Review

Challenges and Potential Improvements for Passkey Adoption—A Literature Review with a User-Centric Perspective

Section of Cybersecurity Engineering, Department of Applied Mathematics and Computer Science, Technical University of Denmark (DTU), 2800 Kongens Lyngby, Denmark
* Author to whom correspondence should be addressed.
Appl. Sci. 2025, 15(8), 4414; https://doi.org/10.3390/app15084414
Submission received: 20 March 2025 / Revised: 12 April 2025 / Accepted: 14 April 2025 / Published: 17 April 2025

Abstract

This paper provides a comprehensive review of the recent literature on passkeys, a more secure and phishing-resistant authentication method compared to traditional passwords. Despite their clear advantages, passkeys have not yet replaced the de facto standard of password authentication. This literature survey aims to outline a holistic picture of the related research, focusing on technical aspects as well as user-centric perspectives on usability and perception. The main challenges hindering passkey adoption are misaligned user perception and technical issues regarding account recovery, sharing, and delegation. Research suggests that improved user education and awareness could address these challenges. Existing studies have also analyzed and contributed to enhancing the usability of passkeys. However, the current literature highlights a clear gap for more academic research focusing on effective strategies to improve the user perception of passkeys, as the existing work primarily concentrates on technical and usability aspects. Addressing this research gap may lead to increased passkey adoption among end users, ultimately improving the overall security of authentication systems.

1. Introduction

In today’s highly connected online world, the secure authentication of users is a crucial element in protecting user data and confidential processes from unauthorized access [1]. Passwords have long been the standard authentication method in this area [2]. Numerous practical examples and academic studies, however, show that passwords suffer from many problems: they are re-used across services, exposed in data breaches, often of low complexity, and consequently easy to guess [3,4,5].
Passkeys, a more recent standard, try to address many of these problems by offering higher security during the authentication process and less room for human error, as well as by making the authentication process less interactive and, as a result, more user-friendly [6]. Despite their benefits, passkeys have still not replaced passwords as the standard, and their adoption among users has been somewhat slow [7].
Existing literature reviews like Ref. [8] or [9] have primarily focused on the technical and usability aspects of passkeys, with a high focus on analyzing existing implementations or proposing new protocols or implementations that try to address existing challenges. However, little research has focused solely on a user-centric perspective on the challenges and potential improvements for passkey adoption. Based on our review, we only found Refs. [10,11], which partly take a user-centric perspective regarding passkeys but only focus on individual problems and do not perform a literature review. While the technical and provider-side perspectives are crucial for passkeys to work and be secure, the end-user perspective is equally important, as the end user is the person who will decide whether passkeys become the new standard in online authentication by either adopting them or by continuing to use other forms of authentication [10]. Therefore, our literature review tries to close this gap by focusing on existing academic research with a user-centric perspective on the challenges and potential improvements to passkey adoption. This also allows us to highlight which areas are already well-researched and which need more user-centric improvement to achieve greater passkey adoption.

1.1. Scope and Research Questions

The scope of this literature review is all academic literature related to passkeys and end users, where end users can be users in a private or enterprise context. To highlight the challenges and potential improvements for passkey adoption from a user-centric perspective, we focus on the challenges and improvements that existing academic research identifies for such end users. This includes outlining the underlying technical and protocol-level issues covered in the existing literature, since these topics are important for understanding user-centric challenges and improvements. Out of scope, because it is not relevant in this context, is everything related to the implementation of passkeys on the provider or manufacturer side, unless it also touches upon user-centric aspects.
To guide our work, we further specify the following three research questions, which we aim to answer with this literature review:
RQ1
What are the main challenges that hinder passkey adoption for end users?
RQ2
What are the main potential improvements to enhance passkey adoption among end users?
RQ3
Is it possible to derive a relative number regarding the adoption of passkeys among end users for online authentication, and if so, what is the adoption rate?

1.2. Key Contribution

This work’s key contribution is the systematic survey of the existing literature on passkeys. The focus is on the existing challenges and potential improvements, and the perspective is user-centric. This approach achieves a novel, critical perspective on the existing literature, highlighting key issues and beneficial developments for end users.
From this comprehensive review, the reader can extract the relevant and important aspects that require further attention or development to achieve higher passkey adoption. This serves as a valuable resource for researchers and practitioners, providing a structured and user-centric overview of the current state of passkey research and development.
Overall, this work’s key contribution lies in its ability to synthesize the current state of passkey research and development while emphasizing the user-centric considerations essential for driving broader adoption. This novel perspective is a valuable addition to the existing literature, especially since we are unaware of any existing literature that achieves this. Therefore, our work can potentially inform and guide future research and development efforts in the passkey domain.

1.3. Outline

To begin, we will outline and compare the existing surveys and illustrate where this survey benefits the academic society in Section 2. Then, we will outline the relevant technical background necessary for understanding passkeys and the underlying technology in Section 3. Following this, we will detail the methodology used for this literature review in Section 4, and we will provide a general overview of the identified literature in Section 5. Next, we will present a detailed and distilled analysis of the relevant literature, drawing insights from the general overview, in Section 6. This will be followed by an attempt to analyze the current relative adoption of passkeys among users, as well as a discussion of the key insights and lessons learned, in Section 7, and ending with a concluding Section 9.

2. Comparison with Existing Surveys

Much work in the area of passkeys focuses solely on specific technical challenges or potential solutions. While these provide great specific solutions, they do not address the larger picture or give an overview of the current challenges and potential improvements for passkey adoption.
Table 1 shows the related work closest to ours. We compare the related work to our contribution by focusing on the following five properties:
  • Literature survey: Is the respective work performing a literature survey?
  • Passkey focus: Is the respective work focusing specifically on passkeys? Not covering this aspect means that it covers passkeys but not as the primary content.
  • Technical focus: Does it have a focus on the technical aspects of passkeys?
  • Protocol focus: Does it have a focus on the protocol aspects of passkeys?
  • Usability focus: Does it have a focus on usability aspects of passkeys?
Table 1 clearly highlights the gap that our literature survey fills by covering the challenges and potential improvements of passkeys from multiple angles, including a user-centric perspective alongside the technical and protocol focus.
The existing literature closest to our work is Refs. [8,13,14]. We note, however, that none of them focus on the usability aspects of passkeys. Ref. [13] conducts a literature review of present authentication systems, with one part specifically focusing on passkeys from a technical perspective. They conclude their literature review with suggestions for an optimal authentication system. They do not, however, go into detail regarding the protocol and usability aspects of passkeys. Ref. [14] focuses solely on a review of passwordless authentication schemes, outlining the recent literature on this topic, including protocol aspects and the history of passkeys. They do conclude that there is a conflict between security and usability for passwordless authentication schemes but do not go into detail regarding this. Further, due to their focus on historical development, they also do not cover the technical aspects of passkeys. Ref. [8] conducts a literature review of the FIDO protocols alone and therefore focuses on passkeys from a technical and protocol perspective, highlighting that, of all FIDO protocols, FIDO2 is the most widely adopted. It does, however, also fail to cover any of the usability aspects of passkeys in detail. The other related work focuses solely on the technical aspects of passkeys, analyzing or proposing passwordless authentication protocols without conducting a detailed literature review or focusing specifically on passkeys.

3. Background

This section introduces the overall concept of authentication, including the three principal factors, and describes the conventional authentication methods and their relation to these factors. It also briefly accounts for the different technologies encompassed in the FIDO specifications. Next, the terminology for user experience is defined in the current context of passkeys. Finally, the current challenges with conventional authentication methods are introduced.

3.1. Authentication

Authentication is the process of verifying the identity of one entity by another, where an entity can be a user (human), a system, or any other entity [19]. Most IT deployments involve user–server scenarios, where the user needs to authenticate themselves to the server both to tailor experiences and to allow for additional security schemes such as authorization.
Authentication has the sole purpose of identifying a subject, whereas authorization focuses on granting permissions to resources based on the authenticated subject’s rights, defined through, e.g., roles or access-control lists. Often, authentication and authorization are both referred to under the unifying term ‘Auth’, but it is essential to distinguish between the two.
Traditionally, digital authentication was based solely on username–password combinations, and in more advanced IT systems, digital certificates have also been utilized for digital authentication, often in corporate or governmental deployments. Today, the IT landscape is a bit different, with the use of multiple authentication options and even the combination of several authentication methods used to increase the security of the authentication process and therefore protect the underlying assets. Different authentication methods are often referred to as factors. Combining multiple authentication factors is known as multi-factor authentication. There are three principal factors of authentication as follows [20]:
  • Something you know (e.g., password).
  • Something you have (e.g., a phone or security key).
  • Something you are (e.g., face, fingerprint, iris, etc.).
In today’s world, the consensus is that single-factor authentication is not secure enough in most cases, and most IT systems, therefore, allow, encourage, or require at least two factors for authentication. This is also to comply with laws, especially in high-risk sectors such as the financial sector, where regulations require the usage of multi-factor authentication [21].

3.2. Conventional Authentication Methods

Conventional authentication methods, such as password-based authentication, are the most widely used. However, as mentioned, there are three main types of authenticators, which we will describe in the following.
The category of authenticators “something you know” is based on some secret that the user needs to remember. This can be implemented in many variants, but it most commonly uses passwords/passphrases (e.g., a Facebook account) or numeric PINs (e.g., for using a credit card). Other forms include specific swiping patterns, pairs of a question and a corresponding secret answer, etc. This authentication category is generally vulnerable to man-in-the-middle attacks, observation attacks, brute force, etc. Furthermore, since the user often chooses the secret, it frequently suffers from low entropy and easily identifiable patterns, such as short passwords with simple-to-remember sequences, which are consequently easy to guess [13,19].
The category “something you have” is a physical authenticator that the user possesses. The most common form of such physical authenticators are security keys, where the implementation is based on time-based One Time Passwords (TOTPs), sometimes also called One Time Passwords (OTPs) [13,19]. Other forms of physical authenticators are based on hardware keys leveraging certificates or public–private key pairs, RFID cards, smart cards, etc. All of these physical authenticators are especially vulnerable to theft or accidental loss [18,22].
“Something you are” relies on biometric authentication, which could be the fingerprint authentication of a laptop, the facial recognition of a phone, or even an iris scan [19]. Unlike the other two authentication forms, this form requires neither knowledge of a secret nor physical possession of an authenticator, and while biometric authentication is convenient, it also has a few drawbacks. Some biometric authentication implementations can easily be spoofed with, for example, a picture of a person or a rubber clone of the shape of a person’s fingerprint. Furthermore, biometric authentication usually requires storing more extensive data (e.g., the 3D shape of a person’s face for facial recognition), making the authentication system less scalable [23,24]. There is also a major issue regarding the privacy of biometric authentication. Since characteristics of a person like the facial structure or the fingerprint cannot be changed, a copy or clone of the person’s relevant characteristics, like a 3D mask or a fingerprint clone, poses a great danger to the security of the authentication process, since there is no way for the person to change the ‘authenticator’ (i.e., in this case, the fingerprint or the face). Therefore, when using biometric authentication, the privacy and secure storage of the relevant biometric data is paramount [25].

3.3. FIDO

The creation of the Fast Identity Online (FIDO) Alliance stems from a desire to eliminate the need for and reliance on password-based authentication mechanisms. Through years of experience and collaboration across industry leaders, authentication protocol standards have been developed to provide a phishing-resistant sign-in option. The two existing specifications are FIDO and FIDO2, which consist of different components. FIDO consists of the Universal Authentication Framework (UAF) and the Universal 2nd Factor (U2F) [8]. FIDO2 introduces the Web Authentication (WebAuthn) component developed with the World Wide Web Consortium (W3C) and a relaxed version of U2F, allowing mobile devices to be external authenticators [26].

3.3.1. UAF

UAF is part of the first FIDO specification. The protocol allows the user to choose a local authentication mechanism on their device, such as fingerprint, facial scan, or voice recognition, when establishing an authentication process while creating an account with a service. Through the local authentication mechanism, the user is authenticated, and they do not have to enter their password on said device in the future. UAF creates a key pair and stores the private key on the user’s device [8].

3.3.2. U2F

U2F is part of the first FIDO specification. The protocol introduces the possibility of a second-factor experience, which often uses a USB-compatible authenticator device that the user inserts into their computer when logging in to their account. U2F targets high-touch, low-tech users, making it possible to increase the security of one’s account even without extensive security knowledge [27]. When a user uses U2F during authentication with a service, it allows said service to simplify its password requirements without compromising security [28].

3.3.3. WebAuthn

WebAuthn is a web API developed with the World Wide Web Consortium (W3C) [29]. It allows users to authenticate themselves securely to a website using their biometrics. When the protocol completes, the device has generated a key pair, with the private key stored on the device [6].

3.3.4. Passkeys

Passkeys take advantage of the WebAuthn API and use asymmetric cryptography. When the user initiates the authentication flow during registration on a website or app, the service sends a nonce. The nonce is then signed on the local device using the private key, which is considered the passkey. When the user logs in again, the service presents a new challenge nonce, which the device signs with the private key stored on it, and the service validates the signature using the public key stored at the service [6].
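The registration and login ceremonies described in Sections 3.3.3 and 3.3.4, as a runnable model added here for illustration (it is not code from the paper or from any FIDO implementation): the device keeps the private key, the service keeps only the public key and a single-use nonce, and the relying-party identifier reported by the browser is bound into the signed data, which is what makes the scheme phishing-resistant. The RP identifier example.com and the look-alike domain examp1e.com are constructed values, and the signed-data layout is a simplification of WebAuthn’s, not the real format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

// RelyingParty is the service side; it stores public keys only, so a breached database yields no usable secret.
type RelyingParty struct {
	ID      string                      // identifier the browser reports for the site
	pubs    map[string]*ecdsa.PublicKey // credential ID -> public key
	pending map[string][]byte           // credential ID -> outstanding challenge nonce
}

// Authenticator is the user's device; the private key (the passkey) never leaves it.
type Authenticator struct {
	creds map[string]*ecdsa.PrivateKey // RP ID -> private key
}

// signedData binds a signature to the RP identity and the nonce (a simplification of WebAuthn's authenticatorData || SHA-256(clientDataJSON)).
func signedData(rpID string, challenge []byte) []byte {
	h := sha256.Sum256([]byte(rpID))
	return append(h[:], challenge...)
}

// Register is the registration ceremony: the device creates a P-256 key pair scoped to the RP and hands over only the public key and a credential ID.
func (a *Authenticator) Register(rp *RelyingParty) (string, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", err
	}
	id := make([]byte, 16)
	_, _ = rand.Read(id) // crypto/rand.Read does not fail on supported platforms
	credID := hex.EncodeToString(id)
	a.creds[rp.ID] = priv
	rp.pubs[credID] = &priv.PublicKey
	return credID, nil
}

// NewChallenge issues a fresh 32-byte nonce for one login attempt (nil for an unknown credential).
func (rp *RelyingParty) NewChallenge(credID string) []byte {
	if _, ok := rp.pubs[credID]; !ok {
		return nil
	}
	c := make([]byte, 32)
	_, _ = rand.Read(c)
	rp.pending[credID] = c
	return c
}

// Sign is the device's half of the login ceremony. rpID comes from the browser's view of the origin,
// not from page content, so a look-alike domain finds no matching passkey and receives no signature.
func (a *Authenticator) Sign(rpID string, challenge []byte) ([]byte, error) {
	priv, ok := a.creds[rpID]
	if !ok {
		return nil, errors.New("no passkey registered for " + rpID)
	}
	digest := sha256.Sum256(signedData(rpID, challenge))
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// Verify checks the signature with the stored public key over the RP's own ID and the outstanding nonce, which is consumed so it cannot be replayed.
func (rp *RelyingParty) Verify(credID string, sig []byte) bool {
	pub, ok := rp.pubs[credID]
	challenge, pendingOK := rp.pending[credID]
	if !ok || !pendingOK {
		return false
	}
	delete(rp.pending, credID)
	digest := sha256.Sum256(signedData(rp.ID, challenge))
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// Scenario runs a legitimate login, a relay through a look-alike origin, and a replay of an old signature.
func Scenario() (legitOK, phishBlocked, replayBlocked bool, err error) {
	rp := &RelyingParty{ID: "example.com", pubs: map[string]*ecdsa.PublicKey{}, pending: map[string][]byte{}} // constructed RP
	auth := &Authenticator{creds: map[string]*ecdsa.PrivateKey{}}
	credID, err := auth.Register(rp)
	if err != nil {
		return
	}
	// 1. Legitimate login: fresh nonce, signed on the device, verified with the stored public key.
	ch := rp.NewChallenge(credID)
	sig, err := auth.Sign(rp.ID, ch)
	if err != nil {
		return
	}
	legitOK = rp.Verify(credID, sig)
	// 2. Relay through a look-alike origin: the browser reports that origin, so no passkey matches and nothing is signed.
	ch2 := rp.NewChallenge(credID)
	_, signErr := auth.Sign("examp1e.com", ch2) // constructed look-alike domain
	phishBlocked = signErr != nil
	// 3. Replay: the earlier signature presented against the new nonce fails verification.
	replayBlocked = !rp.Verify(credID, sig)
	return
}
```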

3.3.5. CTAP2

CTAP2 stands for Client to Authenticator Protocol and is part of the FIDO2 specification, with the number ‘2’ indicating that this is the second version. CTAP is the new name for U2F but has the same specification. CTAP2 is a more relaxed version of CTAP, allowing mobile devices to be used as external authenticator devices in addition to the physical keys allowed in CTAP [30]. CTAP is the state-of-the-art authentication mechanism complementing the WebAuthn API standard [29]. The CTAP protocol is used for the communication between the browser and the authenticator [31].

3.4. User Experience

A central aspect of technology from a user-centric perspective is the term user experience (UX). While a variety of different approaches to defining this term exist, as can be seen in [32], for this literature review we define usability in the sense of the ISO standard 9241-11:2018, i.e., as the “extent to which a system, product or service can be used by specified users to achieve specified goals with effectiveness, efficiency, and satisfaction in a specified context of use” [33]. In this case, the specified users are all those who use or could potentially use passkeys, i.e., users who need to authenticate online. Their defined goal is to authenticate themselves to a provider or service, and the specified context of use is therefore online authentication.

3.5. Current Challenges with Conventional Authentication Methods

For later comparisons between the state of authentication today and a proposed state of authentication tomorrow, the main challenges with conventional authentication methods, as described in Section 3.2, are briefly introduced in this subsection.

3.5.1. Social Engineering

In cybersecurity, security guarantees rely on the security of protocols and of the implementations of specific algorithms, but these technical aspects are not the only factor. A password authentication process might involve a secure protocol and a complex password; still, if the user is tricked into giving away their password, then even the best protocol and password do not help. In authentication, too, a chain is only as strong as its weakest link, which is usually the human, and the human therefore remains the main target of social engineering. In itself, social engineering is not a complex attack but rather a set of strategies or tools that an attacker can use to gain access to restricted data or information. A common example is email phishing, which is the most widespread type of social engineering [34]. This is further detailed in Section 3.5.2.
Generally, social engineering can be defined as “social disguises […] and psychological tricks […] to assist hackers in illegal intrusion of computer systems and networks”. It therefore aims at manipulating a victim into providing sensitive data or access to critical systems. The ‘ease’ of using social engineering over trying to crack passwords has made it the most common technique since 2007 [34].
Common countermeasures against social engineering attacks are enhancing protections such as email filtering and adopting two-factor authentication (2FA) for verifying actions. These steps still do not fully prevent social engineering attacks; therefore, another major countermeasure is an increased focus on educating users. While these measures help and security improves, the attackers trying to intrude improve as well, resulting in increasingly sophisticated social engineering attacks [28,34].

3.5.2. Phishing

Phishing is a social engineering attack in which an attacker manipulates a victim into revealing sensitive information, such as login credentials and payment card information, into downloading and running malicious software, or into allowing the attacker to gain unauthorized access to information or systems [35,36].
Phishing can be done in various settings, such as SMS-based phishing (smishing) and voice call-based phishing (vishing). Additionally, there are more specific terms for phishing attacks, such as spear phishing, where the target is carefully selected based on reconnaissance, often using Open-Source Intelligence (OSINT) techniques. Another variant is whaling, which refers to spear phishing attacks targeting individuals with additional responsibilities, such as C-level executives in a corporation [35,36].
Phishing is the most common cyberattack and is often considered the origin of more severe cybersecurity incidents, such as ransomware or data leaks [37].
This is because most widespread phishing attacks are conducted using phishing kits (phishkits). Such a kit quickly produces a site resembling a widely known, trusted website, with submitted data handed over to the attacker instead of the intended receiver, i.e., the genuine website. These phishkits allow even people with low technical skills to deploy a phishing website. Since finding information about people is easy using leaked or public databases of phone numbers or emails, phishing attacks are widespread and relatively cheap to conduct [38].

3.5.3. Adoption of New Security Measures and Technologies

As with many new technologies in the IT landscape, the adoption of new security technologies or protocols is slow. As new technologies develop, older and less secure options stay in place. This phenomenon can be seen in multiple places across the security field; consider the progression from SSL 2.0 to TLS 1.3, where the current numbers from SSL Labs show 1.4% of servers supporting SSL 3.0 and 27.9% TLS 1.0, while only 70.1% support the newest version, TLS 1.3, even though it has been available since 2018. This also applies to the new form of authentication with passkeys [39,40,41]. Therefore, in the following, we briefly look at the adoption process of new technologies.
Adopting a new technology can generally be divided into company adoption and user adoption. The first major hurdle to overcome is the chicken-and-egg problem: companies prefer to wait to implement new technologies until the user base cares to start using the technology. However, users cannot use it unless companies implement it, so the technology ends up in limbo until companies implement it. This is exactly what happened with FIDO: adoption only gained speed after large corporations like Microsoft and Google joined and set goals for adoption across their platforms. In doing so, they created a market and a user base for the technology, giving other companies a reason to implement it [42,43].
This is just one of the many challenges the adoption of new technologies faces. Another example is the integration of the Trusted Platform Module (TPM) 2.0, which requires physical hardware integration to make it usable for the given user. Adoption was accelerated only after a ‘push’ from Microsoft and IBM to include and require this new technology. The same problems can be observed with physical FIDO keys, where companies need to offer relevant keys and provide support for authentication using these keys while at the same time requiring a willing and large enough user base to utilize them. Furthermore, for successful adoption, a FIDO provider does not just have to convince big corporations to adopt the standard and offer support for the authentication process; it also has to build the user base on which it relies. In the case of FIDO, this user-dependent aspect can be softened somewhat by password managers handling the keys [43,44,45].
Another important element is the user experience (UX). When users adapt to new technologies, their known usage patterns are disrupted, giving them less drive to try new and potentially less user-friendly but more secure methods. A good example of this is password resets, where users are notorious for creating easily memorizable patterns. These password resets come with the disadvantage of making passwords less secure and therefore weaker against cyberattacks. However, in its simplest form, this is user-friendly, making users more willing to use passwords compared to technologies like passwordless authentication, for which they would have to adapt to and become used to a new form of authentication. So, the more difficult it becomes to access or log in to a site, the less willing users will be to adopt the new technology. This is covered further in the next section [46,47,48].

3.5.4. Human Aspect on Security

The saying “A chain is only as strong as its weakest link” is especially true in the context of cybersecurity, which can be seen when looking at social engineering attacks that target the human aspect, which is often the weakest link [49]. When authentication processes become too complex or require too much effort, people often try to cut corners and skip critical practices for maintaining high-security levels [50].
In a typical single-factor authentication with username–password combinations, users might find it convenient and natural to use the same username and password as for other services [51]. This practice of reusing credentials creates a risk for the user’s accounts and data on a particular service if another service, where the user has used the same credentials, is compromised or if the credentials are collected in a phishing attack [52]. Despite the risk, recent research suggests that almost one in three users reuses the same password across different services and that more than 80% of online users use passwords across very similar services [53]. While the exact numbers are only based on sample checks through academic studies, these numbers still indicate that many users do not follow the best-practice password guidelines.
Over the years, services have continuously enhanced security levels for single-factor authentication implementations. Strict password requirements have been put in place and vary from service to service, making a valid password in one service invalid in another, and much research has gone into guiding users into improving the strength of passwords [54,55,56,57]. Additionally, some services, especially in corporate environments, have a sunset period for the password’s validity, prompting the user to change the password occasionally [58]. Furthermore, as a common practice, databases containing leaked user credentials are being integrated with services to forbid the reuse of already compromised passwords [59]. Nevertheless, research suggests that even despite these improvements, the human is still the weakest link, and as already mentioned, phishing attacks are one of the most common and easiest attacks today [55,60,61].
At the same time, we see a general trend outside single-factor authentication, which is that users, especially non-technical ones, tend to be slow in adopting new security processes and technologies. This is a general problem that all new technology and processes need to consider when designing new solutions [62,63].

4. Methodology and Search Strategy

To ensure a systematic review of all the relevant literature, we used [64,65,66,67] as guidelines for structuring our literature review’s methodology. These papers were chosen due to their relevance as the key literature in the field, with a high number of citations. By basing our approach on multiple key papers, we ensure the reproducibility and validity of our literature review. We outline our approach in the following order: the search strategy, the criteria for including or excluding found papers, and the filtering process, which constitutes the review process.

4.1. Search Strategy

Following the guidelines of the mentioned literature, search terms were defined during a brainstorming session as a first step. By documenting the search terms, we ensure the reproducibility of our search process. Note that the search was conducted in November 2024 and utilized the literature search engines Google Scholar (https://scholar.google.com (accessed on 1 March 2025)) and DTU Findit (https://findit.dtu.dk (accessed on 1 March 2025)), as well as the standard search engine Google (https://google.com (accessed on 1 March 2025)). Using these search engines enabled us to survey the literature across all academic domains, ensuring we did not limit our review to a narrow set of academic journals. To cover all relevant literature, combinations of multiple search terms were created. While this causes some redundancy in the search results, it also ensures that as much of the relevant literature in the field is covered as possible. Table A1 in Appendix A shows all defined search terms. To ensure the best results, multiple words were combined with the operator AND, which tells the search engines to look for both words without requiring them to appear in any specific order, i.e., without requiring that the two words appear directly together. As this literature review strives to cover all the relevant literature in the field, the search terms start out generic and then become more specific, enabling us to find all the applicable literature [64,65].

4.2. Inclusion Criteria

To ensure that only relevant and accessible literature is included in our review, we formalized the inclusion criteria that were applied during the search process, and only the literature fulfilling all requirements was included. Since some of the search terms returned a vast amount of literature, the inclusion criteria were designed to allow a decision about the inclusion of a paper without having to read the entire paper. To be included, a paper had to fulfill the following criteria:
  • The paper’s content is related to the literature topic, i.e., related to passkeys with a focus on a user-centric topic.
  • The paper’s content is fully accessible through open access or covered by a DTU license.
  • The paper is written in English, Danish, or German.

4.3. Snowball Process

To ensure that we also included the literature that was not covered by our choice of search engines and our defined search terms, we applied the snowballing method [66]. Using the literature that we collected in the first step with all search terms, we identified the key literature for this literature review based on the titles and abstracts of the papers. Indicators for a paper being classified as key are the following:
  • The scope of the paper is closely related to the scope of this literature review.
  • The paper is itself a literature review, or it covers a key aspect from the perspective of this survey, such as user challenges with passkeys.
The key papers that were identified concerning these criteria are shown in Table 2.
Using the two reference search systems Litmaps (https://www.litmaps.com/ (accessed on 1 March 2025)) and Connected Papers (https://www.connectedpapers.com/ (accessed on 1 March 2025)), we then searched through the references of the identified key papers as well as through the papers citing them. Further papers were included if they matched the inclusion criteria.

4.4. Filtering Process

To ensure that only papers of adequate quality and academic relevance were included in this literature review, we further formalized exclusion criteria. A paper fulfilling any of the exclusion criteria was removed from the collection. In addition, all duplicates were removed; duplicates arose because some search terms are closely related and because the search process was split into parts and executed in parallel by the authors. The exclusion criteria are the following:
  • The item is a book, which we do not treat as a peer-reviewed scientific medium.
  • The paper’s methodology is unclear or not described in sufficient detail.
  • The paper contains too few references or too many claims without supporting evidence.
After removing all duplicates and filtering the collection by scanning titles, abstracts, and, where needed, the full text, we identified further key papers based on the indicators described above. Table 3 lists the four additional key papers. Based on these, a second snowball round was conducted, and any literature found in it was checked against the inclusion and exclusion criteria.
Figure 1, inspired by [64], gives an overview of the search process described so far and shows the amount of literature found, added, or removed in each step. In total, we ended up with 105 papers relevant to the scope of this literature review.
After concluding the systematic search process, we conducted a full-text review of all 10 key papers to obtain an overview, followed by a screening and a full review of the remaining literature. The findings extracted and distilled from these 105 papers are presented in the following sections. Not all 105 collected papers necessarily appear in the bibliography, since some provide no insights beyond the rest of the collection and are therefore not cited. In addition to this topic-related literature, we also collected, filtered, and analyzed papers for the background theory sections in the same way. The only difference is that no snowball search was conducted for them, as the background sections do not aim to review the literature but to outline important concepts backed by academic research.

5. General Overview of Passkey Literature

We now provide a general overview of the literature collected for this survey. We analyze all 105 topic-relevant papers to conduct an enhanced analysis using the Latent Dirichlet Allocation (LDA) method. The purpose of this approach is to allow us to devise a systematic categorization of all papers, which can then be used to systematically outline and describe the challenges and improvements of passkeys from the current literature.
As the description of LDA is rather technical, we refer to [74] for a detailed mathematical description. Briefly, LDA models each document as a mixture of topics and each topic as a mixture of words; the topics can then be detected across multiple documents, allowing for topic categorization. In our case, we extract the text from the collected papers, pre-process it to remove stop and filler words, and then run an LDA analysis. The respective code is available on GitHub (https://github.com/art-r/Passkey-Survey (accessed on 1 March 2025)). To run the LDA, we use the popular Python implementation from the Gensim package (https://radimrehurek.com/gensim/models/ldamulticore.html (accessed on 1 March 2025)), which is based on [75]. Since the purpose of the LDA analysis is to gain a first overview of potential topic clusters, we do not conduct hyperparameter optimization but work with the default parameters (alpha = 1/number of topics, iterations = 50, decay = 0.5, offset = 1.0) and only vary the number of assumed topics. Having collected the literature systematically, as described in Section 4, minimizes the risk of bias in the literature data, as it ensures that we cover as much of the relevant literature in the domain as possible. A model bias may still be introduced because we did not perform hyperparameter optimization beyond testing different numbers of assumed topics. This potential bias is acceptable because we do not rely solely on the LDA results but use them as a starting point for the analysis and synthesis. Furthermore, the number of assumed topics, which is the most influential hyperparameter, is tested with several values, which gives a reasonable basis for its selection.
Generating a word cloud from the pre-processed text (Figure 2) already shows a tendency for technical aspects to dominate, judging by the most frequently appearing words. Words like password, security, and user are clearly represented, but alongside them appear technical terms like system, chars, textual passwords, bcrypt, force attack, etc.
We conduct an exploratory analysis to test different values for the number of topics in the collected literature. Starting with an estimated 10 cross-document topics, roughly three topic clusters can be seen in Figure 3: cluster one in the top right field of the coordinate system, cluster two in the top left, and cluster three in the bottom left. These ten topics give a coherence score of 0.290. To identify meta-topics based on the LDA analysis, we continue with the assumption that the collected literature can be roughly divided into three main topics, derived from the fact that the intertopic distance map shows roughly three areas, as described above.
Rerunning the LDA with just three assumed cross-document topics gives a clear separation with a large distance between the clusters, as shown in Figure 4. Theoretically, one could go further and search for an even better distribution and clustering of the cross-document topics. This is, however, sufficient for our purpose of giving a high-level overview and aiding the analysis and synthesis of the collected literature. We therefore conclude that three topics are a good estimate and representation of the major topics discussed in the collected literature, as can also be seen visually in Figure 4. The coherence score for three topics, 0.297, is similar to the score for 10 assumed topics, which suggests that our hypothesis of three major topics in the literature is not contradicted by the model. From analyzing the three topic clusters and the most salient terms per cluster, we estimate that topic cluster 1 (bottom right; top 3 most relevant salient terms “security”, “authentication”, and “password”) is related to technical aspects, cluster 2 (top left; “security”, “user”, and “password”) is related to user-centric aspects, and cluster 3 (top right; “security”, “authentication”, and “user”) is also related to user-centric aspects, but with a slightly higher focus on technical or protocol aspects as well. We note that the LDA analysis does not highlight gaps in the literature, since it can only show the topics that are discussed, not those that are missing. This therefore needs to be addressed in the further literature analysis.
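The following Go program is an added illustration of the LDA procedure used in this section; it is not the authors’ Python/Gensim code from the repository above. It implements collapsed Gibbs sampling, the inference scheme behind the “document as a mixture of topics, topic as a mixture of words” description, on a constructed mini-corpus of six short “documents” (an assumption for the example, not the survey’s data): three with user-centric wording and three with protocol wording. With K = 2 topics and a symmetric alpha of 1/K (Gensim’s default), the sampler separates the two vocabularies; the beta value of 0.1, the seed, and the iteration count are likewise chosen for the example.

```go
package main

import (
	"fmt"
	"math/rand"
	"strings"
)

// Constructed stand-in for the pre-processed paper texts (not the survey's real
// data): three documents with user-centric wording, three with protocol wording.
var corpus = []string{
	"password user usability survey participant perception",
	"user perception password usability survey participant",
	"survey participant password user perception usability",
	"attestation protocol authenticator ctap webauthn relying",
	"protocol webauthn attestation relying authenticator ctap",
	"authenticator ctap relying protocol attestation webauthn",
}

// LDA holds the count tables that collapsed Gibbs sampling updates in place:
// docs/z are token ids and their current topics; ndk, nkw and nk are the
// document-topic, topic-word and per-topic totals.
type LDA struct {
	K                 int
	wordID            map[string]int
	docs, z, ndk, nkw [][]int
	nk                []int
	alpha, beta       float64
	rng               *rand.Rand
}

// NewLDA tokenizes the texts, allocates the count tables and gives every token
// a random initial topic.
func NewLDA(texts []string, k int, alpha, beta float64, seed int64) *LDA {
	l := &LDA{K: k, wordID: map[string]int{}, alpha: alpha, beta: beta, rng: rand.New(rand.NewSource(seed))}
	for d, t := range texts {
		l.docs = append(l.docs, nil)
		for _, w := range strings.Fields(t) {
			if _, ok := l.wordID[w]; !ok {
				l.wordID[w] = len(l.wordID)
			}
			l.docs[d] = append(l.docs[d], l.wordID[w])
		}
	}
	l.nkw, l.nk = make([][]int, k), make([]int, k)
	for j := range l.nkw {
		l.nkw[j] = make([]int, len(l.wordID))
	}
	for d, doc := range l.docs {
		l.ndk, l.z = append(l.ndk, make([]int, k)), append(l.z, make([]int, len(doc)))
		for i, w := range doc {
			l.assign(d, i, w, l.rng.Intn(k), 1)
		}
	}
	return l
}

func (l *LDA) assign(d, i, w, k, delta int) {
	l.z[d][i] = k
	l.ndk[d][k] += delta
	l.nkw[k][w] += delta
	l.nk[k] += delta
}

// Phi is the smoothed probability of word w under topic k, (n_kw + beta) / (n_k + V*beta).
func (l *LDA) Phi(k, w int) float64 {
	return (float64(l.nkw[k][w]) + l.beta) / (float64(l.nk[k]) + float64(len(l.wordID))*l.beta)
}

// Fit runs iters sweeps of collapsed Gibbs sampling: each token draws a new topic
// with probability proportional to (n_dk + alpha) * Phi(k, w), counts taken without the token itself.
func (l *LDA) Fit(iters int) {
	p := make([]float64, l.K)
	for it := 0; it < iters; it++ {
		for d, doc := range l.docs {
			for i, w := range doc {
				l.assign(d, i, w, l.z[d][i], -1)
				total := 0.0
				for k := range p {
					p[k] = (float64(l.ndk[d][k]) + l.alpha) * l.Phi(k, w)
					total += p[k]
				}
				k, u := 0, l.rng.Float64()*total
				for ; u > p[k] && k < l.K-1; k++ {
					u -= p[k]
				}
				l.assign(d, i, w, k, 1)
			}
		}
	}
}

func main() {
	l := NewLDA(corpus, 2, 0.5, 0.1, 7) // alpha = 1/K, mirroring Gensim's default
	l.Fit(300)
	for w, id := range l.wordID {
		fmt.Printf("%-14s P(w|topic 0)=%.3f  P(w|topic 1)=%.3f\n", w, l.Phi(0, id), l.Phi(1, id))
	}
}
```

Varying K and rerunning Fit is the same model-selection step the survey performs with 3 and 10 topics; on a real corpus, a coherence score such as Gensim’s CoherenceModel would then be computed from the top words of each topic.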
Applying LDA topic modeling to the collected papers gives us a better understanding of the main topic clusters that exist across the collected literature. While there are multiple possibilities for grouping the literature, we found that grouping it into three topics gives the best overview and matches the major discussed topics closely. This understanding of the topic clusters allows us to synthesize the content more effectively, resulting in a better overview of the discussed topics. We note that the collected literature covers multiple diverse topics, some of which investigate niche areas. The three final topic clusters therefore sometimes contain outliers, which can also be observed in the diversity of the top 30 most salient terms. To prevent the topic clustering from biasing the literature analysis, we keep these three estimated topic clusters only as candidates in mind and still consider additional topic clusters during the actual analysis. From the literature analysis, we then find that the topics in the collected papers can be divided into three categories: technical, usability, and user perception. This is in alignment with our LDA analysis, with one technical topic and two user-centric topics. Using these categories allows us to outline the insights of the collected papers in a structured manner.
The technical category is rather obvious, since passkeys introduce many technical changes to the authentication process, and much academic research focuses on these aspects. The usability and user perception categories cover all non-technical aspects, accounting for the user-centric focus of this literature review. We differentiate between the two because usability concerns how users actually interact with passkeys, which is a focus of the academic research, whereas user perception covers the more psychological aspect of how secure and usable users believe passkeys to be. This lets us also account for findings in the current research on user perception that are not necessarily grounded in actual technical or usability properties (e.g., a user might think that a passkey is not secure, even though technically it is).
Looking at the challenges and improvements of passkeys in this structured way, and laying out the insights for each in the three subcategories (technical, usability, and user perception), shows how many papers in the field focus on which areas of passkeys and highlights where the field is missing valuable insights for future advancement. Regarding our classification, papers that both discuss a challenge and propose a possible improvement for it are mentioned in both main categories. Section 6 goes into further detail regarding the identified papers and provides a synthesized and distilled overview of all identified insights.

5.1. Table of Challenges

Table 4 shows the categorization of the identified research papers that deal with challenges regarding passkey adoption. They are further categorized into the three subcategories: technical, usability, and user perception. If a paper covers more than one subcategory, it is listed under each. To be categorized as technical, a paper needs to identify and highlight technical challenges of using passkeys; to be categorized as usability, it must identify or highlight challenges concerning the usability of passkeys; and to be categorized as user perception, it must identify or highlight challenges related to user perception.
Table 4 shows a general concern regarding the usability of passkeys, and the identified papers also cover the technical aspect. We outline details, including overlaps and differences in the academic research, in Section 6. Generally, however, much of the literature, such as Refs. [11,17,42], overlaps in highlighting challenges in the setup and ease of use of passkeys.

5.2. Table of Improvements

Table 5 shows the categorization of the identified research papers that deal with improvements in the field of passkeys. These are further categorized into the three subcategories: technical, usability, and user perception. If a paper covers more than one subcategory, it is listed under each. To be categorized as technical, a paper must propose a primarily technical improvement of passkeys; to be categorized as usability, it must propose an improvement to the usability of passkeys; and to be categorized as user perception, it must propose an improvement related to user perception.
Compared to Table 4, most papers in Table 5 focus on technical aspects. Expressed as a share of the total number of identified papers, the technical category covers around 19.5% in Table 5, compared to almost 39% in Table 4; the usability category covers only around 8.5% in Table 5 versus around 45.4% in Table 4; and the user perception category covers around 8.7% in Table 5 versus around 30.4% in Table 4. This suggests that the proposed improvements cover only a fraction of the identified concerns and challenges, and that the research focus lies more on challenges than on improvements.
As with the challenges, we go into more detail regarding overlaps and differences in the academic research in Section 6. Generally, however, we note that the literature differs on the current complexity of passkeys for end users: some papers, like Refs. [27,28,85], conclude that there are still major usability obstacles, while others, like Refs. [45,70,91,94], conclude that the most important usability obstacles have already been addressed through their improvements and collaborations with the FIDO Alliance and the respective developers. We investigate this further in the respective section below.

6. Limitations and Challenges in Passkeys

After the general overview of the collected literature and the identification of the areas on which current academic research focuses most, we now discuss each paper in more detail and present the insights in a condensed and distilled form. These insights are further discussed and critically synthesized in Section 7. For the detailed insights in this section, we again use the three subcategories technical, usability, and user perception, since, as shown, they cover all content categories of the analyzed papers.

6.1. Challenges

Based on the papers identified in Section 5, Section 5.1, and Table 4, this section goes into further detail on each paper, highlighting the main takeaways concerning passkey challenges.

6.1.1. Technical Challenges

A central property of the FIDO2 specification is that, for device-bound passkeys, the private key is tied to a specific device. A concern shared across the papers is the device storing the passkey being lost or damaged, in which case users may face difficulties accessing their accounts [6,26,71]. Traditional recovery mechanisms, such as security questions, do not align with FIDO2’s principles of privacy and unlinkability and can therefore create barriers during recovery [26]. Backup options like recovery codes can undermine security if not properly managed [79]. Some potential solutions exist. One, proposed by [26], is the concept of multi-device credentials, where the keys are synchronized across devices using encrypted cloud storage, as already implemented today, for example, in passkeys synced through Apple’s iCloud. Another, proposed by [6], is backup/fallback authenticators, which allow users to register multiple devices for redundancy. However, the lack of standardization for fallback authentication in the case of, e.g., a lost or damaged device complicates deployment, which is also one of the main usability concerns [73]; this is covered in more detail in Section 6.1.2. Despite these suggestions, efficient recovery mechanisms are yet to be standardized and are currently complex and costly [15].
In smaller and older IT landscapes, there are interoperability issues in heterogeneous environments, particularly with legacy systems [85]. Furthermore, some enterprise environments face difficulties implementing secure configurations because hardware authenticators are required, which creates barriers in the authentication process [85].
Despite the ongoing standardization effort to ensure compatibility across platforms, browsers, and devices, the remaining lack of standardization makes uniform adoption across browsers, devices, and services significantly more difficult, and compatibility workarounds can cause integration issues and deployment challenges [73].
Furthermore, integrating passkeys with existing authentication systems adds another level of complexity [6]. From an adversary’s perspective, these inconsistencies can sometimes even be leveraged to bypass protections, compromising users’ security [29,80]. The inconsistent implementation of passkey functionality across browsers, such as Chromium-based browsers allowing multiple authenticators to connect during registration, potentially enables attacks, and Safari’s mitigation against QR-based attacks highlights the fragmented way in which various devices and browsers handle the FIDO2 protocols [30]. A critical timing attack on FIDO2 authenticators was discovered by [29]: a vulnerability in key handle processing allows remote attackers to link user accounts across different services by exploiting time differences in key handle validation. Another report highlighted that automated tools can assess server-side compliance with FIDO2 security goals, and that non-compliant services could be exposed to exploitation [77]. Overall, these findings underline the need for further standardization efforts to improve the technical security of passkeys.
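To make the account-linking timing channel concrete, the following Go program is an added, deliberately simplified model; it is not the attack, the measurement setup, or the authenticator firmware analysed in [29], which should be consulted for the real mechanism. The program assumes a toy key handle format, nonce || sha256(rpID)[:16] || HMAC(deviceKey, nonce || rpHash)[:16], and counts MAC and key-derivation operations instead of measuring wall-clock time. In the leaky variant the authenticator does extra work only for handles it minted itself and stops at the first usable one, so a malicious relying party that places a handle obtained from another site into its allow list learns from the timing whether the visiting device is the one that registered there. The hardened variant performs the same work for every handle and never exits early; it models the work with a counter and is not itself constant-time code.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// authenticator models a device that can only recognise handles it minted
// itself. ops counts MAC and key-derivation evaluations and stands in for
// elapsed time, so the comparison is deterministic.
type authenticator struct {
	deviceKey []byte
	ops       int
}

func newAuthenticator() *authenticator {
	k := make([]byte, 32)
	rand.Read(k)
	return &authenticator{deviceKey: k}
}

func rpHash(rpID string) []byte {
	h := sha256.Sum256([]byte(rpID))
	return h[:16]
}

// mac is one unit of work.
func (a *authenticator) mac(data []byte) []byte {
	a.ops++
	m := hmac.New(sha256.New, a.deviceKey)
	m.Write(data)
	return m.Sum(nil)[:16]
}

// MakeHandle mints a credential for rpID at registration time (toy format,
// an assumption for this example): nonce || rpHash || MAC(nonce || rpHash).
func (a *authenticator) MakeHandle(rpID string) []byte {
	nonce := make([]byte, 16)
	rand.Read(nonce)
	h := append(nonce, rpHash(rpID)...)
	return append(h, a.mac(h)...)
}

// isMine checks the MAC: did this device mint the handle, for whatever RP?
func (a *authenticator) isMine(h []byte) bool {
	return len(h) == 48 && hmac.Equal(h[32:], a.mac(h[:32]))
}

// deriveKey stands for the per-credential key derivation done before signing;
// it is the second unit of work.
func (a *authenticator) deriveKey(h []byte) []byte { return a.mac(append([]byte("sign:"), h...)) }

// SelectLeaky is the natural but leaky loop: the expensive step runs only for
// handles this device minted, and the loop stops at the first usable one. The
// work done therefore reveals whether a handle taken from *another* site
// belongs to this device, which is exactly what a linking attacker asks.
func (a *authenticator) SelectLeaky(allowList [][]byte, rpID string) (idx, ops int) {
	a.ops = 0
	for i, h := range allowList {
		if !a.isMine(h) {
			continue // fast rejection: one MAC
		}
		a.deriveKey(h) // second MAC, only for own handles
		if hmac.Equal(h[16:32], rpHash(rpID)) {
			return i, a.ops // early exit on the first usable handle
		}
	}
	return -1, a.ops
}

// SelectConstant does the same amount of work for every handle and never
// exits early, so the work no longer depends on the list's contents.
func (a *authenticator) SelectConstant(allowList [][]byte, rpID string) (idx, ops int) {
	a.ops, idx = 0, -1
	for i, h := range allowList {
		mine := a.isMine(h)
		a.deriveKey(h) // always derive, even for handles that will be rejected
		if mine && idx < 0 && hmac.Equal(h[16:32], rpHash(rpID)) {
			idx = i // a production build would select with crypto/subtle rather than a branch
		}
	}
	return idx, a.ops
}

func main() {
	victim, other := newAuthenticator(), newAuthenticator()
	fromSiteA := victim.MakeHandle("site-a.example") // handle the attacker obtained from site A
	unrelated := other.MakeHandle("site-a.example")  // some other device's credential
	for _, h := range [][]byte{fromSiteA, unrelated} {
		_, leaky := victim.SelectLeaky([][]byte{h}, "attacker.example")
		_, constant := victim.SelectConstant([][]byte{h}, "attacker.example")
		fmt.Printf("leaky work=%d  constant work=%d\n", leaky, constant)
	}
}
```

The two printed lines differ in the leaky column (2 units of work for the victim’s own handle, 1 for an unrelated one) and agree in the constant column; that difference is the signal a malicious relying party would measure.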
Due to implementation complexity and misconfiguration, FIDO2 authentication implementations may pose significant risks to the security and privacy of the authentication process. Developers may misunderstand protocol requirements, leading to vulnerable implementations, including improper session management and reliance on incomplete libraries [77]. Attestation used with its default settings reveals device-specific information such as the manufacturer and model, and metadata associated with public keys, such as key handles, can inadvertently aid account-linking attacks, especially when combined with timing or side-channel attacks [80]. Developers often avoid requiring attestation due to privacy concerns, instead relying on less robust forms like self-attestation, which are more susceptible to certain attacks [81]. Mitigation suggestions emphasize limiting attestation to scenarios where it is strictly necessary and anonymizing data wherever possible [80]; without proper configuration, attestation data can otherwise be exploited to track users across services. One paper highlighted that, in modern operating systems and browsers, forensic data can give clues about the user’s authentication processes with FIDO2 passkeys, thereby compromising the user’s privacy [78]. More specifically, such forensic data may allow linked devices to be detected, which might inadvertently expose user accounts and authentication processes [29,80]. The same paper noted that additional artifacts are generated when external devices (e.g., smartphones) are used for authentication, distributing digital traces across multiple locations. This differs from password-based authentication, where little to no trace is left behind [78].
Continuing with privacy, certain safeguards, such as Direct Anonymous Attestation (DAA), are not mandatory in the FIDO2 specification, leading to further inconsistent implementations [80]. Making advanced privacy features like DAA mandatory would help ensure consistent privacy protection across implementations [80]. Addressing the privacy issues therefore requires both mandatory protocol changes and the widespread adoption of advanced privacy-preserving techniques, and formal verification emerges as a crucial tool for identifying and addressing such vulnerabilities [80]. These insights from the academic literature suggest that while FIDO2 provides strong security guarantees, open issues remain, such as the incomplete standardization mentioned above and the privacy protections weakened by inconsistent implementations.
Finally, although passkeys are resistant to phishing, they can still be attacked through sophisticated social engineering targeting recovery mechanisms or user devices [6,79]. In addition, websites supporting FIDO2 authentication often allow fallback to weaker second-factor alternatives, e.g., OTPs, exposing users to real-time phishing attacks: attackers relay the credentials and induce users to enter OTPs under the guise of additional security, effectively bypassing the stronger FIDO2 authentication [82].
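The protocol-requirement mistakes mentioned above (a challenge that is not single-use, an unchecked origin or rpIdHash, ignored flags and counters) and the origin binding that OTP fallbacks lack are easiest to see in code. The following Go program is an added example, not code from any of the cited papers or from a WebAuthn library; it implements the server-side checks of the WebAuthn assertion verification procedure for an ES256 credential, with a simulated authenticator on the other side. The hostnames bank.example and bank-login.example and the credential ID “cred-1” are placeholders. The simulated client is allowed to sign for a mismatched origin so that the server-side check can be exercised; a conforming browser would already refuse such a request, and the relying-party check is the second line of defence. A relayed OTP carries no comparable origin binding, which is why the fallback path described above re-opens the attack.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"fmt"
)

// clientData holds the CollectedClientData fields the relying party must check.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// relyingParty: expected origin and RP ID, challenges issued but not yet used, last counter per credential.
type relyingParty struct {
	origin, rpID string
	pending      map[string]bool
	signCount    map[string]uint32
}

// NewChallenge issues a fresh random challenge and remembers it for exactly one use.
func (rp *relyingParty) NewChallenge() string {
	b := make([]byte, 32)
	rand.Read(b)
	c := base64.RawURLEncoding.EncodeToString(b)
	rp.pending[c] = true
	return c
}

// VerifyAssertion performs the checks implementers most often skip: single-use challenge, origin,
// rpIdHash, user-presence flag, signature counter, and the ES256 signature over authData || SHA-256(clientDataJSON).
func (rp *relyingParty) VerifyAssertion(pub *ecdsa.PublicKey, credID string, clientDataJSON, authData, sig []byte) error {
	var cd clientData
	if json.Unmarshal(clientDataJSON, &cd) != nil || cd.Type != "webauthn.get" {
		return fmt.Errorf("malformed clientData or wrong type")
	}
	if !rp.pending[cd.Challenge] {
		return fmt.Errorf("challenge unknown or already used (replay)")
	}
	delete(rp.pending, cd.Challenge) // consumed whether or not the rest succeeds
	if cd.Origin != rp.origin {
		return fmt.Errorf("origin %q is not %q: assertion was produced on another site", cd.Origin, rp.origin)
	}
	want := sha256.Sum256([]byte(rp.rpID))
	if len(authData) < 37 || string(authData[:32]) != string(want[:]) || authData[32]&0x01 == 0 {
		return fmt.Errorf("authenticatorData malformed, rpIdHash mismatch, or user presence flag not set")
	}
	count := binary.BigEndian.Uint32(authData[33:37])
	if count != 0 && count <= rp.signCount[credID] {
		return fmt.Errorf("signature counter did not increase: possible cloned authenticator")
	}
	cdHash := sha256.Sum256(clientDataJSON)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return fmt.Errorf("invalid signature")
	}
	rp.signCount[credID] = count
	return nil
}

// signAssertion simulates the authenticator: authenticatorData = rpIdHash || flags(UP) || counter,
// signed together with the hash of the clientDataJSON the client assembled. A conforming browser
// only allows an rpID matching the page origin; the simulation skips that to exercise the server check.
func signAssertion(priv *ecdsa.PrivateKey, counter uint32, rpID, origin, challenge string) (clientDataJSON, authData, sig []byte) {
	clientDataJSON, _ = json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	h := sha256.Sum256([]byte(rpID))
	authData = append(h[:], 0x01, 0, 0, 0, 0)
	binary.BigEndian.PutUint32(authData[33:], counter)
	cdHash := sha256.Sum256(clientDataJSON)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, _ = ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return
}

// RunScenarios returns the verdicts for a genuine login, a replay of that same assertion,
// and an assertion produced on a phishing origin that relays the real challenge (placeholder hostnames).
func RunScenarios() (genuine, replay, phished error) {
	rp := &relyingParty{origin: "https://bank.example", rpID: "bank.example", pending: map[string]bool{}, signCount: map[string]uint32{}}
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	cdj, ad, sig := signAssertion(priv, 1, "bank.example", "https://bank.example", rp.NewChallenge())
	genuine = rp.VerifyAssertion(&priv.PublicKey, "cred-1", cdj, ad, sig)
	replay = rp.VerifyAssertion(&priv.PublicKey, "cred-1", cdj, ad, sig)
	cdj, ad, sig = signAssertion(priv, 2, "bank.example", "https://bank-login.example", rp.NewChallenge())
	phished = rp.VerifyAssertion(&priv.PublicKey, "cred-1", cdj, ad, sig)
	return
}

func main() {
	g, r, p := RunScenarios()
	fmt.Printf("genuine: %v\nreplay:  %v\nphished: %v\n", g, r, p)
}
```

Only the genuine login verifies; the replay fails on the consumed challenge and the phished assertion fails on the origin, even though its signature and challenge are valid. An OTP entered on bank-login.example and relayed to bank.example would pass every one of these checks, because there is nothing in an OTP for the server to bind to an origin.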

6.1.2. Usability Challenges

Passkeys need to be usable from a user’s perspective to be a viable alternative or supplement to existing authentication methods [45]. Passkeys must, therefore, be accessible and easy to learn [17]. Hence, to achieve user satisfaction, user psychology must be considered.
From current academic research, we see the following key usability challenges:
  • Lack of user awareness [6,42,69,71,82];
  • Setup complexity [11,17,27,28,42,85];
  • Lack of portability and platform dependency concerns [6,69,87,88];
  • Account delegation [42,88];
  • Account recovery [6,13,79,84,85,86,88];
  • Account revocation [83];
  • Adoption in enterprise environments [69,83,85].

Lack of User Awareness

One of the main usability problems identified across the papers is the lack of understanding and awareness of FIDO2-based authentication in the first place. In one usability test, only one respondent had preexisting knowledge of the technology, whilst all the other respondents did not [42,85].
Furthermore, the lack of user awareness of FIDO2 also reduces the pressure on applications to adopt FIDO2, since users believe the current authentication options are sufficient, a circular effect that suppresses both demand and supply [6,69]. According to a survey from 2020, 23 of the 100 most visited websites supported FIDO2 for multi-factor authentication, but with the recommendation to also have a less secure supplement as a backup [82].

Setup Complexity

Throughout the different papers, the setup complexity of FIDO2 is disputed. One study found that users with a technical background found setting up the FIDO2 authentication option on services like Google Accounts quite easy [11]. In contrast, other studies reported that users found the setup process more complex and frustrating [17,27,28,42]. In one survey in particular, multiple respondents believed they had successfully set up the FIDO2 authentication method and then ended up locked out of their account [17].
Users with low technical fluency found setting up FIDO2 as an authentication option more challenging [11]. The papers also note that, due to the limited diversity among their participants, groups with different characteristics, such as age and socioeconomic status, could potentially show different results [11,42].

Lack of Portability and Platform Dependency Concerns

Current implementations do not allow passkeys to be exported, which, for local (device-bound) authenticators, means repeating the setup workflow for each account and device because nothing is synchronized. This repetition, especially in comparison to other authentication methods, is deemed excessive and infeasible [6,69,87].
For cloud-based authenticators, synchronization allows multi-device use, with Apple and Google dominating this market. However, current implementations are tied to platforms, reducing the user’s flexibility and control. Some individuals may prefer this, trusting the corporations to protect their data, while others may want to retain responsibility, control, and privacy [6].
There is also the consideration of incompatible devices, such as shared devices (e.g., a library computer) or devices that lack support for FIDO2 authentication, especially older computers and mobile phones without Trusted Execution Environment (TEE) capabilities [88]. Whilst CTAP (Client to Authenticator Protocol), which lets a separate device such as a phone act as the authenticator, promises to address these concerns, the papers do not report the respondents’ knowledge of CTAP.

Account Delegation

When an individual wants to share an account or delegate access, passkeys pose a challenge. In a traditional password-based system, the password is relatively easy to share, despite the potential security implications, and this works well among trusted actors. Since passkeys are not exportable or portable, there is nothing to share, and users must find other ways to delegate access [42,88].
In settings such as streaming services, which are often shared with family members, participants were less likely to use FIDO2/passkey authentication than for services such as banking and social networking [88].

Account Recovery

FIDO2 currently lacks a default recovery procedure for a lost passkey. The FIDO Alliance’s official recommendation for self-service recovery is to register multiple authenticators and keep one as a backup, which duplicates the setup and management steps for passkeys on each account [85,88]. Users consider this approach unintuitive and cumbersome [13,45,79,85]. On the other hand, adding alternative recovery methods, such as email- or SMS-based account recovery, can undermine the security benefits of FIDO2 by reducing the account to its least secure authentication or recovery option [84].

Account Revocation

Since FIDO2 credentials are registered per service without a central authority, a user whose authenticator is compromised must manually disable the respective key on each service, one by one [83]. There is, however, academic work investigating a global key revocation standard, which would simplify this process [83].

Adoption in Enterprise Environments

Enterprise environments inherit some of the same barriers, but with an amplified impact, and additional barriers are unique to such environments. The current challenges for passkey adoption in enterprises are, namely, account delegation, recovery, and revocation. Large enterprises usually operate Identity and Access Management (IAM) systems that act as the single source of truth for access control across the organization, and the lack of a standardized way to recover, delegate, and revoke accounts might deter integration efforts [69,83,85].
Additionally, the lack of standardization of user interfaces across browsers and devices creates many pathways that individual employees need to navigate, requiring additional training [85]. An experienced Chief Information Security Officer (CISO) of a large non-governmental organization recommended introducing such training through a gradual, per-department roll-out of security solutions like passkeys with corresponding onboarding of employees. He mentioned that onboarding should be done in very small groups to be able to address each suborganization’s requirements and challenges with adopting the policy [73].
Finally, server software running on Windows and Linux can be difficult to integrate with FIDO2, even though enterprises rely on it heavily [85]. Adopting passkeys might also be more challenging in enterprise environments because of the complexity of integrating the technology into legacy IT systems and accommodating shared workstations, which are common in these environments [85].

6.1.3. Perception Challenges

The users’ perception is a crucial challenge to mitigate before enabling widespread adoption. Even though FIDO2 provides strong security features and can limit phishing attack surfaces, its dependency on a user’s device creates potential barriers to confident adoption. If, for instance, one user wishes to switch from one ecosystem to another, there might be migration issues, or this might not be possible altogether. Furthermore, if a device is lost or damaged, it may create recovery challenges [7,14,84]. Using the known recovery mechanism, such as email-based recovery or backup codes, often undermines the security strength of FIDO2 and the absence of a clear recovery mechanism aids the concern for adopting the new authentication mechanism [7,14,48,73,79,88].
Despite an ecosystem often allowing for seamless transition across devices without additional setup, it is usually not the case with passkeys as they are device-bound [69]. Though Apple has provided a solution using their iCloud platform to, according to them, securely transfer the passkeys across their devices, excluding any non-Apple device [26].
Users also face difficulties navigating security settings and understanding technical instructions for setup on various platforms, where the interfaces are often different, creating a steeper learning curve [7,42]. Therefore, a simple and intuitive approach for migrating from password-based to passwordless setup is essential [90]. A study on German ID cards showed that users often still find the setup process of FIDO2 authenticators cumbersome, particularly when integrating devices like German ID cards or hardware tokens. This issue is exacerbated for non-technical users, who often struggle with software installation and understanding the required steps [11,90]. Privacy is also a concern among many users, where fears of tracking or data misuse created a substantial barrier to adoption, despite FIDO2 being designed to mitigate such risks [7].
As it is notoriously known, many people often mistrust change and new things. The same can be said for new technologies, where users frequently exhibit mistrust due to unfamiliarity. The transition from “something you know” (passwords) to “something you have” (passkeys) represents a paradigm shift that some find unsettling [7]. As passwords have been the primary authentication mechanism for decades, many users are accustomed to the text-based authentication mechanism and may struggle to grasp the conceptual differences between passwords and passkeys [27]. This may lead to viewing passkeys as more complex and thinking that the benefits are not significant enough to change, or users might tend to prefer methods they are already accustomed to, even if these are less secure [7,11,42,73,79,80,84,86,89,90].
Some users might find password managers sufficient to handle the ever-increasing number of passwords associated with different websites, further decreasing the perceived need for change [84]. The misalignment in recovery, usability across multiple devices, and how the authentication flow works may also make users hesitant to trust passkeys, fearing the loss of control over their authentication process [73,89].
Transitioning from password-based systems to passkeys also requires users to adapt to new workflows, such as managing authenticators and understanding device registration processes, which may be challenging for less tech-savvy individuals [11,48,82,88]. The initial setup process might also seem overly technical or cumbersome for non-technical users, leading to a disregard for change [14,89].
Users do not understand the general cryptographic safeguards of FIDO2 well, leading to skepticism about its efficacy [11,90]. As passkeys are relatively new to the public, many users often misunderstand the authentication flow. Despite FIDO2 providing strong security guarantees, some papers highlight that users think their private information is transmitted and stored off-device, with some users being unsure whether their private information is securely handled at all [11,48,73,88,90]. Another study highlighted that some users believe that the use of a FIDO2 token alone secures their account entirely, even when weaker fallback options are enabled. Unfortunately, this false sense of security can provide a new attack surface for sophisticated phishing attacks [16,73,82]. Users may also be susceptible to sophisticated phishing attacks that trick them into downgrading to a less secure authentication mechanism. That results in a complete disregard for the security that FIDO2 provides [82].
Raising awareness of the possibility of using a passwordless authentication mechanism is also a crucial approach for nudging users in a specific direction. One study shows that only 20% of the participants recognized the possibility of using FIDO2-based authentication on platforms like Microsoft and eBay [42]. Another study shows that many users are unaware of FIDO2 as a technology and its advantages, which hinders its faster adoption rate [11]. Leading companies try to nudge users toward more secure choices, but some users might perceive these nudges as coercive or intrusive, which can reduce trust in the system [89].
Differences in account types have been shown to affect users’ willingness to adopt FIDO2: for example, users were more inclined to use FIDO2 for high-value accounts such as banking and more reluctant to use it for lower-stakes accounts such as social media [48,88].
It is also crucial not to overlook users with disabilities or non-standard access patterns, who may find it difficult to adopt passkeys. For instance, users with physical limitations that prevent them from using biometrics cannot utilize systems that rely on biometric authentication [89].
Gaining a complete understanding of user perception is a complex and multifaceted challenge. Current research is sparse, and existing studies often involve a limited number of participants, making it difficult to draw firm conclusions. However, to further explore user perception and how to influence it, psychological theories and models of technology acceptance—such as the Technology Acceptance Model (TAM) and the Unified Theory of Acceptance and Use of Technology (UTAUT)—can be employed to better understand how to enhance user perception and, in turn, increase user adoption [95,96].

6.2. Improvements

Current academic research also indicates that passkeys offer numerous benefits for user adoption, even in the face of challenges. We will outline these improvements using the same approach we used to discuss the challenges previously.

6.2.1. Technical Improvements

From a technical perspective, passkeys bring numerous improvements, both for individual users and for users in the context of enterprise environments [16]. First, because passkeys are based on public-key cryptography, they are considered more secure than classical passwords as they do not rely on the user choosing a secure and long password [4,14]. Instead, the generation of a secure and randomized private-public key pair is performed on the device that generates the passkey without any user choices involved in the key pair generation. This is much more secure than any password authentication, as long as the private key is kept secret [16]. It has been proven that using public-key cryptography (in this case, with passkeys) is a very secure form of authentication [93]. Current research has also already started the process of developing and standardizing FIDO2 implementations that use public-key cryptography that is quantum-secure and thus future-proof [97].
Since a website or service that wants to authenticate a user only obtains the public key, the user needs to place less trust in that service. A leak of this public key gives an adversary no useful information and does not allow any information about the private key counterpart to be retrieved [29]. Furthermore, current password authentication methods store hashed passwords, which are still vulnerable to cracking given enough computing power [56]. Users often choose weak or reused passwords, making such hash cracking easier [2,83]. Salting, peppering, or using slow hash functions provide some protection but do not fully address the trust issues with password-based authentication [98,99]. Using passkeys removes this need to trust the service provider entirely. Furthermore, passkeys allow a new, unique key pair to be generated for every service that requires authentication, further strengthening passkey authentication [6].
Another critical point is that passkey authentication is achieved without sending the private key anywhere. The service sends a challenge to the user who wants to authenticate, which the user then signs using the private key on the local device [8]. The signed challenge is then sent back to the service, which can confirm the user’s authenticity using the corresponding public key. No private or secret information regarding the key pair is therefore leaked in a correctly implemented process [29]. Similarly to the previous point, this allows a user to put less trust in the service, as there is no need to trust the service to handle secret information securely during the authentication process. For passwords, this is entirely different. While protocols exist that do not require sending the password to the service, for example, Password-Authenticated Key Agreement (PAKE) in Ref. [100], the majority of services do not implement them [101]. Additionally, the user cannot easily check whether the service utilizes this form of password authentication or whether it was implemented correctly [102].
Passkeys bring another technical advantage from a user perspective: since the authentication does not involve sharing the private key, phishing a user’s authentication credentials becomes much harder [39]. We note that potential phishing attacks do exist, for example, those presented in [77,82] or [30], and a compromised device would still allow the private key to be stolen, but this requires many more technical steps on the attacker’s side [16]. Most importantly, however, it is no longer possible to set up a fake website that resembles a legitimate one and trick users into entering their password there, for example, by sending them a fraudulent email, as the passkey is different for each website [82].
In addition to the aforementioned technical improvements, passkeys allow integration into existing SSO authentication solutions, thereby enhancing the security of the Single Sign-On (SSO) login by all the mentioned benefits for an end user [10]. Especially in the context of an enterprise, this is valuable, as this improves the security against phishing attacks, which are dangerous in the context of SSO, where one single login gives access to many different enterprise resources [13].

6.2.2. Usability Improvements

In the usability category, current academic research also shows many different improvements over traditional authentication methods. First, users no longer need to remember any textual password or passphrase, which is arguably one of the most significant inconveniences of passwords for many users [2]. Passkeys only require users to access their hardware key, password manager, device, or whatever other solution manages their passkeys. At the same time, especially in recent years, we have seen an increasing number of platforms, browsers, and operating systems integrating support for and advocating the use of passkeys. Some operating systems, such as iOS, and browsers like Google Chrome, now even offer to create and use passkeys by default if the corresponding service supports it [7]. It has, therefore, become much easier and more seamless for a user to create and use passkeys. Some papers even suggest that since users often choose the path of least resistance, using passkeys has sometimes already become this path, and therefore, users choose it over old authentication methods [10,89]. Additionally, much research has focused on usability challenges in the setup and during the usage of passkeys. Hence, many improvements have already been researched or implemented in these steps, making them easier for non-technical users [11,45,70,88,91,94].

6.2.3. Perception Improvements

While there are still challenges regarding the user perception of passkeys, similar to the usability improvements, much work has been done by the major operating systems, browsers, and platform providers in communicating and educating about the benefits of passkeys. In combination with integrating them more deeply into existing authentication flows on operating systems and in browsers, these steps address the lack of knowledge and mistrust among end users about passkeys, therefore improving user perception [7,29,30].
It is, however, important to remark that it is not the passkeys themselves that directly bring improvements to the user perception of passkeys but rather the companies, organizations, and research projects that aim to educate and raise awareness about passkeys and their way of working [7].

6.3. Mapping of Challenges and Improvements

To obtain a clear view of the relationship between the identified challenges and improvements in the existing literature, Figure 5 has been created. It visualizes the mapping between identified passkey-related challenges and the corresponding improvements found in the literature. Challenges are listed on the left, and improvements are on the right, segmented by the following subcategories: technical improvements (blue), usability (green), and user perception (purple). Arrows between boxes represent direct mappings. Notably, several challenges remain unaddressed, and even where literature addresses some of the identified challenges, further research can still be highly useful to increase the strength of passkeys.

7. Lessons Learned and Discussion

As per RQ3, this paper aims to validate the possibility of deriving a relative number regarding the adoption of passkeys among end users for online authentication. Attempting to evaluate the current state of adoption for passkeys, we note that not much research has been completed in the area. Of the few papers that contain relevant data for this research question, all use some form of interview to gather data. Of these, the two most notable are, firstly, a 94-participant user study from 2020 in [7], also mentioned in [39], which looks into the usability of passwordless authentication, and secondly, a study with 279 participants in [94], focusing on general authentication patterns. Both papers quantify, to differing extents, how users evaluate passkeys and what is hindering their adoption. Still, due to the small amount of current research in this area, it is impossible to put exact numbers on how many users are using passwordless authentication and thereby evaluate the current adoption among users. Furthermore, since the few relevant studies still contain relatively few participants, this raises questions about the statistical significance of the results. The best estimate that can be found for describing the current adoption of passwordless authentication among end users is that 3% of participants in Ref. [48] from 2021 used or had tried passwordless authentication.
Because of the limited data available, we try to give an indirect estimate based on the availability of passwordless authentication in the current landscape of online services, etc. This form of data regarding the support of companies for passwordless authentication is available in larger quantities through the effort of various communities trying to obtain an overview. Looking at a set of large corporations’ services, some of the major service providers are at the forefront of implementing FIDO2. A few examples of these are Google, the Bank of America, PayPal, and Cloudflare [8].
All of this suggests that FIDO2 technology is at a point of higher adoption at large corporations and their services. In contrast, the little research that is available for measuring direct user adoption suggests that users are still reluctant to adopt the new technology, seeing some technical challenges and especially issues in the domain of user perception [39]. This is in line with the detailed insights described above, where it can be seen that, due to the described challenges in the category of user perception, there is still a relatively slow adoption of FIDO2 support among companies and end users [27,39,48,103].
Having looked at the current academic research from both angles, challenges and improvements, in three different categories, we argue that, overall, the current state of academia suggests that passkeys bring numerous benefits for end users and therefore have the potential to revolutionize the authentication system, while major challenges remain in the user perception of passkeys. This is reflected in the current adoption of this new technology: more and more companies are adding support for this form of authentication, while users are still slow to adopt it.
The technical improvements mainly stem from the fact that the ‘human factor’ is taken out of many steps in the process since, for example, there is no need to create a complex and long password. Apart from that, passkeys also do not require the end user to trust the service or website regarding the handling and storage of their authentication credentials. These improvements also lead to greater phishing protection, which allows for greater peace of mind from an end-user perspective, as it is no longer possible to accidentally type the password into the wrong website.
Research, however, also suggests that some significant technical challenges still need to be addressed by enhanced standardization and/or more consistent and correct implementations to increase passkey adoption, especially in the enterprise environment. We note that these technical challenges highly affect usability from a user perspective. Still, they are only solvable from a technical perspective; therefore, we list them here in the technical category. These technical challenges are as follows:
  • Account sharing. Currently, only a few solutions allow for the sharing of passkeys among multiple people. Usually, they are either very technical and rely on a specific protocol implementation, like in [92], or require all involved people to set up and use the same password manager, or rely on sharing a hardware key, which also gives access to other accounts. Especially in the context of enterprises, where account sharing and delegation are crucial for day-to-day business, these issues need to be solved to achieve a higher adoption rate of passkeys. We, furthermore, note that resolving this issue needs to be achieved in a way that does not weaken the high protection of passkeys against phishing attacks.
  • Passkey recovery. Despite this being tied to the high-security guarantees of passkeys, research suggests that many people fear losing their passkey(s), and therefore, losing access to their accounts. While this is not directly solvable by changing the passkeys themselves, it can be achieved by building standardized and secure ways of synchronizing passkeys among different devices, potentially allowing for restoring passkeys to a new device. We note that recent research has already started to propose solutions for this, like in [31] or [72], and standards like [104] have been released, focusing on setting secure guidelines. Additionally, we note that it is important to solve this problem while keeping the next point in mind.
  • Transferability. Related to the previous point, another key challenge is the transferability of passkeys. While it is good from a security perspective that passkeys are often tied directly to a hardware key or the device, this is not practical for many end users, as they can lose or damage devices, lose keys, or want to transfer their passkeys easily to a new device or service. Therefore, there needs to be an easy, standardized, and secure way of exporting or transferring passkeys to another device or system. As with the account sharing challenge, this must be achieved without weakening the protection against phishing attacks.
In the category of usability, we also observe that the state of research suggests multiple improvements. Passkeys have become very easy to use through the recently added support for passkeys on many big operating systems and browsers, as well as the many research projects that identified usability challenges and proposed corresponding improvements. At the same time, they address the most significant issue of old authentication methods, like passwords, of having to remember some secret. The only challenges that could be identified in this area were mainly issues around the setup and the usage guidance of passkeys. However, we note that research also suggests that passkey providers, etc., are attentive to the academic results around usability and improving upon the challenges.
The area of user perception shows the largest number of challenges from a user-centric perspective. Simply put, research suggests that there is still room for improvement regarding user awareness, knowledge, and guidance about passkeys and their use. Many research projects show that users often think of passkeys as a black box and do not know what is happening behind the scenes. Furthermore, since passkeys are generally very simple to use during an authentication flow, users sometimes associate this ease with a less secure process. This might be because users associate more work with a more secure process and vice versa. At the same time, through the recent support of big operating systems and browsers for passkeys, it can be seen that a boost in awareness and guidance for end users has been achieved. We note, however, that while this is a good thing, the technical challenges, especially transferability, must not be forgotten when relying on big tech companies to address this user perception issue. If standards for the transferability of passkeys are lacking, these companies might use the opportunity to educate users and encourage them to create and use passkeys within their respective ecosystems while ensuring that transferring passkeys to another ecosystem is difficult. This could effectively lock end users into their respective ecosystems.
A general observation common to all three subcategories is the need for general standardization in the implementation and use of passkeys. Standardization not only facilitates more streamlined development and integration across diverse platforms and devices, but it also mitigates security risks and attack vectors by reducing the likelihood of misconfigurations and implementation errors. From the user’s perspective, standardized passkey experiences can ease the adoption process by minimizing the cognitive load associated with learning different user interface paradigms from multiple providers—an important consideration in the context of an already significant paradigm shift away from passwords. Similarly, for service providers, having agreed-upon conventions—like the common structures seen in login or sign-up pages—can simplify implementation, promote best practices, and foster greater interoperability within the authentication ecosystem. All of this aids potentially faster adoption, reduces confusion about privacy concerns, and increases the security gains from moving away from passwords. As seen with the nudging of users by larger corporations, it can be suggested that standardization relies heavily on larger corporations and organizations such as Google, Meta, Microsoft, the FIDO Alliance, etc., for an increased likelihood of adoption.
We note that as outlined in the improvements section, the technical and usability categories show great potential regarding improvements for an end user, with the potential to improve authentication processes in the long term. The same cannot, however, be said for the category of user perception since passkeys, from that perspective, do not bring many improvements and thus have a lower impact. We note that while multiple technical challenges exist from an end user’s perspective, many of them could be addressed through improved standardization and/or improved implementations from the respective providers.
To give a final overview of the impact of the identified challenges and improvements on the adoption of passkeys, we rate each category in terms of improvements and challenges with an importance factor from an end user’s perspective. The rating is based on a scale from one to three, with one being low and three being high impact. Figure 6 shows the ratings that were derived based on the detailed insights. The exact rating values are also shown in Table 6 for completeness.
Considering the immense positive impact regarding improvements in the technical category, we give a score of two for the technical category in the domain challenges and a score of three for the domain improvements. For the usability category, it can be noted that not all issues have been resolved. Still, much academic research and progress have already been conducted, greatly improving the challenges for an end user in this category. Therefore, we give a rating of one for the domain challenges and a rating of two for the domain improvements. The user perception category, however, is clearly the category with the highest challenges from an end-user perspective, as academic research suggests that much more progress is needed to address the lack of knowledge and awareness among end users. Therefore, we assign a rating of one for the domain improvements and three for the domain challenges.
The overall rating for both domains, plotted against each other, can be seen in the radar plot in Figure 6. This graphical overview highlights the clear gap in improvements in the category of user perception.

8. Future Research Directions

In this review, some key limitations have centered around the relatively recent introduction of passkeys as a concept. Most surveys have focused on enterprise settings, university employees, and students, meaning the contextual and longitudinal data are relatively limited.
With the rapid adoption and further development efforts for the passkey, FIDO2, and WebAuthn specifications pushed by large influential organizations such as Apple, Microsoft, and Google, the landscape of passwordless authentication is evolving at an unprecedented pace. This growth in development and deployment creates a seedbed for future research that widens the demographics surveyed and checks for similarities and differences in this area based on characteristics such as age, gender, nationality, socioeconomic background, etc. In particular, surveys need to be broadened to cover passkey adoption across more diverse user groups in different contexts based on parameters such as socioeconomic factors, age, and job collar.
Another focus area would be users’ technical challenges today, such as passkey recovery practices, account sharing capabilities, and cross-device synchronization/transferability. The papers consider these concepts to be key hindrances to the widespread adoption of passkeys. Therefore, this focus area should not be limited to technical feasibility alone; it should also consider the usability implications and potential security impacts to ensure a smoother transition.
Another perspective that has been found significant during this literature review is the perception of security and how the user comes to feel secure. Some results suggested that passkeys and other FIDO2 authenticators, such as security keys, were adopted too quickly, which, together with the lack of knowledge of the under-the-hood workings of the specification and its technical application, showed signs of users lacking the needed trust in the technology. A survey in this direction should aim to bridge the division between perceived and actual security, ultimately resulting in a more favorable attitude towards passkey adoption.

9. Conclusions

For the research questions, it was found for RQ1 that passkeys face challenges concerning users’ perceptions of them, slowing the adoption rate. For RQ2, the technology improves the security of user authentication and, in doing so, provides a unique value proposition for users and corporations. For RQ3, determining the current level of adoption was not possible, as studies were found to be lacking in terms of the number of participants.
We conclude by coming back to our initial defined research questions and answering them explicitly as follows:
  • RQ1: What are the main challenges that hinder passkey adoption for end users?
    The main challenges we see from the current academic research are, firstly, the user perception of passkeys. The passkey technology itself cannot directly address this; instead, it must be addressed by improving user awareness and knowledge of the passkey technology. Secondly, despite significant improvements, current academia suggests there are key technical challenges regarding the account recovery, sharing, delegation, and transferability of passkeys. These challenges are especially relevant to the business adoption of passkeys and also negatively impact usability. Lastly, another aspect that can contribute to hindering passkey adoption is the lack of standardization, which makes passkeys harder to implement from a technical perspective and further increases the cognitive load on users who must learn different user interface paradigms from multiple providers.
  • RQ2: What are the main potential improvements to enhance passkey adoption among end users?
    Despite the challenges, we see clear improvements in passkeys that can enhance adoption. Passkeys offer superior technical security over existing authentication methods, like passwords, while achieving high usability. Furthermore, through numerous research studies in the usability domain, passkeys have already made significant progress and improved their setup and usability during authentication processes. These aspects are critical for the user-centric considerations of the adoption of passkeys.
  • RQ3: Is it possible to derive a relative number regarding the adoption of passkeys among end users for online authentication, and if so, what is the adoption rate?
    The first part of this research question can be answered with a tendency towards no. While some academic research tries to estimate the adoption rate among end users, we conclude that these studies do not provide enough evidence to be statistically significant. Other community-driven resources give at least an idea of the possibility of adopting passkeys from a user perspective, highlighting that more and more companies are offering support for this form of authentication.
Overall, we note that passkeys do indeed have the potential to revolutionize the authentication processes in today’s digital world. However, there is still a long way to go before the mass adoption of this new technology. While the current literature already focuses on solving the mentioned technical challenges, we see a clear need for more academic research focusing on effective strategies for enhancing the user perception of passkeys. In combination with the further expansion of passkey support among online services and companies, we believe that this will help increase the adoption rate of passkeys, ultimately leading to a more secure digital world that benefits both end users and companies.

Author Contributions

Conceptualization, A.M., A.R., M.B., O.H., M.P., G.C. and N.D.; methodology, A.M., A.R., M.B., O.H., M.P., G.C. and N.D.; validation, A.M., A.R., M.B., O.H., M.P., G.C. and N.D.; investigation, A.M., A.R., M.B. and O.H.; resources, A.M., A.R., M.B. and O.H.; data curation, A.M., A.R., M.B. and O.H.; writing—original draft preparation, A.M., A.R., M.B., O.H., M.P., G.C. and N.D.; writing—review and editing, M.P., G.C. and N.D.; visualization, A.M., A.R., M.B., O.H., M.P., G.C. and N.D.; supervision, M.P., G.C. and N.D.; project administration, M.P., G.C. and N.D.; funding acquisition, N.D. All authors have read and agreed to the published version of the manuscript.

Funding

This research received no external funding.

Data Availability Statement

Data available in a publicly accessible repository. The code we used is publicly accessible here: https://github.com/art-r/Passkey-Survey (accessed on 13 April 2025).

Conflicts of Interest

The authors declare no conflicts of interest.

Abbreviations

The following abbreviations are used in this manuscript:
CTAP    Client to Authenticator Protocol
CISO    Chief Information Security Officer
DAA     Direct Anonymous Attestation
DTU     Technical University of Denmark
FIDO    Fast Identity Online
FIDO2   Fast Identity Online 2
IAM     Identity and Access Management
LDA     Latent Dirichlet Allocation
OSINT   Open-Source Intelligence
OTP     One-Time Password
PAKE    Password-Authenticated Key Agreement
SSO     Single Sign-On
TEE     Trusted Execution Environment
TOTP    Time-based One-Time Password
TPM     Trusted Platform Module
U2F     Universal 2nd Factor
UFA     Universal Authentication Framework
UX      User Experience
W3C     World Wide Web Consortium

Appendix A

Overview of the Search Terms

Table A1. Overview of the used search terms. The term AND allows for a more loose search of the terms, i.e., not requiring the two (or more) terms to appear directly after each other.
No.  Search Keyword(s)
1    Passkeys
2    Passkeys AND user
3    Passkeys AND user AND challenges
4    Passkeys AND user AND difficulties
5    Passkeys AND user AND improvements
6    Passkeys AND effects
7    Passkeys AND security
8    Passkeys AND security AND effect
9    Passkeys AND security improvements
10   Passkeys AND secrecy
11   Passkeys AND implications
12   Passwords AND user AND challenges
13   Passwords AND user AND difficulties
14   Passwords AND user AND improvements
15   Passkeys vs. Passwords
16   passkeys AND end-user AND business end-user
17   passkeys AND challenges AND ecosystem lock-in AND portability
18   passkeys AND security constraints
19   passkeys AND security constraints AND adoptability
20   passkeys AND adoptability
21   passkeys AND awareness AND understanding
22   passkeys AND security effects AND phishing mitigation AND authentication methods
23   passkeys AND cross-service implications AND password leaking
24   passkeys AND enrollment AND passwords
25   passkeys AND recovery AND backup
26   passkeys AND adoptions AND google AND apple
27   passkeys AND integration AND authentication methods
28   passkeys AND end-user
29   passkeys AND business end-user
30   passkeys AND improvements
31   passkeys AND passwords
32   passkeys AND challenges AND ecosystem lock-in
33   passkeys AND challenges AND portability
34   passkeys AND security constraints AND adoptability
35   passkeys AND awareness
36   passkeys AND understanding
37   passkeys AND security effects AND phishing mitigation
38   passkeys AND cross-service implications AND password leaking
39   passkeys AND enrollment
40   passkeys AND recovery
41   passkeys AND backup
42   passkeys AND adoptions AND google
43   passkeys AND adoptions AND apple
44   passkeys AND integration AND authentication methods

References

1. Papathanasaki, M.; Maglaras, L.; Ayres, N. Modern Authentication Methods: A Comprehensive Survey. AI Comput. Sci. Robot. Technol. 2022, 2022, 1–24.
2. Pearman, S.; Thomas, J.; Naeini, P.E.; Habib, H.; Bauer, L.; Christin, N.; Cranor, L.F.; Egelman, S.; Forget, A. Let’s Go in for a Closer Look: Observing Passwords in Their Natural Habitat. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security (CCS ’17), Dallas, TX, USA, 30 October–3 November 2017; pp. 295–310.
3. Herley, C.; van Oorschot, P.C.; Patrick, A.S. Passwords: If We’re So Smart, Why Are We Still Using Them? In Financial Cryptography and Data Security; Dingledine, R., Golle, P., Eds.; Springer: Berlin/Heidelberg, Germany, 2009; pp. 230–237.
4. Bosnjak, L.; Brumen, B. Rejecting the Death of Passwords: Advice for the Future. Comput. Sci. Inf. Syst. 2019, 16, 313–332.
5. Wash, R.; Rader, E.; Berman, R.; Wellmer, Z. Understanding Password Choices: How Frequently Entered Passwords Are Re-used across Websites. In Proceedings of the Twelfth Symposium on Usable Privacy and Security (SOUPS 2016), Denver, CO, USA, 22–24 June 2016; pp. 175–188.
6. George, D.A.S. The Dawn of Passkeys: Evaluating a Passwordless Future. Partners Univers. Innov. Res. Publ. 2024, 2, 202–220.
7. Ghorbani Lyastani, S.; Schilling, M.; Neumayr, M.; Backes, M.; Bugiel, S. Is FIDO2 the Kingslayer of User Authentication? A Comparative Usability Study of FIDO2 Passwordless Authentication. In Proceedings of the 2020 IEEE Symposium on Security and Privacy (SP), San Francisco, CA, USA, 18–21 May 2020; pp. 268–285.
8. Angelogianni, A.; Politis, I.; Xenakis, C. How Many FIDO Protocols Are Needed? Analysing the Technology, Security and Compliance. ACM Comput. Surv. 2024, 56, 1–51.
9. Younis Mostafa, E.; Mohammed, S.J. The Landscape of Authentication Systems: A Comprehensive Survey. MINAR Int. J. Appl. Sci. Technol. 2023, 5, 1–16.
10. Bicakci, K.; Uzunay, Y. Is FIDO2 Passwordless Authentication a Hype or for Real? A Position Paper. In Proceedings of the 2022 15th International Conference on Information Security and Cryptography (ISCTURKEY), Ankara, Turkey, 19–20 October 2022; pp. 68–73.
11. Keil, M.; Markert, P.; Dürmuth, M. “It’s Just a Lot of Prerequisites”: A User Perception and Usability Analysis of the German ID Card as a FIDO2 Authenticator. In Proceedings of the 2022 European Symposium on Usable Security (EuroUSEC ’22), Karlsruhe, Germany, 29–30 September 2022; pp. 172–188.
12. Prasad, A. A Comparative Study of Passwordless Authentication. TechRxiv 2024.
13. Chaudhari, A.; Pawar, A.; Pawar, A.; Pawar, A.; Pawar, G. A Comprehensive Study on Authentication Systems. In Proceedings of the 2023 7th International Conference on Computing, Communication, Control and Automation (ICCUBEA), Pune, India, 18–19 August 2023; pp. 1–5.
14. Arabo, A.; Oduguwa, T. A Review of Password-less User Authentication Schemes. Authorea 2023.
15. Putz, F.; Schön, S.; Hollick, M. Future-Proof Web Authentication: Bring Your Own FIDO2 Extensions. In Emerging Technologies for Authorization and Authentication; Saracino, A., Mori, P., Eds.; Springer: Cham, Switzerland, 2021; pp. 17–32.
16. Kuchhal, D.; Saad, M.; Oest, A.; Li, F. Evaluating the Security Posture of Real-World FIDO2 Deployments. In Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security (CCS ’23), Copenhagen, Denmark, 26–30 November 2023; pp. 2381–2395.
17. Reynolds, J.; Smith, T.; Reese, K.; Dickinson, L.; Ruoti, S.; Seamons, K. A Tale of Two Studies: The Best and Worst of YubiKey Usability. In Proceedings of the 2018 IEEE Symposium on Security and Privacy (SP), San Francisco, CA, USA, 20–24 May 2018; pp. 872–888.
18. Al Kabir, M.A.; Elmedany, W. An Overview of the Present and Future of User Authentication. In Proceedings of the 2022 4th IEEE Middle East and North Africa COMMunications Conference (MENACOMM), Amman, Jordan, 6–8 December 2022; pp. 10–17.
19. Kizza, J.M. Authentication. In Guide to Computer Network Security; Kizza, J.M., Ed.; Springer International Publishing: Cham, Switzerland, 2024; pp. 215–238.
20. Newhouse, W.; Bartock, M.; Cichonski, J.; Ferraiolo, H.; Souppaya, M.; Brown, C.; Dog, S.E.; Prince, S.; Sexton, J. Derived Personal Identity Verification (PIV) Credentials: Includes Executive Summary (A); Approach, Architecture, and Security Characteristics (B); and How-to Guides (C); Technical Report NIST SP 1800-12; National Institute of Standards and Technology: Gaithersburg, MD, USA, 2019.
21. Commission Delegated Regulation (EU) 2018/389, consolidated text of 12 September 2023 (EUR-Lex document 02018R0389-20230912). Available online: https://eur-lex.europa.eu/eli/reg_del/2018/389/2023-09-12 (accessed on 1 March 2025).
22. Boopathy, D.; Sundaresan, M. Framework Model and Algorithm of Request Based One Time Passkey (ROTP) Mechanism to Authenticate Cloud Users in Secured Way. In Proceedings of the 10th INDIACom—2016 3rd International Conference on Computing for Sustainable Global Development, New Delhi, India, 16–18 March 2016; Hoda, M.N., Ed.; pp. 3898–3903.
23. Biggio, B.; Akhtar, Z.; Fumera, G.; Marcialis, G.; Roli, F. Security Evaluation of Biometric Authentication Systems under Real Spoofing Attacks. IET Biom. 2012, 1, 11–24.
24. Ryu, R.; Yeom, S.; Herbert, D.; Dermoudy, J. The Design and Evaluation of Adaptive Biometric Authentication Systems: Current Status, Challenges and Future Direction. ICT Express 2023, 9, 1183–1197.
25. Pagnin, E.; Mitrokotsa, A. Privacy-Preserving Biometric Authentication: Challenges and Directions. Secur. Commun. Netw. 2017, 2017, 1–9.
26. Arora, S.S.; Badrinarayanan, S.; Raghuraman, S.; Shirvanian, M.; Wagner, K.; Watson, G. Avoiding Lock Outs: Proactive FIDO Account Recovery Using Managerless Group Signatures. Cryptology ePrint Archive, Paper 2022/1555, 2022. Available online: https://eprint.iacr.org/2022/1555 (accessed on 1 March 2025).
27. Das, S.; Dingman, A.; Camp, L.J. Why Johnny Doesn’t Use Two Factor: A Two-Phase Usability Study of the FIDO U2F Security Key. In Financial Cryptography and Data Security; Meiklejohn, S., Sako, K., Eds.; Springer: Berlin/Heidelberg, Germany, 2018; pp. 160–179.
28. Ciolino, S.; Parkin, S.; Dunphy, P. Of Two Minds about Two-Factor: Understanding Everyday FIDO U2F Usability through Device Comparison and Experience Sampling. In Proceedings of the Fifteenth USENIX Conference on Usable Privacy and Security (SOUPS ’19), Santa Clara, CA, USA, 11–13 August 2019; pp. 339–356.
29. Kepkowski, M.; Hanzlik, L.; Wood, I.; Kaafar, M.A. How Not to Handle Keys: Timing Attacks on FIDO Authenticator Privacy. arXiv 2022.
30. Kim, D.; Kim, S.; Ryu, G.; Choi, D. Session Replication Attack Through QR Code Sniffing in Passkey CTAP Registration. In ICT Systems Security and Privacy Protection; Pitropakis, N., Katsikas, S., Furnell, S., Markantonakis, K., Eds.; Springer: Cham, Switzerland, 2024; pp. 294–307.
31. Mitra, A.; Ghosh, A.; Sethuraman, S.C. TUSH-Key: Transferable User Secrets on Hardware Key. arXiv 2023.
32. Lyastani, S.G.; Backes, M.; Bugiel, S. A Systematic Study of the Consistency of Two-Factor Authentication User Journeys on Top-Ranked Websites. In Proceedings of the 2023 Network and Distributed System Security Symposium (NDSS), San Diego, CA, USA, 27 February–3 March 2023.
33. ISO 9241-11:2018; Ergonomics of Human-System Interaction, Part 11: Usability: Definitions and Concepts. ISO: Geneva, Switzerland, 2018.
34. Abraham, S.; Chengalur-Smith, I. An Overview of Social Engineering Malware: Trends, Tactics, and Implications. Technol. Soc. 2010, 32, 183–196.
35. Daza, D.R.M.; Tabuco, F.C.A.; Naval, P.C. Phishing Detection Using Ensemble of Classifiers. In Recent Challenges in Intelligent Information and Database Systems; Nguyen, N.T., Chbeir, R., Manolopoulos, Y., Fujita, H., Hong, T.P., Nguyen, L.M., Wojtkiewicz, K., Eds.; Springer Nature: Singapore, 2024; Volume 2144, pp. 39–50.
36. Centre for Cyber Security (CFCS). The Cyber Threat from Phishing Mails. 2020. Available online: https://www.cfcs.dk/en/cybertruslen/threat-assessments/phishing/ (accessed on 1 March 2025).
37. Thomopoulos, G.A.; Lyras, D.P.; Fidas, C.A. A Systematic Review and Research Challenges on Phishing Cyberattacks from an Electroencephalography and Gaze-Based Perspective. Pers. Ubiquitous Comput. 2024, 28, 449–470.
38. Peng, P.; Xu, C.; Quinn, L.; Hu, H.; Viswanath, B.; Wang, G. What Happens After You Leak Your Password: Understanding Credential Sharing on Phishing Sites. In Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security (Asia CCS ’19), Auckland, New Zealand, 9–12 July 2019; pp. 181–192.
39. Bock, M. Measuring Adoption of Phishing-Resistant Authentication Methods on the Web. 2023. Available online: https://hdms.bsz-bw.de/frontdoor/index/index/docId/7038 (accessed on 1 March 2025).
40. Qualys SSL Labs. SSL Pulse. Available online: https://www.ssllabs.com/ssl-pulse/ (accessed on 1 March 2025).
41. Baier, E. The Evolution of SSL and TLS. DigiCert Blog, 2015. Available online: https://www.digicert.com/blog/evolution-of-ssl (accessed on 1 March 2025).
42. Furuberg, I.L.; Øseth, M. From Password to Passwordless: Exploring User Experience Obstacles to the Adoption of FIDO2 Authentication. Master’s Thesis, NTNU, Ålesund, Norway, 2023.
43. Ometov, A.; Bezzateev, S.; Mäkitalo, N.; Andreev, S.; Mikkonen, T.; Koucheryavy, Y. Multi-Factor Authentication: A Survey. Cryptography 2018, 2, 1.
44. Arthur, W.; Challener, D.; Goldman, K. A Practical Guide to TPM 2.0: Using the New Trusted Platform Module in the New Age of Security; Springer Nature: Singapore, 2015.
45. Das, S.; Russo, G.; Dingman, A.C.; Dev, J.; Kenny, O.; Camp, L.J. A Qualitative Study on Usability and Acceptability of Yubico Security Key. In Proceedings of the 7th Workshop on Socio-Technical Aspects in Security and Trust (STAST ’17), Orlando, FL, USA, 5 December 2017; pp. 28–39.
46. Frykholm, N.; Juels, A. Error-Tolerant Password Recovery. In Proceedings of the 8th ACM Conference on Computer and Communications Security (CCS ’01), Philadelphia, PA, USA, 5–8 November 2001; pp. 1–9.
47. Forget, A.; Chiasson, S.; van Oorschot, P.C.; Biddle, R. Improving Text Passwords through Persuasion. In Proceedings of the 4th Symposium on Usable Privacy and Security (SOUPS ’08), Pittsburgh, PA, USA, 23–25 July 2008; pp. 1–12.
48. Owens, K.; Anise, O.; Krauss, A.; Ur, B. User Perceptions of the Usability and Security of Smartphones as FIDO2 Roaming Authenticators. In Proceedings of the Seventeenth USENIX Conference on Usable Privacy and Security (SOUPS ’21), Virtual Event, 9–10 August 2021; pp. 57–76.
49. Tam, L.; Glassman, M.; Vandenwauver, M. The Psychology of Password Management: A Tradeoff between Security and Convenience. Behav. Inf. Technol. 2010, 29, 233–244.
50. Kim, B.C.; Park, Y.W. Security versus Convenience? An Experimental Study of User Misperceptions of Wireless Internet Service Quality. Decis. Support Syst. 2012, 53, 1–11.
51. Walia, K.S.; Shenoy, S.; Cheng, Y. An Empirical Analysis on the Usability and Security of Passwords. In Proceedings of the 2020 IEEE 21st International Conference on Information Reuse and Integration for Data Science (IRI), Las Vegas, NV, USA, 11–13 August 2020; pp. 1–8.
52. Seitz, T.; Hartmann, M.; Pfab, J.; Souque, S. Do Differences in Password Policies Prevent Password Reuse? In Proceedings of the 2017 CHI Conference Extended Abstracts on Human Factors in Computing Systems, Denver, CO, USA, 6–11 May 2017; pp. 2056–2063.
53. Uzonyi, D.G.; Pitropakis, N.; McKeown, S.; Politis, I. OPSEC VS Leaked Credentials: Password Reuse in Large-Scale Data Leaks. In Proceedings of the 2023 IEEE 28th International Workshop on Computer Aided Modeling and Design of Communication Links and Networks (CAMAD), Edinburgh, UK, 6–8 November 2023; pp. 74–79.
54. Zimmermann, V.; Marky, K.; Renaud, K. Hybrid Password Meters for More Secure Passwords—A Comprehensive Study of Password Meters Including Nudges and Password Information. Behav. Inf. Technol. 2023, 42, 700–743.
55. Umejiaku, A.P.; Dhakal, P.; Sheng, V.S. Balancing Password Security and User Convenience: Exploring the Potential of Prompt Models for Password Generation. Electronics 2023, 12, 2159.
56. Fernando, W.P.K.; Dissanayake, D.A.N.P.; Dushmantha, S.G.V.D.; Liyanage, D.L.C.P.; Karunatilake, C. Challenges and Opportunities in Password Management: A Review of Current Solutions. Sri Lanka J. Soc. Sci. Humanit. 2023, 3, 9–20.
57. Hall, R.C.; Hoppa, M.A.; Hu, Y.H. An Empirical Study of Password Policy Compliance. J. Colloq. Inf. Syst. Secur. Educ. 2023, 10, 8.
58. Arias-Cabarcos, P.; Marin, A.; Palacios, D.; Almenarez, F.; Diaz-Sanchez, D. Comparing Password Management Software: Toward Usable and Secure Enterprise Authentication. IT Prof. 2016, 18, 34–40.
59. Hien, T.N.T.; Sangsongfa, A.; Amm-Dee, N. Discovering Personal Data Security Issues: Insights from “Have I Been Pwned”. In Advances in Computing and Data Sciences; Singh, M., Tyagi, V., Gupta, P.K., Flusser, J., Ören, T., Cherif, A.R., Tomar, R., Eds.; Springer Nature: Cham, Switzerland, 2025; Volume 2194, pp. 259–269.
60. Rahman, T.; Rohan, R.; Pal, D.; Kanthamanon, P. Human Factors in Cybersecurity: A Scoping Review. In Proceedings of the 12th International Conference on Advances in Information Technology, Bangkok, Thailand, 29 June–1 July 2021; pp. 1–11.
61. Naqvi, B.; Perova, K.; Farooq, A.; Makhdoom, I.; Oyedeji, S.; Porras, J. Mitigation Strategies against the Phishing Attacks: A Systematic Literature Review. Comput. Secur. 2023, 132, 103387.
62. Chowdhury, N.H.; Adam, M.T.P.; Skinner, G. The Impact of Time Pressure on Cybersecurity Behaviour: A Systematic Literature Review. Behav. Inf. Technol. 2019, 38, 1290–1308.
63. Grobler, M.; Gaire, R.; Nepal, S. User, Usage and Usability: Redefining Human Centric Cyber Security. Front. Big Data 2021, 4, 583723.
64. Petersen, K.; Vakkalanka, S.; Kuzniarz, L. Guidelines for Conducting Systematic Mapping Studies in Software Engineering: An Update. Inf. Softw. Technol. 2015, 64, 1–18.
65. Webster, J.; Watson, R. Analyzing the Past to Prepare for the Future: Writing a Literature Review. MIS Q. 2002, 26, xiii–xxiii.
66. Wohlin, C. Guidelines for Snowballing in Systematic Literature Studies and a Replication in Software Engineering. In Proceedings of the 18th International Conference on Evaluation and Assessment in Software Engineering, London, UK, 13–14 May 2014; pp. 1–10.
67. Tay, A. How to Write a Superb Literature Review. Nature 2020, d41586-020-03422-x.
68. Stanton, J.M.; Stam, K.R.; Mastrangelo, P.; Jolton, J. Analysis of End User Security Behaviors. Comput. Secur. 2005, 24, 124–133.
69. Rahman, B. Conflicts Between Passkeys and European E-ID Scheme. 2024. Available online: https://urn.fi/URN:NBN:fi-fe2024083067275 (accessed on 1 March 2025).
70. Corella, F. Overcoming the UX Challenges Faced by FIDO Credentials in the Consumer Space. In HCI for Cybersecurity, Privacy and Trust; Moallem, A., Ed.; Springer: Cham, Switzerland, 2023; pp. 447–466.
71. Alqubaisi, F.; Wazan, A.S.; Ahmad, L.; Chadwick, D.W. Should We Rush to Implement Password-less Single Factor FIDO2 Based Authentication? In Proceedings of the 2020 12th Annual Undergraduate Research Conference on Applied Computing (URC), Dubai, United Arab Emirates, 15–16 April 2020; pp. 1–6.
72. Shiraishi, M.; Shinagawa, T. Toward Cloud-Based FIDO Authentication with Secure Credentials Recovery. Available online: https://www.os.is.s.u-tokyo.ac.jp/papers/posters/2023-acsac-shiraishi-abstract.pdf (accessed on 1 March 2025).
73. Lassak, L.; Pan, E.; Ur, B.; Golla, M. Why Aren’t We Using Passkeys? Obstacles Companies Face Deploying FIDO2 Passwordless Authentication. In Proceedings of the 33rd USENIX Security Symposium (USENIX Security 24), Philadelphia, PA, USA, 14–16 August 2024; pp. 7231–7248.
74. Blei, D.; Ng, A.; Jordan, M. Latent Dirichlet Allocation. In Advances in Neural Information Processing Systems 14; MIT Press: Cambridge, MA, USA, 2001.
75. Hoffman, M.D.; Blei, D.M.; Bach, F. Online Learning for Latent Dirichlet Allocation. In Proceedings of the 24th International Conference on Neural Information Processing Systems (NIPS ’10), Red Hook, NY, USA, 6–9 December 2010; Volume 1, pp. 856–864.
76. Chuang, J.; Manning, C.D.; Heer, J. Termite: Visualization Techniques for Assessing Textual Topic Models. In Proceedings of the International Working Conference on Advanced Visual Interfaces (AVI ’12), 2012; pp. 74–77.
77. Chen, P. Vulnerability Testing for WebAuthn. Ph.D. Thesis, University of Twente, Enschede, The Netherlands, 2024.
78. Domingues, P.; Frade, M.; Negrao, M. Digital Forensic Artifacts of FIDO2 Passkeys in Windows 11. In Proceedings of the 19th International Conference on Availability, Reliability and Security (ARES ’24), Vienna, Austria, 30 July–2 August 2024; pp. 1–10.
79. Georgiadis, E. FIDO2 Overview, Use Cases, and Security Considerations. Ph.D. Thesis, School of Information Sciences and Technology, Department of Informatics, Athens, Greece, 2023.
80. Guirat, I.B.; Halpin, H. Formal Verification of the W3C Web Authentication Protocol. In Proceedings of the 5th Annual Symposium and Bootcamp on Hot Topics in the Science of Security, Raleigh, NC, USA, 10–11 April 2018; pp. 1–10.
81. Schrempp, L. Formal Verification of FIDO2 with Human Interaction. Master’s Thesis, Information Security Group, Swiss Federal Institute of Technology (ETH) Zurich, Zurich, Switzerland, 2023; 91p.
82. Ulqinaku, E.; Assal, H.; Abdou, A.; Chiasson, S.; Čapkun, S. Is Real-time Phishing Eliminated with FIDO? Social Engineering Downgrade Attacks Against FIDO Protocols. Cryptology ePrint Archive, Paper 2020/1298, 2020. Available online: https://eprint.iacr.org/2020/1298 (accessed on 1 March 2025).
83. Blessing, J.; Hugenroth, D.; Anderson, R.J.; Beresford, A.R. SoK: Web Authentication in the Age of End-to-End Encryption. arXiv 2024.
84. Farke, F.M.; Lorenz, L.; Schnitzler, T.; Markert, P.; Dürmuth, M. “You Still Use the Password after all”—Exploring FIDO2 Security Keys in a Small Company. In Proceedings of the Sixteenth Symposium on Usable Privacy and Security (SOUPS 2020), Online, 7–11 August 2020; pp. 19–35.
85. Kepkowski, M.; Machulak, M.; Wood, I.; Kaafar, D. Challenges with Passwordless FIDO2 in an Enterprise Setting: A Usability Study. In Proceedings of the 2023 IEEE Secure Development Conference (SecDev), Atlanta, GA, USA, 18–20 October 2023; pp. 37–48.
86. Marky, K.; Ragozin, K.; Chernyshov, G.; Matviienko, A.; Schmitz, M.; Mühlhäuser, M.; Eghtebas, C.; Kunze, K. “Nah, It’s Just Annoying!” A Deep Dive into User Perceptions of Two-Factor Authentication. ACM Trans. Comput.-Hum. Interact. 2022, 29, 1–32.
87. Reese, K.; Smith, T.; Dutson, J.; Armknecht, J.; Cameron, J.; Seamons, K. A Usability Study of Five Two-Factor Authentication Methods. In Proceedings of the Fifteenth USENIX Conference on Usable Privacy and Security (SOUPS ’19), Santa Clara, CA, USA, 11–13 August 2019; pp. 357–370.
88. Würsching, L.; Putz, F.; Haesler, S.; Hollick, M. FIDO2 the Rescue? Platform vs. Roaming Authentication on Smartphones. In Proceedings of the 2023 CHI Conference on Human Factors in Computing Systems (CHI ’23), Hamburg, Germany, 23–28 April 2023; pp. 1–16.
89. Esberg, L. Exploring How UX Design Can Influence Users to Behave More Securely. 2024. Available online: https://www.divaportal.org/smash/record.jsf?pid=diva2%3A1867602&dswid=2574 (accessed on 1 March 2025).
90. Lassak, L.; Hildebrandt, A.; Golla, M.; Ur, B. “It’s Stored, Hopefully, on an Encrypted Server”: Mitigating Users’ Misconceptions About FIDO2 Biometric WebAuthn. In Proceedings of the 30th USENIX Security Symposium (USENIX Security 21), Virtual Event, 11–13 August 2021; pp. 91–108.
91. Bandre, S.R. Design and Implementation of Smartphone Authentication System Based on Color-Code. In Proceedings of the 2015 International Conference on Pervasive Computing (ICPC), Pune, India, 8–10 January 2015; pp. 1–5.
92. Luke, K.; Kondo, T.; Kai, S.; Mayes, K.; Tezuka, S. Using Secret Sharing to Improve FIDO Attack Resistance for Multi-Device Credentials. In Proceedings of the 2023 8th International Conference on Information and Network Technologies (ICINT), Tokyo, Japan, 19–21 May 2023; pp. 49–56.
93. Nishith, D.; Samanta, I. Intelligent Authentication Gateway: Bridging the Gap Between Traditional and FIDO2 Security Through AI/ML Enhancement. Available online: https://engrxiv.org/preprint/download/3699/6576/5295 (accessed on 1 March 2025).
94. Amft, S.M. On the Usability of Authentication Security Communication. Doctoral Thesis, Institutionelles Repositorium der Leibniz Universität Hannover, Hannover, Germany, 2024.
95. Venkatesh, V. Determinants of Perceived Ease of Use: Integrating Control, Intrinsic Motivation, and Emotion into the Technology Acceptance Model. Inf. Syst. Res. 2000, 11, 342–365.
96. Venkatesh, V.; Morris, M.G.; Davis, G.B.; Davis, F.D. User Acceptance of Information Technology: Toward a Unified View. MIS Q. 2003, 27, 425–478.
97. Ghinea, D.; Kaczmarczyck, F.; Pullman, J.; Cretin, J.; Kölbl, S.; Misoczki, R.; Picod, J.M.; Invernizzi, L.; Bursztein, E. Hybrid Post-Quantum Signatures in Hardware Security Keys. In Applied Cryptography and Network Security Workshops; Springer: Cham, Switzerland, 2023.
98. Bonneau, J.; Herley, C.; van Oorschot, P.C.; Stajano, F. The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes. In Proceedings of the 2012 IEEE Symposium on Security and Privacy, San Francisco, CA, USA, 20–23 May 2012; pp. 553–567.
99. Itoh, K.; Kanaoka, A. Survey of Services That Store Passwords in a Recoverable Manner. In HCI for Cybersecurity, Privacy and Trust; Moallem, A., Ed.; Springer: Cham, Switzerland, 2023; pp. 68–77.
100. Hao, F.; Ryan, P.Y.A. Password Authenticated Key Exchange by Juggling. In Security Protocols XVI; Christianson, B., Malcolm, J.A., Matyas, V., Roe, M., Eds.; Springer: Berlin/Heidelberg, Germany, 2011; pp. 159–171.
101. Jarecki, S.; Krawczyk, H.; Xu, J. OPAQUE: An Asymmetric PAKE Protocol Secure Against Pre-computation Attacks. In Advances in Cryptology—EUROCRYPT 2018; Nielsen, J.B., Rijmen, V., Eds.; Springer International Publishing: Cham, Switzerland, 2018; Volume 10822, pp. 456–486.
102. Lancrenon, J. On Password-Authenticated Key Exchange Security Modeling. In Technology and Practice of Passwords; Stajano, F., Mjølsnes, S.F., Jenkinson, G., Thorsheim, P., Eds.; Springer International Publishing: Cham, Switzerland, 2016; Volume 9551, pp. 120–143.
103. Lassak, L.; Markert, P.; Golla, M.; Stobert, E.; Dürmuth, M. A Comparative Long-Term Study of Fallback Authentication Schemes. In Proceedings of the CHI Conference on Human Factors in Computing Systems, Honolulu, HI, USA, 11–16 May 2024; pp. 1–19.
104. Regenscheid, A.; Temoshok, D.; LaSalle, C. Incorporating Syncable Authenticators into NIST SP 800-63B: Digital Identity Guidelines—Authentication and Lifecycle Management; Technical Report NIST SP 800-63B Supplement 1; National Institute of Standards and Technology: Gaithersburg, MD, USA, 2024.
Figure 1. Number of papers remaining after each step of the literature search. The underlined number is the final number of papers included in the literature review.
Figure 2. Word cloud of the text of all collected papers. Stop words and filler words were removed before generating the word cloud.
Figure 3. Results of the LDA analysis with 10 topics. The left side shows the topic clusters, and the right side shows the 30 most salient terms [76].
Figure 4. Results of the LDA analysis with three topics. The left side shows the topic clusters, and the right side shows the 30 most salient terms [76].
Figure 5. Mapping between the identified challenges and the improvements proposed in the existing literature. It also highlights the gaps in the literature where only challenges have been identified, with no proposed improvement.
Figure 6. Overview of the identified impact of the improvement and challenge categories.
Table 1. Overview of related work and this work and the aspects each covers; ‘x’ indicates that the respective property is covered in the listed related work.
Columns: Literature | Literature Survey | Passkey Focus | Technical Focus | Protocol Focus | Usability Focus
[1] x
[9] x
[12] x
[13]xxx
[14]xx x
[15] x
[8]xxxx
[16] x
[7] x x
[17] x
[18] x
Our work | x | x | x | x | x

Table 2. Identified key papers after the initial search.
No. | Citation
1 | [14]
2 | [68]
3 | [69]
4 | [42]
5 | [39]
6 | [70]

Table 3. Further key papers identified after filtering. The first six key papers are listed in Table 2.
No. | Citation
7 | [71]
8 | [6]
9 | [72]
10 | [73]

Table 4. Overview of which papers touch upon passkey challenges, with three subcategories for further specification.
Category | References
Technical | [6, 13, 15, 26, 29, 30, 71, 73, 77, 78, 79, 80, 81, 82]
Usability | [6, 8, 11, 12, 13, 17, 27, 28, 42, 45, 48, 69, 71, 79, 82, 83, 84, 85, 86, 87, 88]
User Perception | [7, 11, 16, 27, 42, 48, 73, 79, 80, 82, 84, 86, 88, 89, 90]

Table 5. Overview of which papers touch upon passkey improvements, with three subcategories for further specification.
Category | References
Technical | [8, 16, 26, 31, 39, 72, 77, 91, 92, 93]
Usability | [10, 27, 45, 70, 94]
User Perception | [7, 14, 89]

Table 6. Impact rating of each category for the areas of improvements and challenges from a user perspective, where 1 is low and 3 is high impact.
Category | Improvement | Challenges
Technical | 3 | 2
Usability | 3 | 1
User Perception | 1 | 3

Share and Cite

MDPI and ACS Style

Matzen, A.; Rüffer, A.; Byllemos, M.; Heine, O.; Papaioannou, M.; Choudhary, G.; Dragoni, N. Challenges and Potential Improvements for Passkey Adoption—A Literature Review with a User-Centric Perspective. Appl. Sci. 2025, 15, 4414. https://doi.org/10.3390/app15084414
