturers sell USB or NFC keys directly to end users and to enterprises. Smart card and secure element manufacturers build the chips and cards that banks issue. Each camp faces a different unit-cost problem, and none of these vendors has solved the consumer distribution gap on its own.

3.1 Who leads the Security Key Form Factor?

Several security key manufacturers compete in this segment. Modern security keys typically support FIDO2, FIDO U2F, smart-card PIV, OpenPGP and OTP across USB-A, USB-C, NFC and Lightning, and some add an on-device fingerprint sensor on top. The table below gives an overview of the most relevant vendors in the consumer and enterprise market.

Vendor     | HQ           | Notable products                        | Connectors                    | Notable angle
-----------|--------------|-----------------------------------------|-------------------------------|------------------------------------------------------------
Yubico     | Sweden / USA | YubiKey 5, YubiKey Bio, Security Key    | USB-A, USB-C, NFC, Lightning  | Largest direct-to-consumer brand, broad protocol support
Feitian    | China        | ePass, BioPass, MultiPass               | USB-A, USB-C, NFC, BLE        | Largest competitor by global unit volume, OEM for Google Titan
Token2     | Switzerland  | T2F2, Bio3                              | USB-A, USB-C, NFC             | Affordable, PIN+ and biometric variants
Google     | USA          | Titan Security Key                      | USB-C, NFC                    | Anchors Google Advanced Protection, manufactured by Feitian
OneSpan    | USA          | DIGIPASS FX1 BIO                        | USB-A, USB-C, NFC, BLE        | Banking-focused, optional fingerprint sensor
Identiv    | USA          | uTrust FIDO2                            | USB-A, USB-C, NFC             | Enterprise and government smart-card heritage
Kensington | USA          | VeriMark Guard                          | USB-A, USB-C                  | Biometric fingerprint readers, mainstream-retail distribution

The economics are tough at consumer scale. A single device costs 40 to 80 USD per manufacturer pricing pages. The user has to carry the key around. NFC support is uneven across Android phones. And losing the key forces a recovery flow that needs a backup. In an enterprise setting these issues are manageable. At consumer scale they kill adoption.

3.2 Who leads the Smart Card Form Factor?

Smart card manufacturers compete in the bank-issued FIDO2 segment. The vendor landscape splits into card makers and chip suppliers. Card makers such as CompoSecure (which ships its Arculus FIDO2 product), IDEMIA, NagraID, Feitian and TrustSEC produce the FIDO2 cards themselves. Chip suppliers, the three secure-element giants IDEMIA, Thales and Infineon, manufacture the secure elements inside most cards. IDEX Biometrics supplies the on-card fingerprint sensor that turns a smart card into a biometric smart card.

Distribution into card issuers is already solved through the existing payment-card supply chain. The challenge is convincing issuers to absorb the unit-cost premium and ensuring the NFC tap works reliably across devices.

A FIDO2 smart card adds 2 to 5 USD on top of the 5 to 15 USD baseline cost of a metal or biometric card body. According to Juniper Research 2024, biometric payment cards will exceed 140 million units shipped globally by 2027.

3.3 What about Hybrid and adjacent Plays?

A few other products compete for the same use case without fitting cleanly into either form factor. Ledger has shipped over 7 million Nano wallets, and Trezor over 2 million. Both expose FIDO2 as a secondary feature on top of crypto storage. Phone secure elements like Apple Secure Enclave and Android StrongBox host hardware-bound credentials too, but the OS hides them behind a regular platform passkey. Wearable authenticators like Token Ring and Mojo Vision rings have stayed below 100,000 units shipped, per public statements.

In other words, the consumer race is really a three-way contest between security keys, smart cards and OS secure elements. Crypto wallets are a fourth vertical, and wearables are a sub-1 percent footnote.


4. What blocks Consumer Adoption?

Four structural headwinds block hardware-bound passkey adoption in consumer markets.

First, Apple and Google bury the hardware option in browser prompts on devices that hold over 99 percent of mobile share per StatCounter. Second, Android NFC stacks behave differently across the roughly 24,000 device models tracked by OpenSignal. Issues opened in 2024 on the Android Issue Tracker document broken third-party passkey provider flows on Samsung and Xiaomi builds. Third, recovery after losing the device is much harder than for synced credentials. Fourth, direct-to-consumer hardware costs 40 to 80 USD per unit per public manufacturer pricing pages.

None of these four problems can be fixed by a hardware vendor alone.

4.1 OS and Browser Hierarchy

Apple's AuthenticationServices defaults to iCloud Keychain. Even when a relying party sets authenticatorAttachment to cross-platform, the user still has to dismiss the platform sheet first. Google's Credential Manager does the same on Android with Google Password Manager. Safari and Chrome together hold around 84 percent of mobile browser share per StatCounter, so two vendors effectively set the prompt UX for the entire consumer web.

Browsers also under-invest in hardware-key UX because over 99 percent of consumers do not own a dedicated security key, based on aggregated security key shipment data compared with global mobile share on StatCounter. That creates a feedback loop. Poor UX leads to low adoption. Low adoption means no investment. No investment leads to even worse UX.

4.2 NFC Fragmentation on Android

NFC behavior on Android varies a lot between manufacturers. Samsung, Xiaomi, Oppo and Google Pixel all ship different NFC stacks on top of the Android Open Source Project (AOSP). Some Android 14 builds even broke third-party passkey provider support for several months in 2024, per the Android Issue Tracker. A FIDO2 smart card that taps fine on a Pixel 8 may fail on a Galaxy S23 Ultra and behave differently again on a Xiaomi 14. And no central testing program from the Google Android Compatibility Program catches these regressions before they reach consumers.

4.3 Recovery and Loss

Synced passkeys recover automatically when a user signs in on a new device. Hardware credentials do not. A user who loses a security key or breaks a smart card has to fall back to an email magic link, an SMS code or in-person verification. The Verizon 2024 Data Breach Investigations Report finds that 68 percent of breaches involve a non-malicious human element, including credential recovery abuse. NIST SP 800-63B also warns explicitly that account recovery is a common path to authentication compromise. So the hardware binding is only as strong as the recovery channel, which means the relying party carries as much of the security burden as the silicon vendor.

4.4 Distribution and Cost

A consumer-grade security key retails at 40 to 80 USD per manufacturer pricing pages. A consumer who does not think their account is at risk will simply not pay. Banks and crypto exchanges that absorb the cost can give devices away for free, but then they own the support burden. Smart cards bundled with a credit card add 2 to 5 USD on top of the 5 to 15 USD baseline cost per card, per public smart card vendor disclosures including CompoSecure investor materials.

These four headwinds together explain why hardware-bound activation in consumer banking sits below 5 percent, per the FIDO Alliance Authentication Barometer 2024. The same report shows that synced passkeys account for over 95 percent of consumer enrollment in financial services, even when hardware is offered as an option.


5. Where do Hardware-Bound Passkeys actually win?

Three consumer categories give people a real reason to carry dedicated hardware: banking and payments, crypto self-custody and high-value accounts. Each one combines a strong driver, a credible distribution path and consequences serious enough to justify the friction. The diagram below maps the three winning segments side by side.

The next three subsections walk through each segment in detail. Outside of them, synced passkeys win on convenience every time.

5.1 Banking and Payments

Banks are the most natural distribution channel. They already ship physical cards to customers. They also operate under PSD2, PSD3, the EBA Opinion on SCA, RBI 2FA, NYDFS Part 500 and APRA CPS 234. Many of those rules require a cryptographic possession factor that synced passkeys do not clearly satisfy.

The "smart card as credit card" thesis works because the card already exists. A bank issuing a metal card pays 5 to 15 USD per card, per the CompoSecure 10-K. Adding FIDO2 brings that to 7 to 20 USD, per Juniper Research biometric-card cost analysis. That single card then handles chip-and-PIN, NFC tap-to-pay, ATM withdrawals, online banking login and high-value 3DS transaction confirmation.

Several smart card vendors and payment networks, including CompoSecure, IDEMIA and Visa's payment passkey program, are running pilots along these lines. The consumer is never asked "do you want a hardware authenticator?" The card simply arrives in the mail.

5.2 Crypto and Self-Custody

Crypto users already accept the idea of carrying hardware. Ledger has shipped over 7 million Nano devices and reported over 4 billion USD in cumulative hardware revenue, per its corporate page. Trezor has shipped over 2 million units. Security keys also have a long-running position in crypto-exchange MFA, with Coinbase, Kraken and Binance all supporting FIDO2 keys.

Adding FIDO2 to a hardware wallet is incremental engineering work. A 100 USD device that protects a 50,000 USD portfolio is obviously worth carrying. Crypto remains the only consumer category where users buy hardware on their own initiative.

5.3 High-Value Consumer Accounts

A smaller group of consumers protects accounts where takeover is irreversible. The typical examples are primary email, government identity wallets, creator accounts on YouTube or Twitch and journalism credentials. Google's Advanced Protection Program describes this cohort as "high-risk users such as journalists, human-rights workers and political campaign staff."

Cisco's 2024 Cybersecurity Readiness Index also finds that only 3 percent of organizations have a mature security posture. The GAO 2024 cybersecurity report flags account takeover as one of the top five federal cybersecurity risks, which expands the pool of consumers who need this protection well beyond the original journalism niche.


6. Why Hardware alone will not win

Owning the best hardware does not guarantee consumer market share. There are five gaps between a hardware vendor and an end-to-end consumer product: distribution, onboarding, recovery, cross-device journeys and measurement. Each gap needs skills that sit outside silicon design.

  1. Distribution: hardware companies do not have a direct relationship with consumers. Banks, telcos, retailers and OS vendors do. A hardware vendor at consumer scale needs a partner, a white-label deal or an acquirer.
  2. Onboarding: every step the consumer has to take to set up a passkey costs you users. Real-world banking deployments report drop-off rates of 30 to 60 percent across the enrollment funnel, in line with the Baymard Institute checkout abandonment benchmarks.
  3. Recovery: a consumer product without a recovery story is broken. Recovery needs account-level signals, identity verification and risk scoring, all of which live inside the relying party.
  4. Cross-device journeys: one user signs in on a phone, a laptop, a smart TV and a car. The hardware-bound credential lives on only one device. So you need smart routing between hardware and synced credentials to avoid dead ends.
  5. Measurement: hardware vendors usually ship and forget. They count units sold and licenses activated. They do not see the WebAuthn ceremony fail or the user abandon the tap. Without measurement, none of the other four gaps can be closed.

Vendors that solve these five gaps inside their own product become end-to-end authentication platforms. Vendors that do not stay in the components business and sell into someone else's platform.

7. What is the real Lever? Adoption Engineering

Adoption engineering means pairing hardware-bound passkeys with software that drives enrollment, measures every ceremony and routes around broken paths. It breaks down into four activities: funnel-level telemetry, session-level diagnostics, device-intelligent routing and continuous iteration with issuers. None of them is about hardware. All four are required to win in consumer markets, and they only work as a closed loop. The diagram below shows how the four activities feed into each other.

The FIDO Alliance Authentication Barometer 2024 reports that 53 percent of consumers have enabled passkeys on at least one account, but hardware-bound activation in regulated journeys still sits below 5 percent. That is a 10x gap, and adoption engineering is what closes it. The W3C WebAuthn working group treats this gap as a deployment problem, not a specification problem.

7.1 Funnel-Level Telemetry

At the funnel level, passkey observability measures every single step, from "user clicks sign in" to "session token issued." Without that instrumentation, a team cannot tell the difference between "user did not see the hardware option," "user saw it, tapped and the NFC failed" and "user completed the ceremony but the relying party rejected the result."

Funnel telemetry gives you the metrics that actually matter: hardware-passkey activation rate, hardware-passkey success rate by device, time to complete and abandonment by step. The W3C WebAuthn Level 3 specification defines 14 distinct error codes that a ceremony can return, but most production deployments instrument fewer than five of them, per FIDO Alliance Authenticate 2024 deployment talks.

7.2 Session-Level Diagnostics

When a single authentication fails, support teams need to see exactly what happened. Session-level diagnostics capture the transport (NFC, USB or BLE), the CTAP error code, the browser, the OS version, the device manufacturer and the timing of each step in the ceremony. The FIDO CTAP 2.1 specification defines over 20 error codes that authenticators can return, and these are mapped to specific user recovery actions in the W3C WebAuthn Level 3 spec.

Without this telemetry, the support agent sees only "login failed" and sends a password-reset link, which defeats the whole point of deploying hardware. Real-world banking deployments show resolution time drops from weeks to minutes once session diagnostics are in place.

7.3 Device-Intelligent Routing

Some device and OS combinations consistently break. Real-world data from large banking deployments shows abort rates of 40 to 90 percent on individual broken pairs, with the common patterns documented in the Android Issue Tracker and the FIDO Alliance Authenticate 2024 talks.

Routing logic that hides the hardware option on known-broken combinations and falls back to the next-best path keeps users out of the failure case. But you can only make those routing decisions after observability data has identified the broken pairs across the roughly 24,000 distinct Android device models tracked by the OpenSignal device database.
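The funnel telemetry of 7.1, the session-level diagnostics of 7.2 and the routing rule of 7.3 can be sketched in one piece of logic; the following is an added example, not code from the original article or from Corbado's product. It assumes the event and step names defined at the top and constructed sample sessions for two Android device pairs, and it notes that the CTAP error code is only available to a native app, since a browser exposes just the DOMException name to web content.

```javascript
// Added example (not from the original article): funnel telemetry, session
// diagnostics and device-intelligent routing for hardware-bound passkey ceremonies.
// Step and field names are this example's own assumptions.
const STEPS = ["sign_in_clicked", "hardware_option_shown", "hardware_option_selected",
  "ceremony_started", "ceremony_completed", "server_verified"]; // happy path, in order
const FAILURE_EVENTS = new Set(["ceremony_failed", "server_rejected"]); // carry diagnostics

// Classify one session's events into the outcomes the article lists:
// option never shown, shown but not tapped, tap failed, RP rejected, success.
function classifySession(events) {
  const seen = new Set(events.map((e) => e.step));
  if (seen.has("server_verified")) return "success";
  if (seen.has("server_rejected")) return "rp_rejected";
  if (seen.has("ceremony_failed")) return "ceremony_failed";
  if (!seen.has("hardware_option_shown")) return "hardware_not_shown";
  if (!seen.has("hardware_option_selected")) return "hardware_not_selected";
  return "abandoned"; // selected hardware, then left without a terminal event
}

// Session-level record for support: device, last step reached and failure details.
// On the web only the DOMException name reaches the RP; the CTAP error code is
// only available to a native app that talks to the authenticator directly.
function sessionDiagnostic(sessionId, events) {
  const last = events[events.length - 1];
  const failure = events.find((e) => FAILURE_EVENTS.has(e.step)) || {};
  return {
    sessionId, device: last.device, outcome: classifySession(events), lastStep: last.step,
    transport: failure.transport || null, errorName: failure.errorName || null,
    ctapError: failure.ctapError || null,
  };
}

const devicePairKey = (d) => `${d.manufacturer}|${d.osVersion}|${d.browser}`;

// Per (manufacturer, OS version, browser) pair: attempts once hardware was selected,
// successes, and abort rate = share of those attempts that did not succeed.
function aggregateByDevicePair(sessions) {
  const stats = {};
  for (const events of Object.values(sessions)) {
    const outcome = classifySession(events);
    if (outcome === "hardware_not_shown" || outcome === "hardware_not_selected") continue;
    const key = devicePairKey(events[0].device);
    if (!stats[key]) stats[key] = { attempts: 0, successes: 0, abortRate: 0 };
    stats[key].attempts += 1;
    if (outcome === "success") stats[key].successes += 1;
  }
  for (const s of Object.values(stats)) s.abortRate = 1 - s.successes / s.attempts;
  return stats;
}

// Funnel metrics the article calls out: activation rate, success rate, outcome mix.
function funnelMetrics(sessions) {
  const total = Object.keys(sessions).length;
  const byOutcome = {};
  for (const events of Object.values(sessions)) {
    const o = classifySession(events);
    byOutcome[o] = (byOutcome[o] || 0) + 1;
  }
  const selected = total - (byOutcome.hardware_not_shown || 0) - (byOutcome.hardware_not_selected || 0);
  return {
    total, byOutcome,
    hardwareActivationRate: total ? selected / total : 0,
    hardwareSuccessRate: selected ? (byOutcome.success || 0) / selected : 0,
  };
}

// Device-intelligent routing: hide the hardware option on a pair with enough samples
// and an abort rate above the threshold; otherwise offer hardware.
function routeHardwareOption(stats, device, { minSamples = 5, maxAbortRate = 0.4 } = {}) {
  const s = stats[devicePairKey(device)];
  if (s && s.attempts >= minSamples && s.abortRate > maxAbortRate) return "fallback_synced";
  return "offer_hardware";
}

// Constructed sample sessions for two Android device pairs (not real telemetry).
const PIXEL = { manufacturer: "Google", osVersion: "Android 14", browser: "Chrome" };
const GALAXY = { manufacturer: "Samsung", osVersion: "Android 14", browser: "Samsung Internet" };
const NFC_FAIL = { step: "ceremony_failed", transport: "nfc", errorName: "NotAllowedError",
  ctapError: "CTAP2_ERR_ACTION_TIMEOUT" }; // CTAP code as a native app would record it
const RP_REJECT = { step: "server_rejected", transport: "nfc", errorName: "SignatureInvalid" };

function session(device, steps, failure) {
  const events = steps.map((step) => ({ step, device }));
  if (failure) events.push({ device, ...failure });
  return events;
}
const TAPPED = STEPS.slice(0, 4); // through ceremony_started

const SESSIONS = {
  s01: session(PIXEL, STEPS), s02: session(PIXEL, STEPS), s03: session(PIXEL, TAPPED, NFC_FAIL),
  s04: session(PIXEL, STEPS.slice(0, 1)), // hardware option never shown
  s05: session(PIXEL, STEPS.slice(0, 2)), // shown, not tapped
  s06: session(PIXEL, TAPPED),            // tapped, then abandoned
  s07: session(GALAXY, STEPS), s08: session(GALAXY, TAPPED, NFC_FAIL), s09: session(GALAXY, TAPPED, NFC_FAIL),
  s10: session(GALAXY, TAPPED, NFC_FAIL), s11: session(GALAXY, TAPPED, NFC_FAIL),
  s12: session(GALAXY, STEPS.slice(0, 5), RP_REJECT),
};
const PAIR_STATS = aggregateByDevicePair(SESSIONS);
console.log(funnelMetrics(SESSIONS), PAIR_STATS, routeHardwareOption(PAIR_STATS, GALAXY));
```

With the constructed data the Galaxy pair crosses the abort threshold with enough samples and is routed to the synced fallback, while the Pixel pair has too few samples to be hidden yet.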

7.4 Continuous Iteration with Issuers

Banks and fintechs typically run pilots and full deployments on 6 to 12 month cycles, per Gartner research on identity programs. The platform that wins turns observability data into weekly release notes, bug fixes and steadily improving success rates. Static deployment with quarterly reviews loses to continuous iteration. A hardware vendor that runs all four activities end-to-end becomes a platform. A hardware vendor that does not stays a component supplier.

"We see 60 to 80 percent uplift in passkey activation when teams instrument the funnel and act on the data within the same release cycle." Vincent Delitz, Co-Founder, Corbado.


8. So who actually wins the Consumer Race?

No pure-play hardware vendor wins the consumer race. Three archetypes compete for the role of consumer authentication platform: banks and issuers, hardware vendors that build software layers and OS platforms. Banks lead today because they own physical distribution and have regulatory cover from PSD2 and NYDFS Part 500. The OS platforms could redefine the category at any time, since Apple and Google already ship hardware-bound credentials in the Secure Enclave and StrongBox on every device sold in the past five years.

8.1 Why Banks lead today

Banks lead the consumer hardware-bound passkey market today. Four advantages stack in their favor. They already issue physical cards. They have regulatory cover from PSD2, PSD3, NYDFS Part 500, RBI and APRA CPS 234. They own consumer trust. And they can absorb the 2 to 5 USD unit-cost premium across their portfolio, per public smart card vendor disclosures.

Banks that pair these four advantages with adoption engineering lock in multi-year retention from passkey-enabled customers. Banks that buy a hardware product and assume the work ends there end up with the same single-digit activation rates the industry has been reporting for the last two years.

8.2 What about Hardware Vendors that build Software?

The second archetype is the hardware vendor that also builds a real software layer. Several security key and smart card manufacturers have started this transition with concrete products on the market today.

  • Yubico has built the most complete platform of any security key vendor. Its YubiKey as a Service subscription combines per-user licensing (Base tier from 15 USD per user per year), a Customer Portal for fleet management, FIDO Pre-reg, an Enroll app and SDK and global delivery. The service is integrated with Okta, Microsoft Entra ID, Ping Identity and Versasec.
  • Thales pairs its SafeNet eToken and smart card hardware with SafeNet Trusted Access, a cloud Identity-as-a-Service platform with adaptive authentication and SSO.
  • OneSpan bundles its DIGIPASS hardware with the OneSpan Cloud Authentication platform and Intelligent Adaptive Authentication, focused on banking and fintech.
  • HID Global ships its Crescendo smart cards alongside the HID Authentication Service and the HID Approve mobile authenticator.
  • CompoSecure extends its Arculus FIDO2 smart card with a companion wallet app and a developer SDK for issuers.

So far, most of these vendors still earn the majority of their revenue from hardware. Vendors that complete the journey from selling devices to running an authentication platform get to play in both layers. Vendors that do not stay locked inside enterprise.

8.3 What about OS Platforms?

Apple, Google and Microsoft already ship hardware-bound credentials inside every device they sell. The Apple Secure Enclave, Android StrongBox and the Pluton chip in Windows 11 are all hardware-bound, even though users never see them as separate hardware.

These three OS platforms could redefine the category by exposing platform-bound, non-syncing passkeys with the same polished UX as synced passkeys. If they do, dedicated security keys and smart cards shrink to a niche of compliance-driven enterprise and self-custody crypto, around 5 to 10 percent of the total identity market by analyst estimates.

8.4 What does the real Race look like?

The real race is not "security key versus smart card." The real question is who builds the consumer authentication platform that combines hardware where it matters with software, data and adoption engineering everywhere else. Based on the FIDO Alliance Authenticate 2024 keynote, the likely winners over the next three to five years are:

  • Three to five large banks and payment networks that turn FIDO2 smart cards into the default consumer experience.
  • One or two hardware vendors that successfully transition into authentication platforms.
  • The three OS platforms, if they invest in non-synced platform credentials with the same UX polish as synced ones.

Pure hardware companies that stay pure are unlikely to win the consumer race. They end up as silicon suppliers inside someone else's platform. That is a healthy business and a real moat in enterprise, but it is not consumer dominance.


9. What should Banks, Issuers and Product Teams do next?

Three actions matter for any product team evaluating hardware-bound passkeys in the next 12 months, based on the FIDO Alliance deployment playbook and Gartner identity guidance. Pick the use case where hardware actually wins. Pair every hardware deployment with adoption engineering. And build the data feedback loop from day one.

  1. Pick the right use case: high-value transaction confirmation, step-up authentication on regulated journeys and account recovery for high-risk segments. Do not push hardware into general consumer login.
  2. Pair hardware with adoption engineering: instrumentation, native app error handling, device-intelligent routing and explicit measurement against a synced passkey baseline.
  3. Build the data loop early: ship funnel telemetry with the first pilot, not after rollout. Teams that see which Android manufacturer, which iOS version and which browser combination kills tap success can iterate in weeks. Teams that do not are reduced to anecdotes and have to wait for support tickets.

For hardware vendors the message is even sharper. Decide whether the company stays a component supplier or builds a platform. Both are viable. Trying to do both without fully committing leaves the platform investment underfunded and the silicon roadmap distracted.

10. Conclusion

Hardware-bound passkeys are still the only consumer credential type that reaches NIST AAL3, survives a cloud-account compromise and clearly satisfies the strictest reading of PSD2, PSD3 and similar regulations. The technology is sound. The silicon is strong. The standards are mature.

What the technology cannot do on its own is win consumer adoption. Apple and Google control the OS and browser layer. Banks and issuers control consumer distribution. Hardware vendors control silicon. The consumer race is won by the player that combines all three through a software platform that drives adoption, measures every ceremony and routes around the gaps.

The winning recipe is hardware plus passkey observability plus continuous adoption engineering. The vendor or issuer that ships all three writes the consumer playbook for the next decade. Everyone else just sells components into someone else's platform.

Frequently Asked Questions#

What is the difference between hardware-bound passkeys and synced passkeys for consumers?#

Hardware-bound passkeys keep the private key inside a physical secure element such as a security key, a FIDO2 smart card or a built-in TPM chip. The key never leaves that hardware. Synced passkeys live in iCloud Keychain, Google Password Manager or a third-party manager, and they copy across your devices through the cloud. Hardware-bound passkeys reach NIST AAL3 because the private key cannot be exported. Synced passkeys cap at AAL2 because the cloud sync path makes the key recoverable. That one-step gap in assurance matters a lot to regulators in banking, government and healthcare.
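The answer above separates the two credential types by whether the private key can leave the hardware. On the relying-party side that property is visible in the WebAuthn authenticator data: the flags byte carries a backup-eligible (BE) bit and a backup-state (BS) bit, defined in the W3C WebAuthn Level 3 specification, which a synced credential sets and a device-bound one does not. The Python below is an added example, not code from the article or from any vendor it names. It parses authenticator data, reads those flags, classifies the credential and applies a simple step-up policy that only accepts a device-bound, user-verified credential for the expected RP ID. The RP ID bank.example, the all-zero AAGUID, the credential IDs and the builder that fabricates sample authenticator data are constructed for the example; a real RP would also decode the COSE public key and verify the attestation statement at registration, since the BE and BS bits are asserted by the authenticator itself.

```python
"""Parse WebAuthn authenticator data and read the backup-eligibility flags that
tell a relying party whether a credential can be synced. Added example, not code
from the article or from any vendor it mentions."""
import hashlib
import struct

# Flag bits of the authenticator data flags byte (W3C WebAuthn Level 3, section 6.1).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_BE = 0x08  # backup eligible: the credential may be synced to other devices
FLAG_BS = 0x10  # backup state: the credential is currently backed up
FLAG_AT = 0x40  # attested credential data follows (registration responses)
FLAG_ED = 0x80  # extension data follows


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Return rpIdHash, flag booleans, signCount and, on registration, AAGUID and credential ID."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than 37 bytes")
    flags = auth_data[32]
    parsed = {
        "rp_id_hash": auth_data[:32],
        "flags": flags,
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": bool(flags & FLAG_BE),
        "backed_up": bool(flags & FLAG_BS),
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
    }
    if flags & FLAG_AT:
        if len(auth_data) < 55:
            raise ValueError("truncated attested credential data")
        cred_id_len = struct.unpack(">H", auth_data[53:55])[0]
        parsed["aaguid"] = auth_data[37:53].hex()
        parsed["credential_id"] = auth_data[55:55 + cred_id_len]
        # The COSE public key (CBOR) follows the credential ID; a real RP passes it to a CBOR decoder.
    return parsed


def classify_credential(parsed: dict) -> str:
    """BE=1 means the authenticator may sync the key; BE=0 means it stays on the device."""
    return "synced" if parsed["backup_eligible"] else "device-bound"


def passes_hardware_bound_policy(parsed: dict, expected_rp_id: str) -> bool:
    """Step-up policy: right RP, user verified, and a credential that can never be backed up.
    The BE/BS bits are self-reported by the authenticator, so an RP that must prove
    AAL3 also verifies the attestation statement when the credential is registered."""
    expected_hash = hashlib.sha256(expected_rp_id.encode()).digest()
    return (parsed["rp_id_hash"] == expected_hash
            and parsed["user_verified"]
            and not parsed["backup_eligible"])


def build_sample_auth_data(rp_id: str, flags: int, sign_count: int, cred_id: bytes) -> bytes:
    """Constructed registration-style authenticator data for exercising the parser (not real)."""
    aaguid = bytes(16)  # placeholder AAGUID, not any real authenticator's
    body = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)
    if flags & FLAG_AT:
        # An empty CBOR map (0xa0) stands in for the COSE public key that follows the credential ID.
        body += aaguid + struct.pack(">H", len(cred_id)) + cred_id + b"\xa0"
    return body


HARDWARE_FLAGS = FLAG_UP | FLAG_UV | FLAG_AT       # 0x45: device-bound security key or smart card
SYNCED_FLAGS = HARDWARE_FLAGS | FLAG_BE | FLAG_BS  # 0x5d: credential stored in a cloud keychain

if __name__ == "__main__":
    for label, flags in (("security key", HARDWARE_FLAGS), ("cloud-synced", SYNCED_FLAGS)):
        parsed = parse_authenticator_data(build_sample_auth_data("bank.example", flags, 1, b"\x01\x02\x03"))
        print(label, classify_credential(parsed), passes_hardware_bound_policy(parsed, "bank.example"))
```

Checking the flags on every assertion, not only at registration, matters because a credential can report BE=0 at creation and a different authenticator model could present the same credential ID later; the rpIdHash comparison also stops a response minted for another origin from satisfying the bank's step-up check.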

Why have hardware security keys not gone mainstream with consumers despite passkey adoption?#

Apple and Google control the OS and browsers used by over 99 percent of consumers, per StatCounter. Both prioritize their own synced credential managers in WebAuthn prompts. Hardware authenticators sit one to three clicks deeper in every default flow, per Apple AuthenticationServices and the Android Credential Manager docs. NFC behavior on Android is fragmented across phone manufacturers, and Conditional UI defaults to synced credentials. On top of that, most consumers will not pay 40 to 80 USD for a separate authenticator unless a service forces them to.

Which use cases justify a hardware-bound passkey for consumers?#

Three categories give consumers enough motivation. The first is banking and payments, where PSD2, PSD3, RBI in India and APRA CPS 234 in Australia all require strong customer authentication. The second is crypto and self-custody, where losing a key means losing the funds, and where Ledger and Trezor have already shipped over 9 million devices. The third is high-value accounts, including primary email, government identity wallets and creator accounts, where takeover is irreversible. Google's Advanced Protection Program is aimed at exactly this cohort. Outside these three categories, synced passkeys usually win.

How do FIDO2 smart cards fit into the consumer hardware passkey race?#

Smart card manufacturers like CompoSecure (which ships over 100 million metal payment cards a year per its 10-K filing and offers Arculus as its FIDO2 product) and IDEMIA build NFC smart cards with secure elements that can host FIDO2 credentials. Consumers already carry a credit card, so adding a hardware-bound passkey to that card removes the need for a separate device. Banks, neobanks and crypto custodians can then fold authentication, payment and step-up into one form factor. The hard parts are making the NFC tap reliable across iOS and Android browsers and convincing issuers to absorb the 2 to 5 USD cost premium per card.

What does it take to actually win the consumer hardware-bound passkey market?#

Good hardware is necessary, but it is not enough. The winner pairs a credible hardware form factor with an adoption platform that measures every step of enrollment and authentication, routes around broken device and OS combinations and proves to issuers that fraud and support costs are dropping. Without funnel-level passkey observability, vendors and banks cannot tell that 60 percent of users abandon the NFC tap, a pattern documented in FIDO Alliance Authenticate 2024 deployment talks, or that Conditional UI silently swallowed the prompt, per the W3C WebAuthn Level 3 spec. The race will be decided by data and software, not by which key has the strongest titanium shell.
