Enterprise Passkey Adoption Survey

Passkey Experience, Trust & Ecosystem

Large-scale passkey adoption depends on the parts of the journey users feel directly: cross-device authentication, recovery, native app behavior, browser capabilities, compliance expectations and ecosystem gaps that remain hard to control.

Questions covered

14 Cross-Device Authentication UX 15 Passkey Account Recovery 16 Passkey Technical Capabilities 17 Native App vs Web Passkeys 18 Regulatory & Compliance Story 19 Ecosystem Challenges

UX, fallbacks & friction

Cross-Device Authentication UX

Main response theme: CDA offered

Survey question

Are you supporting CDA flow?

Why this matters

Cross-device authentication sits at the awkward edge of the passkey journey: teams want it visible enough to drive adoption, but not so intrusive that it feels like an extra step. This question matters because it shows how confidently teams promote passkeys while keeping a conventional fallback available when the cross-device path does not engage.

Response Pattern

CDA offered 100%

Completion tracked 77%

How To Read This

Read the distribution as a maturity curve rather than a binary decision. Where teams have this working, they usually know whether the prompt is surfaced and roughly instrumented, but the exact trigger state and completion rate often remain areas to tune.

Only answers that survey participants actually gave are shown. “I don’t know” and unsupported responses are excluded. Most questions are multi-select, so percentages describe theme prevalence and do not need to add up to 100%.

UX, fallbacks & friction

Passkey Account Recovery

Main response theme: Password fallback

Survey question

What is your account recovery story for users who lose all their passkeys, and how does that interact with phishing-resistance goals?

Why this matters

Recovery is where passkey rollouts usually stop being theoretical. The recurring pattern combines conventional fallback credentials, support-assisted recovery and a smaller set of backup-passkey approaches that try to preserve phishing resistance.

Response Pattern

Password fallback 69%

MFA fallback 47%

Helpdesk recovery 35%

Backup passkeys 33%

How To Read This

Read the distribution as a sign of how much of the old authentication stack still carries the burden when users lose access. Password and MFA-style fallbacks usually indicate a pragmatic bridge, while backup-passkey or support-led recovery points to a more deliberate attempt to keep the model phishing-resistant.

Technical & ecosystem

Passkey Technical Capabilities

Main response theme: Conditional UI

Survey question

Are you using conditional UI, conditional create and hybrid transport? Which moved the needle and which caused problems?

Why this matters

This question captures which newer WebAuthn capabilities are doing real work in production, not just appearing in roadmap language. Conditional UI and conditional create tend to signal practical web gains, while hybrid transport shows how far teams are pushing cross-device support.

Response Pattern

Conditional UI 76%

Conditional create 56%

Hybrid transport 21%

How To Read This

A concentration on Conditional UI should be read as evidence of immediate user-experience gains where login needs fewer clicks and less friction. A broader spread that includes hybrid transport usually means teams are still working through platform edge cases rather than settling on a single mature pattern.

Technical & ecosystem

Native App vs Web Passkeys

Main response theme: Native + web (omnichannel)

Survey question

How are you handling native app authentication vs. web?

Why this matters

This question shows whether passkey strategy stops at the browser or extends into the app surface. The distinction matters because web-first and omnichannel (native + web) programs differ in ownership, rollout sequencing and user experience.

Response Pattern

Native + web (omnichannel) 65%

Web-first 44%

No native scope 6%

How To Read This

Read web-first results as a staged rollout in which the browser becomes the first reliable home for passkeys. Omnichannel results (passkeys covering both native apps and web) suggest a shared identity layer across surfaces, while "no native scope" usually means native is explicitly out of the program today.

Compliance, security & emerging topics

Regulatory & Compliance Story

Main response theme: Phishing resistance

Survey question

How do passkeys fit into your regulatory story?

Why this matters

This question asks whether passkeys are being justified as a security improvement, a compliance control or both. The strongest signals usually cluster around phishing resistance, strong customer authentication, assurance requirements and internal security policy.

Response Pattern

Phishing resistance 91%

Internal audit / security policy 70%

SCA / PSD2 23%

NIST / assurance 13%

How To Read This

A phishing-resistance-heavy distribution means passkeys are being framed mainly as stronger authentication with compliance benefits attached. More explicit regulatory or audit language points to a formal governance story, while quieter responses usually mean the regulatory angle was not central to the conversation.

Compliance, security & emerging topics

Ecosystem Challenges

Main response theme: Platform consistency

Survey question

What is the single biggest unsolved problem you would like FIDO or the wider ecosystem to address in the next 12 months?

Why this matters

This question surfaces the ecosystem gap teams still want solved after the core passkey flow is in place. The recurring themes are platform consistency, enterprise controls, smoother cross-device user experience and better user education.

Response Pattern

Platform consistency 97%

Enterprise controls 28%

CDA UX 10%

User education 5%

How To Read This

Read platform-consistency responses as a sign that the hardest problem is uneven behavior across browsers, operating systems and device handoffs. When enterprise controls, cross-device experience or education come through instead, the bottleneck is less about protocol support and more about rollout confidence and day-to-day usability.