---
url: 'https://www.corbado.com/blog/hardware-bound-passkeys-consumer-race'
title: 'Hardware-Bound Passkeys: The Real Race Is Adoption'
description: 'Who wins the consumer race to hardware-bound passkeys? Compare security keys, smart cards and OS secure elements, and why adoption beats hardware alone.'
lang: 'en'
author: 'Vincent Delitz'
date: '2026-05-05T15:16:44.803Z'
lastModified: '2026-05-05T19:48:26.369Z'
keywords: 'hardware-bound passkeys, hardware key vs passkey, best hardware passkeys, yubikey consumer passkeys, arculus smart card passkeys, fido2 smart card banking, synced vs device-bound passkeys,'
category: 'Passkeys Strategy'
---

# Hardware-Bound Passkeys: The Real Race Is Adoption

## Key Facts

- Hardware-bound passkeys reach
  [NIST AAL3](https://pages.nist.gov/800-63-3/sp800-63b.html). Synced passkeys cap at
  AAL2 because cloud sync makes keys exportable.
- iOS and Android hold over 99 percent of mobile share, per
  [StatCounter](https://gs.statcounter.com/os-market-share/mobile/worldwide). Both bury
  hardware authenticators 1 to 3 clicks below synced credentials.
- Yubico has shipped over 30 million YubiKeys since 2008. CompoSecure ships over 100
  million metal cards a year. IDEMIA produces over 3 billion secure elements annually.
- Hardware-bound passkey activation in consumer banking sits below 5 percent months
  after launch, per the
  [FIDO Alliance Authentication Barometer 2024](https://fidoalliance.org/content/research/).
- Ledger has shipped over 7 million wallets. Trezor over 2 million. Crypto self-custody
  is the only consumer category where users buy hardware on their own.
- The race will not be won by the strongest hardware. It will be won by the player who
  pairs hardware with adoption engineering and passkey observability.

## 1. Introduction: who wins the Consumer Race?

Hardware-bound passkeys are the most secure way to log in, but almost nobody uses them.
Security key manufacturers and smart card manufacturers have pushed the form factor for
years, and the underlying secure-element supply chain produces over 3 billion chips
annually per [secure-element market reports](https://www.idemia.com/). Even so, the
[FIDO Alliance Authentication Barometer 2024](https://fidoalliance.org/content/research/)
shows hardware-bound passkey activation in consumer banking still sitting below 5
percent.

The reason is simple. Apple and Google control over 99 percent of mobile share per
[StatCounter](https://gs.statcounter.com/os-market-share/mobile/worldwide), and they
decide which passkey type the user sees first. So the consumer race will not be won by
the company with the strongest key. It will be won by the company that combines
hardware with software, data and distribution.

### 1.1 Terminology: Hardware-Bound vs. Synced Passkeys

Hardware-bound passkeys are [FIDO2](https://www.corbado.com/glossary/fido2) credentials whose private key
stays locked inside a physical secure element. The key never leaves the device. [Synced
passkeys](https://www.corbado.com/blog/device-bound-synced-passkeys) use the same FIDO2 cryptography but copy
the key across your devices through iCloud Keychain, Google Password Manager or a
third-party manager. The [W3C WebAuthn Level 3 specification](https://www.w3.org/TR/webauthn-3/)
treats both as the same credential type with a different storage policy, and it signals
the difference to the relying party through the backup eligibility (BE) and backup state
(BS) flags in the authenticator data. The industry also calls hardware-bound passkeys
"device-bound passkeys" or "hardware-bound WebAuthn credentials." This article uses all
three as synonyms.

That single difference - whether the key can leave the hardware - drives almost every
downstream property, from NIST assurance level to recovery flow. The diagram below
summarizes the contrast.

[NIST SP 800-63B](https://pages.nist.gov/800-63-3/sp800-63b.html) lets hardware-bound
passkeys reach [AAL3](https://www.corbado.com/blog/nist-passkeys), the highest level, provided the
authenticator is a hardware-based cryptographic device that meets the FIPS 140 requirements
for that level, while synced passkeys are capped at AAL2 because the key material is
exportable. That one-step gap matters to regulators who require possession-factor
binding, including [PSD2](https://www.corbado.com/blog/psd2-passkeys), [PSD3](https://www.corbado.com/blog/psd3-psr-passkeys),
[NYDFS Part 500](https://www.dfs.ny.gov/industry_guidance/cybersecurity), RBI 2024 and
APRA CPS 234.
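
The check a relying party can run to tell the two apart, as an added example that is not
part of the original article or of any vendor's code: WebAuthn authenticator data carries
the BE and BS flags, so the server can classify every credential and refuse synced ones
for flows that need a possession factor. The RP ID `bank.example`, the authenticator data
byte strings and the policy knobs are constructed for illustration.

```python
"""Tell a synced passkey from a device-bound one on the relying-party side.
Added example for this article (not code from the page or from any vendor it names);
the RP ID and the authenticator data byte strings are constructed."""
import hashlib
import struct
from dataclasses import dataclass

# Bits of the flags byte in WebAuthn authenticator data (Level 3, section 6.1).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_BE = 0x08  # backup eligible: the key may be copied off this authenticator
FLAG_BS = 0x10  # backup state: the key is currently backed up (synced)
FLAG_AT = 0x40  # attested credential data present (registration)
FLAG_ED = 0x80  # extension data present


@dataclass(frozen=True)
class AuthData:
    rp_id_hash: bytes
    flags: int
    sign_count: int


def parse_auth_data(raw: bytes) -> AuthData:
    """Parse the fixed 37-byte prefix and reject the one invalid flag combination."""
    if len(raw) < 37:
        raise ValueError("authenticator data shorter than 37 bytes")
    flags = raw[32]
    if flags & FLAG_BS and not flags & FLAG_BE:
        raise ValueError("BS set without BE is not a valid flag combination")
    (sign_count,) = struct.unpack(">I", raw[33:37])
    return AuthData(bytes(raw[:32]), flags, sign_count)


def classify(ad: AuthData) -> str:
    """BE=0: the key can never leave the authenticator (device-bound).
    BE=1: eligible for sync, whether or not it is backed up right now."""
    return "device-bound" if not ad.flags & FLAG_BE else "synced"


def verify_assertion_policy(raw, rp_id, stored_sign_count, *, require_device_bound, require_uv):
    """Checks to run on every assertion before a regulated action is allowed. Returns (ok, reason)."""
    ad = parse_auth_data(raw)
    if ad.rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash does not match the expected RP ID"
    if not ad.flags & FLAG_UP:
        return False, "user presence not asserted"
    if require_uv and not ad.flags & FLAG_UV:
        return False, "user verification required but not asserted"
    if require_device_bound and classify(ad) != "device-bound":
        return False, "credential is backup eligible; policy requires a device-bound key"
    # A regressed counter on a counter-bearing authenticator suggests a clone. Synced passkeys
    # commonly report 0, so the check only applies when either value is nonzero.
    if (ad.sign_count or stored_sign_count) and ad.sign_count <= stored_sign_count:
        return False, "signature counter did not increase; possible cloned authenticator"
    return True, classify(ad)


def build_auth_data(rp_id, flags, sign_count):
    """Constructed sample input, not captured from a real authenticator."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


RP_ID = "bank.example"  # assumed RP ID
HARDWARE_KEY = build_auth_data(RP_ID, FLAG_UP | FLAG_UV, 42)
SYNCED_PASSKEY = build_auth_data(RP_ID, FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, 0)

if __name__ == "__main__":
    for name, raw in (("security key", HARDWARE_KEY), ("synced passkey", SYNCED_PASSKEY)):
        print(name, verify_assertion_policy(raw, RP_ID, 41, require_device_bound=True, require_uv=True))
```

The classification keys off BE rather than BS on purpose: a passkey that is eligible for
backup but not yet synced still leaves the hardware later, so a possession-factor policy
has to reject it at registration time, not wait for BS to flip.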

### 1.2 Why synced Passkeys won the Default Slot

Synced passkeys took the default slot because Apple and Google shipped them first and they
control the prompt. Apple previewed passkeys in iCloud Keychain in 2021 and shipped them in
iOS 16 in 2022. Google Password Manager followed later in 2022. Both used WebAuthn
Conditional UI to show synced credentials right inside the autofill bar. A hardware
authenticator sits one to three clicks deeper in every default flow.

iOS and Android together hold nearly 99.9 percent of global mobile share per
[StatCounter](https://gs.statcounter.com/os-market-share/mobile/worldwide). Chrome and
Safari account for around 92 percent of
[mobile browser usage](https://gs.statcounter.com/browser-market-share/mobile/worldwide).
In other words, Apple and Google control the default WebAuthn prompt for the
overwhelming majority of consumer mobile logins worldwide.

The
[FIDO Alliance Online Authentication Barometer 2024](https://fidoalliance.org/content/research/)
reports that 64 percent of consumers globally have noticed passkeys and 53 percent have
enabled passkeys on at least one account. Almost all of those enrollments are synced.

### 1.3 Where the Consumer Race actually plays out

In this article, "consumer" means CIAM. We are talking about external customers logging
into a bank, a crypto exchange, a government wallet or a creator platform. We are not
talking about workforce login, where hardware-bound passkeys already dominate. The
interesting question is which consumer journeys open up next and which player gets
there first.

The race covers three form factors and three distribution paths.

- **Form factors**: USB or NFC security keys, FIDO2
  [smart cards](https://www.corbado.com/blog/best-fido2-smartcards) built into payment cards and OS secure
  elements like
  [Apple Secure Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/web)
  or [Android StrongBox](https://source.android.com/docs/security/features/keystore).
- **Distribution paths**: direct sales to consumers, devices shipped by banks or
  governments to their users and credentials bundled inside every phone or laptop.

### 1.4 Thesis of this Article

Good hardware is necessary, but it is no longer enough. The vendor with the strongest
chip will not automatically win consumer adoption. The real bottlenecks sit above the
silicon: browser prompts, NFC stacks on different Android phones, recovery design and
consumer distribution. The winner will be the company that pairs hardware with adoption
engineering and [passkey observability](https://www.corbado.com/blog/hardware-passkey-adoption-observability).

> "Passkeys have become the gateway to a passwordless future, but the journey from
> deployment to adoption is what separates winners from also-rans." Andrew Shikiar,
> Executive Director, FIDO Alliance, in his 2024
> [State of Passkeys keynote](https://fidoalliance.org/content/event/2024-authenticate-conference/).

The rest of this article walks through the history, the players, the blockers, the
real-world use cases and a practical playbook for any company that wants to break out
of enterprise and into consumer.

## 2. How did Hardware Authenticators get here?

Hardware-bound credentials are nothing new. They predate FIDO by decades. PKI smart cards
arrived in government in the 1990s and were later codified in the
[NIST FIPS 201 PIV standard](https://csrc.nist.gov/publications/detail/fips/201/3/final).
RSA SecurID tokens followed in enterprise VPN. EMV chip-and-PIN cards reached payments
in the early 2000s. [EMVCo](https://www.emvco.com/about/) reports over 12 billion EMV
cards in circulation today, which makes the chip on a payment card the largest deployed
hardware-cryptography platform in history.

The same secure-element supply chain, run by IDEMIA, Thales and Infineon at over 3
billion chips a year, now produces the silicon inside FIDO2 smart cards. Three industry
shifts carried hardware authenticators from U2F second factors into the passkey era,
between 2014 and 2024.

### 2.1 From U2F to FIDO2 (2014 to 2018)

The FIDO Alliance launched FIDO U2F in 2014, with the first hardware tokens shipped by
several security key vendors. Google required U2F keys for its more than 85,000 employees
from early 2017 and reported no successful account takeovers from phishing after the
rollout, per
[Krebs on Security](https://krebsonsecurity.com/2018/07/google-security-keys-neutralized-employee-phishing/).
But U2F was only a second factor. Users still had a password, and the hardware tap was
just an extra step on top. The form factor stayed enterprise: a small USB key for
Google staff, government agencies and a handful of crypto exchanges.

[FIDO2](https://fidoalliance.org/specifications/) and
[WebAuthn](https://www.w3.org/TR/webauthn-3/) changed that in 2018 by turning U2F into a
full passwordless framework. The same secure element that used to back a second factor
could now back the primary login credential.

### 2.2 Passkey Branding Shift (2022)

In May 2022, Apple, Google and Microsoft, together with the FIDO Alliance, jointly
announced expanded support for passwordless FIDO sign-in, and "passkey" became the
shared consumer brand, per the
[FIDO Alliance announcement](https://fidoalliance.org/expanded-support-for-fido-authentication-in-ios-and-macos/).
The idea was a single, simple word that consumers could understand for both synced and
device-bound FIDO2 credentials.

Apple rolled out iCloud Keychain passkey sync in iOS 16 in September 2022, per
[Apple's developer release notes](https://developer.apple.com/passkeys/). Google
followed in October 2022 on Android 9 and above, per its
[Identity blog](https://blog.google/technology/safety-security/passkeys-google-account/).

[Microsoft](https://www.microsoft.com/) was the laggard of the three. Windows Hello had
shipped TPM-bound, device-bound credentials since 2015, per the
[Windows Hello documentation](https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/),
but consumer accounts could not sync passkeys across devices for years. Microsoft only
added passkey support for consumer Microsoft accounts in May 2024, and synced passkeys
in [Microsoft Edge Password Manager](https://learn.microsoft.com/en-us/deployedge/microsoft-edge-passkeys)
arrived even later, in 2025. So while Apple and Google had a two-to-three year head start
on synced consumer passkeys, Microsoft is still catching up on cross-device sync inside
its own browser.

Hardware vendors expected this big rebrand from four major players to lift demand for
security keys and smart cards. It did not. Synced passkeys absorbed nearly all of the
new consumer enrollments, per the
[FIDO Alliance Barometer](https://fidoalliance.org/content/research/).

### 2.3 Split into 2 Tracks

Within 18 months, the ecosystem split into two clear tracks. The consumer track was
dominated by synced passkeys, where Apple and Google built the default flow around
their own managers and reached over 99 percent of mobile users per
[StatCounter](https://gs.statcounter.com/os-market-share/mobile/worldwide). The
enterprise track was dominated by hardware-bound passkeys, where IT departments buy
security keys or [FIDO2 smart cards](https://www.corbado.com/blog/best-fido2-smartcards) for workforce
identity. The [FIDO Alliance](https://fidoalliance.org/) values that enterprise market
at over 1 billion USD in annual hardware authenticator spend.

The hardware vendors never gave up on consumer. The real question is whether they
still have a credible path, or whether the OS layer has locked them out for good.

## 3. Who is competing in the Consumer Race?

Three form factors compete for space in your wallet or pocket. Security keys lead in
direct sales to enthusiasts and enterprises. Smart cards have the largest distribution
channel through banks: over 1.5 billion EMV cards are issued every year per
[EMVCo statistics](https://www.emvco.com/about/). OS secure elements ship inside every
device sold, but consumers do not see them.

The competing vendors fall into two camps. Security key manufacturers sell USB or NFC
keys directly to end users and to enterprises. Smart card and secure element
manufacturers build the chips and cards that banks issue. Each camp faces a different
unit-cost problem, and none of these vendors has solved the consumer distribution gap
on its own.

### 3.1 Who leads the Security Key Form Factor?

Several security key manufacturers compete in this segment. Modern security keys
typically support FIDO2, FIDO U2F, smart-card PIV, OpenPGP and OTP across USB-A, USB-C,
NFC and Lightning, and some add an on-device fingerprint sensor on top. The table below
gives an overview of the most relevant vendors in the consumer and enterprise market.

| **Vendor** | **HQ** | **Notable products** | **Connectors** | **Notable angle** |
| --- | --- | --- | --- | --- |
| [Yubico](https://www.yubico.com/) | Sweden / USA | YubiKey 5, YubiKey Bio, Security Key | USB-A, USB-C, NFC, Lightning | Largest direct-to-consumer brand, broad protocol support |
| [Feitian](https://www.ftsafe.com/) | China | ePass, BioPass, MultiPass | USB-A, USB-C, NFC, BLE | Largest competitor by global unit volume, OEM for Google Titan |
| [Token2](https://www.token2.com/) | Switzerland | T2F2, Bio3 | USB-A, USB-C, NFC | Affordable, PIN+ and biometric variants |
| [Google](https://cloud.google.com/titan-security-key) | USA | Titan Security Key | USB-C, NFC | Anchors Google Advanced Protection, manufactured by Feitian |
| [OneSpan](https://www.onespan.com/) | USA | DIGIPASS FX1 BIO | USB-A, USB-C, NFC, BLE | Banking-focused, optional fingerprint sensor |
| [Identiv](https://www.identiv.com/) | USA | uTrust FIDO2 | USB-A, USB-C, NFC | Enterprise and government smart-card heritage |
| [Kensington](https://www.kensington.com/) | USA | VeriMark Guard | USB-A, USB-C | Biometric fingerprint readers, mainstream-retail distribution |

The economics are tough at consumer scale. A single device costs 40 to 80 USD per
manufacturer pricing pages. The user has to carry the key around. NFC support is uneven
across Android phones. And losing the key forces a recovery flow that needs a backup.
In an enterprise setting these issues are manageable. At consumer scale they kill
adoption.

### 3.2 Who leads the Smart Card Form Factor?

Smart card manufacturers compete in the bank-issued FIDO2 segment. The vendor landscape
splits into card makers and chip suppliers. Card makers such as
[CompoSecure](https://www.compositionusa.com/) (which ships its
[Arculus](https://www.arculus.co/) FIDO2 product), [IDEMIA](https://www.idemia.com/),
NagraID, [Feitian](https://www.ftsafe.com/) and TrustSEC produce the FIDO2 cards
themselves. Chip suppliers, the three secure-element giants
[IDEMIA](https://www.idemia.com/), [Thales](https://www.thalesgroup.com/) and
[Infineon](https://www.infineon.com/), manufacture the secure elements inside most
cards. [IDEX Biometrics](https://www.idexbiometrics.com/) supplies the on-card
fingerprint sensor that turns a smart card into a
[biometric smart card](https://www.corbado.com/blog/best-fido2-smartcards).

Distribution into card issuers is already solved through the existing payment-card
supply chain. The challenge is convincing issuers to absorb the unit-cost premium and
ensuring the NFC tap works reliably across devices.

A FIDO2 smart card adds 2 to 5 USD on top of the 5 to 15 USD baseline cost of a metal
or biometric card body. According to
[Juniper Research 2024](https://www.juniperresearch.com/), biometric payment cards will
exceed 140 million units shipped globally by 2027.

### 3.3 What about Hybrid and adjacent Plays?

A few other products compete for the same use case without fitting cleanly into either
form factor. [Ledger](https://www.ledger.com/) has shipped over 7 million Nano wallets,
and [Trezor](https://trezor.io/) over 2 million. Both expose FIDO2 as a secondary
feature on top of crypto storage. Phone secure elements like
[Apple Secure Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/web)
and
[Android StrongBox](https://source.android.com/docs/security/features/keystore) host
hardware-bound credentials too, but the OS hides them behind a regular platform
passkey. Wearable authenticators like [Token Ring](https://www.tokenring.com/) and Mojo
Vision rings have stayed below 100,000 units shipped, per public statements.

In other words, the consumer race is really a three-way contest between security keys,
smart cards and OS secure elements. Crypto wallets are a fourth vertical, and wearables
are a sub-1 percent footnote.

## 4. What blocks Consumer Adoption?

Four structural headwinds block hardware-bound passkey adoption in consumer markets.

First, Apple and Google bury the hardware option in browser prompts on devices that
hold over 99 percent of mobile share per
[StatCounter](https://gs.statcounter.com/os-market-share/mobile/worldwide). Second,
Android NFC stacks behave differently across the roughly 24,000 device models tracked
by [OpenSignal](https://www.opensignal.com/). Issues opened in 2024 on the
[Android Issue Tracker](https://issuetracker.google.com/) document broken third-party
passkey provider flows on Samsung and Xiaomi builds. Third, recovery after losing the
device is much harder than for synced credentials. Fourth, direct-to-consumer hardware
costs 40 to 80 USD per unit per public manufacturer pricing pages.

None of these four problems can be fixed by a hardware vendor alone.

### 4.1 OS and Browser Hierarchy

Apple's
[AuthenticationServices](https://developer.apple.com/documentation/authenticationservices)
defaults to iCloud Keychain. Even when a relying party sets `authenticatorAttachment` to
`cross-platform`, the user still has to dismiss the platform sheet first. Google's
[Credential Manager](https://developer.android.com/identity/sign-in/credential-manager)
does the same on Android with Google Password Manager.
[Safari and Chrome together hold around 92 percent of mobile browser share](https://gs.statcounter.com/browser-market-share/mobile/worldwide)
per StatCounter, so two vendors effectively set the prompt UX for the entire consumer
web.

Browsers also under-invest in hardware-key UX because over 99 percent of consumers do
not own a dedicated security key, based on aggregated security key shipment data
compared with global mobile share on
[StatCounter](https://gs.statcounter.com/os-market-share/mobile/worldwide). That
creates a feedback loop. Poor UX leads to low adoption. Low adoption means no
investment. No investment leads to even worse UX.

### 4.2 NFC Fragmentation on Android

NFC behavior on Android varies a lot between manufacturers.
[Samsung](https://developer.samsung.com/), [Xiaomi](https://www.mi.com/global/),
[Oppo](https://www.oppo.com/) and
[Google Pixel](https://store.google.com/category/phones) all ship different NFC stacks
on top of [Android Open Source](https://source.android.com/). Some Android 14 builds
even broke third-party passkey provider support for several months in 2024, per the
[Android Issue Tracker](https://issuetracker.google.com/). A FIDO2 smart card that taps
fine on a Pixel 8 may fail on a Galaxy S23 Ultra and behave differently again on a
Xiaomi 14. And no central testing program from the
[Google Android Compatibility Program](https://source.android.com/docs/compatibility/overview)
catches these regressions before they reach consumers.

### 4.3 Recovery and Loss

Synced passkeys recover automatically when a user signs in on a new device. Hardware
credentials do not. A user who loses a security key or breaks a smart card has to fall
back to an email magic link, an SMS code or in-person verification. The
[Verizon 2024 Data Breach Investigations Report](https://www.verizon.com/business/resources/reports/dbir/)
finds that 68 percent of breaches involve a non-malicious human element, including
credential recovery abuse. [NIST SP 800-63B](https://pages.nist.gov/800-63-3/sp800-63b.html)
also warns explicitly that account recovery is a common path to authentication
compromise. So the hardware binding is only as strong as the recovery channel, which
means the relying party carries as much of the security burden as the silicon vendor.

### 4.4 Distribution and Cost

A consumer-grade security key retails at 40 to 80 USD per manufacturer pricing pages.
A consumer who does not think their account is at risk will simply not pay. Banks and
crypto exchanges that absorb the cost can give devices away for free, but then they own
the support burden. Smart cards bundled with a credit card add 2 to 5 USD on top of the
5 to 15 USD baseline cost per card, per public smart card vendor disclosures including
[CompoSecure investor materials](https://ir.compositionusa.com/).

These four headwinds together explain why hardware-bound activation in consumer
banking sits below 5 percent, per the
[FIDO Alliance Authentication Barometer 2024](https://fidoalliance.org/content/research/).
The same report shows that synced passkeys account for over 95 percent of consumer
enrollment in financial services, even when hardware is offered as an option.

## 5. Where do Hardware-Bound Passkeys actually win?

Three consumer categories give people a real reason to carry dedicated hardware:
banking and payments, crypto self-custody and high-value accounts. Each one combines
a strong driver, a credible distribution path and consequences serious enough to
justify the friction. The diagram below maps the three winning segments side by side.

The next three subsections walk through each segment in detail. Outside of them,
synced passkeys win on convenience every time.

### 5.1 Banking and Payments

Banks are the most natural distribution channel. They already ship physical cards to
customers. They also operate under [PSD2](https://www.corbado.com/blog/psd2-passkeys),
[PSD3](https://www.corbado.com/blog/psd3-psr-passkeys), the
[EBA Opinion on SCA](https://www.eba.europa.eu/regulation-and-policy/payment-services-and-electronic-money),
RBI 2FA, [NYDFS Part 500](https://www.dfs.ny.gov/industry_guidance/cybersecurity) and
APRA CPS 234. Many of those rules require a cryptographic possession factor that synced
passkeys do not clearly satisfy.

The "smart card as credit card" thesis works because the card already exists. A bank
issuing a metal card pays 5 to 15 USD per card, per the
[CompoSecure 10-K](https://ir.compositionusa.com/sec-filings). Adding FIDO2 brings that
to 7 to 20 USD, per
[Juniper Research](https://www.juniperresearch.com/) biometric-card cost analysis. That
single card then handles chip-and-PIN, NFC tap-to-pay, ATM withdrawals, online banking
login and high-value [3DS transaction confirmation](https://www.corbado.com/blog/3ds-webauthn).

Several smart card vendors and payment networks, including
[CompoSecure](https://www.compositionusa.com/), [IDEMIA](https://www.idemia.com/) and
[Visa's payment passkey program](https://corporate.visa.com/en/sites/visa-perspectives/innovation/visa-payment-passkey-service.html),
are running pilots along these lines. The consumer is never asked "do you want a
hardware authenticator?" The card simply arrives in the mail.

### 5.2 Crypto and Self-Custody

Crypto users already accept the idea of carrying hardware.
[Ledger](https://www.ledger.com/) has shipped over 7 million Nano devices and reported
over 4 billion USD in cumulative hardware revenue, per its
[corporate page](https://www.ledger.com/about). [Trezor](https://trezor.io/) has shipped
over 2 million units. Security keys also have a long-running position in
crypto-exchange MFA, with
[Coinbase](https://help.coinbase.com/en/coinbase/getting-started/general-faq/2-step-verification),
[Kraken](https://www.kraken.com/security) and
[Binance](https://www.binance.com/en/support/faq/360032470091) all supporting FIDO2
keys.

Adding FIDO2 to a hardware wallet is incremental engineering work. A 100 USD device
that protects a 50,000 USD portfolio is obviously worth carrying. Crypto remains the
only consumer category where users buy hardware on their own initiative.

### 5.3 High-Value Consumer Accounts

A smaller group of consumers protects accounts where takeover is irreversible. The
typical examples are primary email, government identity wallets, creator accounts on
[YouTube](https://www.youtube.com/) or [Twitch](https://www.twitch.tv/) and journalism
credentials. Google's
[Advanced Protection Program](https://landing.google.com/advancedprotection/) describes
this cohort as "high-risk users such as journalists, human-rights workers and political
campaign staff."

Cisco's
[2024 Cybersecurity Readiness Index](https://newsroom.cisco.com/c/r/newsroom/en/us/a/y2024/m03/cybersecurity-readiness-index-shows-only-3-percent-of-organizations-globally-have-the-mature-level-of-readiness-needed-to-be-resilient-against-modern-cybersecurity-risks.html)
also finds that only 3 percent of organizations have a mature security posture. The
[GAO 2024 cybersecurity report](https://www.gao.gov/cybersecurity) flags account
takeover as one of the top five federal cybersecurity risks, which expands the pool of
consumers who need this protection well beyond the original journalism niche.

## 6. Why Hardware alone will not win

Owning the best hardware does not guarantee consumer market share. There are five gaps
between a hardware vendor and an end-to-end consumer product: distribution, onboarding,
recovery, cross-device journeys and measurement. Each gap needs skills that sit
outside silicon design.

1. **Distribution**: hardware companies do not have a direct relationship with
   consumers. Banks, telcos, retailers and OS vendors do. A hardware vendor at consumer
   scale needs a partner, a white-label deal or an acquirer.
2. **Onboarding**: every step the consumer has to take to set up a passkey costs you
   users. Real-world banking deployments report drop-off rates of 30 to 60 percent
   across the enrollment funnel, in line with the
   [Baymard Institute checkout abandonment benchmarks](https://baymard.com/lists/cart-abandonment-rate).
3. **Recovery**: a consumer product without a recovery story is broken. Recovery needs
   account-level signals, identity verification and risk scoring, all of which live
   inside the relying party.
4. **Cross-device journeys**: one user signs in on a phone, a laptop, a smart TV and a
   car. The hardware-bound credential lives on only one device. So you need smart
   routing between hardware and synced credentials to avoid dead ends.
5. **Measurement**: hardware vendors usually ship and forget. They count units sold and
   licenses activated. They do not see the WebAuthn ceremony fail or the user abandon
   the tap. Without measurement, none of the other four gaps can be closed.

Vendors that solve these five gaps inside their own product become end-to-end
authentication platforms. Vendors that do not stay in the components business and sell
into someone else's platform.

## 7. What is the real Lever? Adoption Engineering

Adoption engineering means pairing hardware-bound passkeys with software that drives
enrollment, measures every ceremony, routes around broken paths and iterates with the
issuer. None of these four activities is about hardware. All four are required to win in
consumer markets, and they only work as a closed loop. The diagram below shows how the
four activities feed into each other.

The
[FIDO Alliance Authentication Barometer 2024](https://fidoalliance.org/content/research/)
reports that 53 percent of consumers have enabled passkeys on at least one account, but
hardware-bound activation in regulated journeys still sits below 5 percent. That is a
10x gap, and adoption engineering is what closes it. The
[W3C WebAuthn working group](https://www.w3.org/Webauthn/) treats this gap as a
deployment problem, not a specification problem.

### 7.1 Funnel-Level Telemetry

At the funnel level, [passkey observability](https://www.corbado.com/blog/hardware-passkey-adoption-observability)
measures every single step, from "user clicks sign in" to "session token issued."
Without that instrumentation, a team cannot tell the difference between "user did not
see the hardware option," "user saw it, tapped and the NFC failed" and "user completed
the ceremony but the relying party rejected the result."

Funnel telemetry gives you the metrics that actually matter: hardware-passkey
activation rate, hardware-passkey success rate by device, time to complete and
abandonment by step. The
[W3C WebAuthn Level 3 specification](https://www.w3.org/TR/webauthn-3/) defines a set of
distinct DOMException names a ceremony can fail with (`NotAllowedError`,
`InvalidStateError`, `SecurityError`, `NotSupportedError`, `AbortError`, `ConstraintError`
and others), but most production deployments instrument fewer than five of them, per
[FIDO Alliance Authenticate 2024 deployment talks](https://fidoalliance.org/content/event/2024-authenticate-conference/).
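
The funnel instrumentation described above, as an added example rather than code from
the page or from Corbado: it aggregates constructed JSON event lines into step counts,
drop-off per step, success rate per device and OS, and a normalized error breakdown. The
step names, the event schema and the partial CTAP2 status table are assumptions; the
CTAP side only applies where a native client logs the raw status byte, since a web
relying party sees nothing but the DOMException name.

```python
"""Funnel-level telemetry for hardware passkey ceremonies.
Added example for this article, not code from the page or from Corbado; the event
schema, step names and sample log lines below are constructed for illustration."""
import json
from collections import Counter, defaultdict

# Ordered funnel steps a session can reach. "ceremony_error" is recorded separately.
FUNNEL = ["signin_clicked", "hw_option_shown", "ceremony_started",
          "ceremony_completed", "server_verified", "session_issued"]

# A web relying party only sees a DOMException name from navigator.credentials.*;
# a native client using the platform FIDO API can log the raw CTAP2 status byte.
DOM_ERRORS = {"NotAllowedError": "user_cancel_or_timeout", "InvalidStateError": "credential_excluded",
              "SecurityError": "rp_id_mismatch", "NotSupportedError": "unsupported",
              "AbortError": "aborted", "ConstraintError": "constraint_unmet"}
CTAP2_STATUS = {0x05: "timeout", 0x19: "credential_excluded", 0x27: "operation_denied",
                0x2E: "no_credentials", 0x2F: "user_action_timeout",
                0x31: "pin_invalid", 0x32: "pin_blocked", 0x3C: "uv_blocked"}


def normalize_error(err):
    """Map either error vocabulary onto one reason string so both aggregate together."""
    if err is None:
        return None
    if err.lower().startswith("0x"):
        return "ctap:" + CTAP2_STATUS.get(int(err, 16), "unknown_" + err.lower())
    return "web:" + DOM_ERRORS.get(err, "other")


def analyze(lines):
    """Aggregate JSON event lines into per-step counts, step drop-off,
    per-device success and an error breakdown."""
    sessions = defaultdict(lambda: {"steps": set(), "device": None, "os": None, "error": None})
    for line in lines:
        ev = json.loads(line)
        s = sessions[ev["session"]]
        s["device"] = ev.get("device", s["device"])
        s["os"] = ev.get("os", s["os"])
        if ev["step"] == "ceremony_error":
            s["error"] = normalize_error(ev.get("error"))
        else:
            s["steps"].add(ev["step"])
    step_counts = {step: sum(step in s["steps"] for s in sessions.values()) for step in FUNNEL}
    # Drop-off at a step: sessions that reached it but never reached the next one.
    drop_off = {}
    for step, nxt in zip(FUNNEL, FUNNEL[1:]):
        drop_off[step] = sum(step in s["steps"] and nxt not in s["steps"] for s in sessions.values())
    # Success rate only over sessions that actually started a ceremony on that device.
    by_device = defaultdict(lambda: [0, 0])
    for s in sessions.values():
        if "ceremony_started" in s["steps"]:
            key = (s["device"], s["os"])
            by_device[key][1] += 1
            by_device[key][0] += int("session_issued" in s["steps"])
    errors = Counter(s["error"] for s in sessions.values() if s["error"])
    clicked = step_counts["signin_clicked"]
    return {
        "step_counts": step_counts,
        "drop_off": drop_off,
        "success_by_device": {k: tuple(v) for k, v in by_device.items()},
        "errors": dict(errors),
        "activation_rate": step_counts["session_issued"] / clicked if clicked else 0.0,
    }


def _ev(session, step, device, os, **extra):
    return json.dumps({"session": session, "step": step, "device": device, "os": os, **extra})


# Constructed sample: five sessions, two of which end in an issued session.
SAMPLE_LINES = [
    *[_ev("s1", st, "Google Pixel 8", "Android 14", transport="nfc") for st in FUNNEL],
    *[_ev("s2", st, "Samsung Galaxy S23 Ultra", "Android 14", transport="nfc") for st in FUNNEL[:3]],
    _ev("s2", "ceremony_error", "Samsung Galaxy S23 Ultra", "Android 14", error="0x2F"),
    _ev("s3", "signin_clicked", "Apple iPhone 15", "iOS 17"),  # never saw the hardware option
    *[_ev("s4", st, "Samsung Galaxy S23 Ultra", "Android 14", transport="nfc") for st in FUNNEL[:3]],
    _ev("s4", "ceremony_error", "Samsung Galaxy S23 Ultra", "Android 14", error="NotAllowedError"),
    *[_ev("s5", st, "Xiaomi 14", "Android 13", transport="nfc") for st in FUNNEL],
]

if __name__ == "__main__":
    print(analyze(SAMPLE_LINES))
```

Computing drop-off per adjacent pair is what separates the three cases the text names:
session `s3` drops at `signin_clicked` (never saw the option), `s2` and `s4` drop at
`ceremony_started` with an error attached (saw it, tapped, failed), and a session that
completes the ceremony but is rejected server-side would drop at `ceremony_completed`.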

### 7.2 Session-Level Diagnostics

When a single authentication fails, support teams need to see exactly what happened.
Session-level diagnostics capture the transport (NFC, USB or BLE), the error returned,
the browser, the OS version, the device manufacturer and the timing of each step in the
ceremony. The
[FIDO CTAP 2.1 specification](https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-20210615.html)
defines over 20 status codes that authenticators can return, from `CTAP2_ERR_PIN_BLOCKED`
to `CTAP2_ERR_NO_CREDENTIALS`, and each points to a different user recovery action.
Browsers collapse most of them into a handful of DOMException names defined by the
[W3C WebAuthn Level 3 spec](https://www.w3.org/TR/webauthn-3/), usually
`NotAllowedError`, so a web relying party only sees the raw CTAP code if its native app
or client logs it.

Without this telemetry, the support agent sees only "login failed" and sends a
password-reset link, which defeats the whole point of deploying hardware. Real-world
banking [deployments](https://www.corbado.com/blog/passkey-deployment-mistakes-banks) show resolution time
drops from weeks to minutes once session diagnostics are in place.

### 7.3 Device-Intelligent Routing

Some device and OS combinations consistently break. Real-world data from large banking
deployments shows abort rates of 40 to 90 percent on individual broken pairs, with the
common patterns documented in the
[Android Issue Tracker](https://issuetracker.google.com/) and the
[FIDO Alliance Authenticate 2024 talks](https://fidoalliance.org/content/event/2024-authenticate-conference/).

Routing logic that hides the hardware option on known-broken combinations and falls
back to the next-best path keeps users out of the failure case. But you can only make
those routing decisions after observability data has identified the broken pairs
across the roughly 24,000 distinct Android device models tracked by the
[OpenSignal device database](https://www.opensignal.com/).
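
One way to implement the routing decision, as an added example rather than anything from
the page or from a vendor: it keeps the hardware option on by default, hides it only for
(manufacturer, OS, transport) combinations that have enough samples and a low lower
confidence bound on success, falls back to manufacturer-level data for OS builds it has not
seen, and emits the WebAuthn Level 3 `hints` value (`security-key` or `client-device`) for
the chosen path. The statistics, the thresholds and the 50-sample minimum are constructed.

```python
"""Device-intelligent routing for the hardware passkey option.
Added example for this article, not code from the page or from any vendor it names;
the per-device statistics, the thresholds and the WebAuthn `hints` values emitted for
each decision are assumptions for illustration."""
from math import sqrt


def wilson_lower_bound(successes, attempts, z=1.96):
    """Lower 95 percent confidence bound on a success rate. Using the bound instead of the raw
    rate stops a handful of failures on a rare device from hiding the option for everyone."""
    if attempts == 0:
        return 0.0
    p = successes / attempts
    z2 = z * z
    denom = 1 + z2 / attempts
    centre = p + z2 / (2 * attempts)
    margin = z * sqrt(p * (1 - p) / attempts + z2 / (4 * attempts * attempts))
    return max(0.0, (centre - margin) / denom)


def lookup(stats, manufacturer, os_version, transport):
    """Most specific record first; an unseen OS build falls back to the manufacturer record."""
    for key in ((manufacturer, os_version, transport), (manufacturer, None, transport)):
        if key in stats:
            return key, stats[key]
    return None, None


def route(stats, manufacturer, os_version, transport, *, min_samples=50, min_success_lb=0.5):
    """Decide whether to lead with the hardware authenticator or go straight to the synced path.
    Returns (decision, reason, hints) where hints is the WebAuthn Level 3 `hints` list to send."""
    key, rec = lookup(stats, manufacturer, os_version, transport)
    if rec is None or rec["attempts"] < min_samples:
        # Thin evidence: never hide the option on a guess; keep the default and keep collecting.
        return "hardware", "insufficient data for %r, keeping default" % (key,), ["security-key"]
    lb = wilson_lower_bound(rec["successes"], rec["attempts"])
    if lb < min_success_lb:
        return "synced", "%r success lower bound %.2f below %.2f" % (key, lb, min_success_lb), ["client-device"]
    return "hardware", "%r success lower bound %.2f" % (key, lb), ["security-key"]


# Constructed observability data: successes and attempts per (manufacturer, OS, transport).
STATS = {
    ("Samsung", "Android 14", "nfc"): {"attempts": 400, "successes": 60},   # known-broken pair
    ("Google", "Android 14", "nfc"): {"attempts": 300, "successes": 285},
    ("Xiaomi", "Android 13", "nfc"): {"attempts": 12, "successes": 2},      # too few samples to act on
    ("Samsung", None, "usb"): {"attempts": 120, "successes": 110},          # manufacturer-level fallback
}

if __name__ == "__main__":
    for dev in (("Samsung", "Android 14", "nfc"), ("Google", "Android 14", "nfc"),
                ("Xiaomi", "Android 13", "nfc"), ("Samsung", "Android 15", "usb"),
                ("Oppo", "Android 14", "nfc")):
        print(dev, route(STATS, *dev))
```

The minimum-sample rule is the part that matters operationally: two failures out of twelve
attempts on the Xiaomi pair look like an 83 percent abort rate, but the routing keeps the
hardware option visible until there is enough data to act on, while the Samsung pair with
400 attempts is routed to the synced path with the reason recorded for the release notes.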

### 7.4 Continuous Iteration with Issuers

Banks and fintechs typically run pilots and full deployments on 6 to 12 month cycles,
per
[Gartner research on identity programs](https://www.gartner.com/en/information-technology/insights/identity-and-access-management).
The platform that wins turns observability data into weekly release notes, bug fixes
and steadily improving success rates. Static deployment with quarterly reviews loses
to continuous iteration. A hardware vendor that runs all four activities end-to-end
becomes a platform. A hardware vendor that does not stays a component supplier.

> "We see 60 to 80 percent uplift in passkey activation when teams instrument the
> funnel and act on the data within the same release cycle." Vincent Delitz,
> Co-Founder, [Corbado](/).

## 8. So who actually wins the Consumer Race?

No pure-play hardware vendor wins the consumer race. Three archetypes compete for the
role of consumer authentication platform: banks and issuers, hardware vendors that
build software layers and OS platforms. Banks lead today because they own physical
distribution and have regulatory cover from
[PSD2](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32015L2366) and
[NYDFS Part 500](https://www.dfs.ny.gov/industry_guidance/cybersecurity). The OS
platforms could redefine the category at any time, since
[Apple](https://www.apple.com/) and [Google](https://www.google.com/) already ship
hardware-bound credentials in the Secure Enclave and StrongBox on every device sold in
the past five years.

### 8.1 Why Banks lead today

Banks lead the consumer hardware-bound passkey market today. Four advantages stack in
their favor. They already issue physical cards. They have regulatory cover from
[PSD2](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32015L2366), PSD3,
[NYDFS Part 500](https://www.dfs.ny.gov/industry_guidance/cybersecurity), RBI and
[APRA CPS 234](https://www.apra.gov.au/information-security). They own consumer trust.
And they can absorb the 2 to 5 USD unit-cost premium across their portfolio, per
public smart card vendor disclosures.

Banks that pair these four advantages with adoption engineering lock in multi-year
retention from passkey-enabled customers. Banks that buy a hardware product and assume
the work ends there end up with the same single-digit activation rates the industry has
been reporting for the last two years.

### 8.2 What about Hardware Vendors that build Software?

The second archetype is the hardware vendor that also builds a real software layer.
Several security key and smart card manufacturers have started this transition with
concrete products on the market today.

- [Yubico](https://www.yubico.com/) has built the most complete platform of any
  security key vendor. Its
  [YubiKey as a Service](https://www.yubico.com/products/yubienterprise-subscription/)
  subscription combines per-user licensing (Base tier from 15 USD per user per year),
  a Customer Portal for fleet management, FIDO Pre-reg, an Enroll app and SDK and
  global delivery. The service is integrated with Okta, Microsoft Entra ID, Ping
  Identity and Versasec.
- [Thales](https://cpl.thalesgroup.com/access-management) pairs its SafeNet eToken and
  smart card hardware with
  [SafeNet Trusted Access](https://cpl.thalesgroup.com/access-management/safenet-trusted-access),
  a cloud Identity-as-a-Service platform with adaptive authentication and SSO.
- [OneSpan](https://www.onespan.com/) bundles its DIGIPASS hardware with the
  [OneSpan Cloud Authentication](https://www.onespan.com/products/cloud-authentication)
  platform and Intelligent Adaptive Authentication, focused on banking and fintech.
- [HID Global](https://www.hidglobal.com/) ships its Crescendo smart cards alongside
  the [HID Authentication Service](https://www.hidglobal.com/services/hid-authentication-service)
  and the HID Approve mobile authenticator.
- [CompoSecure](https://www.compositionusa.com/) extends its
  [Arculus](https://www.arculus.co/) FIDO2 smart card with a companion wallet app and
  a developer SDK for issuers.

So far, most of these vendors still earn the majority of their revenue from hardware.
Vendors that complete the journey from selling devices to running an authentication
platform get to play in both layers. Vendors that do not stay locked inside enterprise.

### 8.3 What about OS Platforms?

[Apple](https://www.apple.com/), [Google](https://www.google.com/) and
[Microsoft](https://www.microsoft.com/) already ship hardware-bound credentials inside
every device they sell. The
[Apple Secure Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/web),
[Android StrongBox](https://source.android.com/docs/security/features/keystore) and the
[Pluton chip](https://learn.microsoft.com/en-us/windows/security/hardware-security/pluton/microsoft-pluton-security-processor)
in Windows 11 are all hardware-bound, even though users never see them as separate
hardware.

These three OS platforms could redefine the category by exposing platform-bound,
non-syncing passkeys with the same polished UX as synced passkeys. If they do,
dedicated security keys and smart cards shrink to a niche of compliance-driven
enterprise and self-custody crypto, around 5 to 10 percent of the total identity
market by analyst estimates.

### 8.4 What does the real Race look like?

The real race is not "security key versus smart card." The real question is who builds the
consumer authentication platform that combines hardware where it matters with
software, data and adoption engineering everywhere else. Based on the
[FIDO Alliance Authenticate 2024 keynote](https://fidoalliance.org/content/event/2024-authenticate-conference/),
the likely winners over the next three to five years are:

- Three to five large banks and payment networks that turn FIDO2 smart cards into the
  default consumer experience.
- One or two hardware vendors that successfully transition into authentication
  platforms.
- The three OS platforms, if they invest in non-synced platform credentials with the
  same UX polish as synced ones.

Pure hardware companies that stay pure are unlikely to win the consumer race. They
end up as silicon suppliers inside someone else's platform. That is a healthy business
and a real moat in enterprise, but it is not consumer dominance.

## 9. What should Banks, Issuers and Product Teams do next?

Three actions matter for any product team evaluating hardware-bound passkeys in the
next 12 months, based on the
[FIDO Alliance deployment playbook](https://fidoalliance.org/content/research/) and
[Gartner identity guidance](https://www.gartner.com/en/information-technology/insights/identity-and-access-management).
Pick the use case where hardware actually wins. Pair every hardware deployment with
adoption engineering. And build the data feedback loop from day one.

1. **Pick the right use case**: high-value
   [transaction confirmation](https://www.corbado.com/blog/3ds-webauthn), step-up authentication on regulated
   journeys and account recovery for high-risk segments. Do not push hardware into
   general consumer login.
2. **Pair hardware with adoption engineering**: instrumentation, native app
   [error handling](https://www.corbado.com/blog/native-app-passkey-errors), device-intelligent routing and
   explicit measurement against a synced passkey baseline.
3. **Build the data loop early**: ship funnel telemetry with the first pilot, not
   after rollout. Teams that see which Android manufacturer, which iOS version and
   which browser combination kills tap success can iterate in weeks. Teams that do not
   are reduced to anecdotes and have to wait for support tickets.
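As an added example (not Corbado's code, nor any vendor's), here is the core of the device-intelligent routing described in section 7.3 and in steps 2 and 3 above: roll funnel telemetry up into per-pair abort rates and hide the hardware option only where the data justifies it. The event shape, the thresholds and the minimum sample size are assumptions, and the telemetry is constructed.

```javascript
// Added example, not Corbado's or any vendor's code. Thresholds, event shape
// and sample data are assumptions chosen for illustration.
const MIN_SAMPLES = 50;      // never judge a device/OS pair on a handful of taps
const ABORT_THRESHOLD = 0.4; // >= 40 percent aborts marks the pair as known-broken

// A "pair" is the tuple the observability data is keyed on.
function pairKey({ os, osVersion, browser, deviceModel }) {
  return [os, osVersion, browser, deviceModel].join("|");
}

// Roll raw ceremony events ({...pair, outcome: "success" | "abort"}) up into
// per-pair attempt counts and abort rates.
function aggregateAbortRates(events) {
  const stats = new Map();
  for (const e of events) {
    const s = stats.get(pairKey(e)) ?? { attempts: 0, aborts: 0 };
    s.attempts += 1;
    if (e.outcome === "abort") s.aborts += 1;
    stats.set(pairKey(e), s);
  }
  for (const s of stats.values()) s.abortRate = s.aborts / s.attempts;
  return stats;
}

// Decide for one incoming request whether to offer the hardware tap or fall
// back to the next-best path (here assumed to be the synced platform passkey).
function routeCeremony(context, stats) {
  const s = stats.get(pairKey(context));
  if (!s || s.attempts < MIN_SAMPLES) {
    return { showHardwareOption: true, fallback: null, reason: "insufficient data" };
  }
  if (s.abortRate >= ABORT_THRESHOLD) {
    const reason = `abort rate ${s.abortRate.toFixed(2)} over ${s.attempts} attempts`;
    return { showHardwareOption: false, fallback: "synced-passkey", reason };
  }
  return { showHardwareOption: true, fallback: null, reason: "healthy pair" };
}

// Constructed sample telemetry (not real data): three device/OS pairs.
function sampleEvents(pair, attempts, aborts) {
  return Array.from({ length: attempts }, (_, i) => ({ ...pair, outcome: i < aborts ? "abort" : "success" }));
}
const BROKEN = { os: "Android", osVersion: "14", browser: "Chrome", deviceModel: "model-A" };
const HEALTHY = { os: "iOS", osVersion: "17", browser: "Safari", deviceModel: "iPhone" };
const UNKNOWN = { os: "Android", osVersion: "13", browser: "Firefox", deviceModel: "model-B" };
const SAMPLE_STATS = aggregateAbortRates([
  ...sampleEvents(BROKEN, 100, 70),  // known-broken pair: hide the hardware tap
  ...sampleEvents(HEALTHY, 100, 5),  // healthy pair: offer the hardware tap
  ...sampleEvents(UNKNOWN, 10, 9),   // too few samples to judge yet
]);
```

The minimum-sample guard matters in practice: a new pair with nine aborts out of ten attempts stays on the hardware path until enough ceremonies have been observed, so routing never reacts to noise.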

For hardware vendors the message is even sharper. Decide whether the company stays a
component supplier or builds a platform. Both are viable. Trying to do both without
fully committing leaves the platform investment underfunded and the silicon roadmap
distracted.

## 10. Conclusion

Hardware-bound passkeys are still the only consumer credential type that reaches
[NIST AAL3](https://pages.nist.gov/800-63-3/sp800-63b.html), survives a cloud-account
compromise and clearly satisfies the strictest reading of
[PSD2](https://www.corbado.com/blog/psd2-passkeys), [PSD3](https://www.corbado.com/blog/psd3-psr-passkeys) and similar regulations.
The technology is sound. The silicon is strong. The standards are mature.

What the technology cannot do on its own is win consumer adoption. Apple and Google
control the OS and browser layer. Banks and issuers control consumer distribution.
Hardware vendors control silicon. The consumer race is won by the player that combines
all three through a software platform that drives adoption, measures every ceremony
and routes around the gaps.

The winning recipe is hardware plus
[passkey observability](https://www.corbado.com/blog/hardware-passkey-adoption-observability) plus continuous
adoption engineering. The vendor or issuer that ships all three writes the consumer
playbook for the next decade. Everyone else just sells components into someone else's
platform.

## Frequently Asked Questions

### What is the difference between hardware-bound passkeys and synced passkeys for consumers?

Hardware-bound passkeys keep the private key inside a physical secure element such as
a security key, a FIDO2 smart card or a built-in TPM chip. The key never leaves that
hardware. Synced passkeys live in
iCloud Keychain, Google Password Manager or a third-party manager, and they copy
across your devices through the cloud. Hardware-bound passkeys reach
[NIST AAL3](https://pages.nist.gov/800-63-3/sp800-63b.html) because the private key
cannot be exported. Synced passkeys cap at AAL2 because the cloud sync path makes the
key recoverable. That one-step gap in assurance matters a lot to regulators in
banking, government and healthcare.

### Why have hardware security keys not gone mainstream with consumers despite passkey adoption?

Apple and Google control the OS and browsers used by over 99 percent of consumers, per
[StatCounter](https://gs.statcounter.com/os-market-share/mobile/worldwide). Both
prioritize their own synced credential managers in WebAuthn prompts. Hardware
authenticators sit one to three clicks deeper in every default flow, per
[Apple AuthenticationServices](https://developer.apple.com/documentation/authenticationservices)
and the
[Android Credential Manager docs](https://developer.android.com/identity/sign-in/credential-manager).
NFC behavior on Android is fragmented across phone manufacturers, and Conditional UI
defaults to synced credentials. On top of that, most consumers will not pay 40 to 80
USD for a separate authenticator unless a service forces them to.

### Which use cases justify a hardware-bound passkey for consumers?

Three categories give consumers enough motivation. The first is banking and payments,
where [PSD2](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32015L2366),
PSD3, RBI in India and
[APRA CPS 234](https://www.apra.gov.au/information-security) in Australia all require
strong customer authentication. The second is crypto and self-custody, where losing a
key means losing the funds, and where [Ledger](https://www.ledger.com/) and
[Trezor](https://trezor.io/) have already shipped over 9 million devices. The third is
high-value accounts, including primary email, government identity wallets and creator
accounts, where takeover is irreversible. Google's
[Advanced Protection Program](https://landing.google.com/advancedprotection/) is
aimed at exactly this cohort. Outside these three categories, synced passkeys usually
win.

### How do FIDO2 smart cards fit into the consumer hardware passkey race?

Smart card manufacturers like [CompoSecure](https://www.compositionusa.com/) (which
ships over 100 million metal payment cards a year per its
[10-K filing](https://ir.compositionusa.com/sec-filings) and offers
[Arculus](https://www.arculus.co/) as its FIDO2 product) and
[IDEMIA](https://www.idemia.com/) build NFC smart cards with secure elements that can
host FIDO2 credentials. Consumers already carry a credit card, so adding a
hardware-bound passkey to that card removes the need for a separate device. Banks,
neobanks and crypto custodians can then fold authentication, payment and step-up into
one form factor. The hard parts are making the NFC tap reliable across iOS and Android
browsers and convincing issuers to absorb the 2 to 5 USD cost premium per card.

### What does it take to actually win the consumer hardware-bound passkey market?

Good hardware is necessary, but it is not enough. The winner pairs a credible hardware
form factor with an adoption platform that measures every step of enrollment and
authentication, routes around broken device and OS combinations and proves to issuers
that fraud and support costs are dropping. Without funnel-level passkey observability,
vendors and banks cannot tell that 60 percent of users abandon the NFC tap, a pattern
documented in
[FIDO Alliance Authenticate 2024 deployment talks](https://fidoalliance.org/content/event/2024-authenticate-conference/),
or that Conditional UI silently swallowed the prompt, per the
[W3C WebAuthn Level 3 spec](https://www.w3.org/TR/webauthn-3/). The race will be
decided by data and software, not by which key has the strongest titanium shell.
