About Why No Passkeys?
Passkeys are a phishing-resistant way to sign in, built on the WebAuthn standard. They can't be reused, leaked in a breach, or handed to a fake login page — whether they replace a password or add a strong second factor on top. Yet many of the world's biggest websites still don't offer them.
This site names the most popular sites that haven't adopted passkeys — to make the gap visible and nudge them to act. New to passkeys? Start with Passkeys 101: an introduction to passkeys and how they work.
Who's behind this
This is a project by Scott Helme, a security researcher, and is sponsored by Report URI. Pushing the web towards phishing-resistant authentication has been a long-running theme — first getting sites onto HTTPS, and now onto passkeys.
Passkeys are a huge step forward, but they're not the whole story. They protect the login; they don't protect what happens in the browser afterwards, where client-side attacks like XSS can still hijack a session or abuse the passkey flow. That's why Report URI offers passkey protection. Naming the sites that haven't adopted passkeys, and helping the ones that have secure them properly, are two sides of the same goal.
Where the data comes from
- Global list & the United States: from Cloudflare Radar Domain Rankings (the successor to the retired Alexa list), filtered to genuine sign-in destinations.
- Per-country lists: from the Tranco top-1M ranking, with each site assigned to a country by its national domain (ccTLD) — e.g. .uk → United Kingdom — so these pages show each country's own popular sites, not just the global brands everyone uses.
- Passkey support: from passkeys.directory, the community-maintained index run by 2factorauth.
Currently tracking 360 passkey-supporting domains across 187 country reports. Data generated 2026-06-22 13:35 UTC.
Which sites are listed
For the global and US lists, raw popularity rankings are full of infrastructure no one signs in to — CDNs, ad and analytics endpoints, API and telemetry hosts (gstatic.com, doubleclick.net, amazonaws.com…). We drop those using Cloudflare Radar's domain categories (Content Servers, Advertisements, APIs) plus a denylist, then take the top 25 genuine destinations. Per-country (ccTLD) lists are filtered with the same denylist plus a check for DNS/hosting infrastructure.
Why the split? Cloudflare Radar's per-country rankings are dominated by the same global giants everywhere, while ccTLD attribution surfaces genuinely local sites. The US is the exception — US sites mostly use .com, which can't be attributed by domain — so it falls back to Radar popularity.
How a site is classified
For each site we collapse its domain to its registrable form (e.g. mail.google.com → google.com) and check it against passkeys.directory. If it's listed, we show Passkeys; if not, we show No passkeys.
Caveats
Passkey support can't be reliably detected automatically — registration happens behind login flows — so this site relies on the curated directory. A site marked "No passkeys" may have shipped support that the directory hasn't catalogued yet. Matching is by registrable domain, so passkey support on any subdomain counts for the whole domain.
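The registrable-domain matching described under "How a site is classified" and in the caveat above can be sketched as follows. This is an added example, not this site's own code: it shows why the collapse needs a public-suffix lookup rather than "last two labels", and how a subdomain inherits the whole domain's status. The suffix sample, directory entries, country map and function names are all constructed assumptions.

```python
# Added example. The suffix sample, directory set and country map are constructed;
# a real implementation would load the full Public Suffix List.
PUBLIC_SUFFIXES = {"com", "net", "uk", "co.uk", "org.uk", "de", "jp", "co.jp"}
CCTLD_COUNTRY = {"uk": "United Kingdom", "de": "Germany", "jp": "Japan"}
DIRECTORY = {"example.com", "example.co.uk"}  # stand-in for passkeys.directory


def registrable_domain(host):
    """Return the public suffix plus one label, or None if there is none."""
    host = host.strip().rstrip(".").lower()
    labels = host.split(".")
    if "" in labels or host in PUBLIC_SUFFIXES:
        return None  # malformed, or a bare suffix such as co.uk
    # Longest suffix first, so co.uk wins over uk.
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return None  # suffix not in the sample


def classify(host):
    """Map a hostname to (registrable domain, label shown on the site)."""
    domain = registrable_domain(host)
    label = "Passkeys" if domain in DIRECTORY else "No passkeys"
    return domain, label


def country_for(host):
    """Attribute a site to a country by ccTLD; None for generic TLDs like .com."""
    domain = registrable_domain(host)
    if domain is None:
        return None
    return CCTLD_COUNTRY.get(domain.rsplit(".", 1)[-1])


if __name__ == "__main__":
    # Constructed hostnames, plus the page's own mail.google.com example.
    for h in ["mail.google.com", "shop.example.co.uk", "www.example.de", "co.uk"]:
        print(h, classify(h), country_for(h))
```

Taking only the last two labels would collapse shop.example.co.uk to co.uk and match every .co.uk site against one entry, which is why the suffix lookup comes first.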