Passkey Adoption Reality Check: Did Finance Really Switch?
By the end of 2024, passkeys were technically available across most major banking platforms. Mobile apps supported them. Web flows allowed them. Documentation explained them. Yet login behaviour barely moved.Â
For financial institutions, this disconnect created a quiet operational problem. Fraud metrics did not improve. Support volumes did not fall. Passwords remained the default behaviour, even where passkeys were fully deployed. The technology worked. Adoption did not.
The reasons were not mysterious. Customers did not clearly understand why switching mattered. Desktop login experiences introduced friction that mobile flows avoided. Password fallbacks remained too convenient to abandon. Availability solved engineering readiness, not user habits.
So, why did passkey adoption stall after rollout, and what actually drives behavioural change in financial services?
Where consumer platforms pulled ahead
Consumer platforms moved quickly. Retail and e-commerce users adopted passkeys because shopping apps prioritise speed and rarely trigger lockout anxiety. Amazon dominates passkey traffic because checkout friction directly affects revenue. Users experiment freely when account recovery feels low-risk.
Financial services moved differently. Banks enabled passkeys, but users retained passwords as the default. Nothing forced a switch. The FIDO Alliance Passkey Index 2025 shows passkey adoption in financial services lags significantly behind retail, despite comparable technical readiness. Banks face longer adoption curves because account lockouts trigger regulatory scrutiny, legacy systems resist change, and conservative policies prioritise recovery over innovation.
Across multiple banking deployments, post-launch data shows the same pattern: enrolment remains in single digits months after enablement. Technical systems function as designed, but customer behaviour does not shift without deliberate intervention. Availability alone does not change authentication behaviour.
What adoption looks like across sectors
Adoption patterns diverge sharply by sector, largely based on how much friction users tolerate and how strongly platforms enforce change.
| Sector | Adoption Pattern | Core Friction | Timeline to Scale |
| E-commerce | Fast, voluntary | Cart abandonment fears | 3–6 months |
| Cryptocurrency | Forced, rapid | High-stakes security culture | 1–3 months |
| Retail banking | Slow, optional | Desktop confusion, legacy browsers | 12–18+ months |
| Fintech apps | Moderate, nudged | Mobile-first design | 4–8 months |
Cryptocurrency platforms such as Gemini drove adoption by making passkeys mandatory. Traditional banks preserved choice, and users defaulted to familiar workflows. Fintech platforms landed between these extremes because mobile-first designs reduced friction without enforcing migration.
First Credit Union illustrates what a deliberate strategy can deliver: over half of all authentications now use passkeys following a targeted rollout. PayPal reported a near-direct correlation between increased passkey usage and reduced fraud costs.
Subscribe to our bi-weekly newsletter
Get the latest trends, insights, and strategies delivered straight to your inbox.
Success emerged when authentication was treated as a product experience rather than a background security infrastructure.Â
Why banking adoption moves differently
Financial services operate under constraints that consumer apps avoid. Account recovery errors trigger regulatory incidents and customer panic. Many institutions preserve passwords as a safety net to prevent lockout scenarios that erode trust and create compliance exposure.Â
Legacy systems amplify friction. Call centres, older browsers, and shared workstations still rely on password workflows. Customers who move between mobile apps and desktop portals encounter inconsistent authentication experiences and revert to passwords for reliability. These operational realities shape adoption more than cryptographic strength or phishing resistance.
Security data strongly favours passkeys. Passkeys eliminate phishing entirely. Authsignal’s 2025 research shows passkeys achieve a 93% login success rate compared to 63% for traditional methods. Google reported that passkey sign-ins perform four times better than password-based authentication.
Yet users rarely think in threat models. Many compare passkeys to authenticator apps instead. Authenticators feel familiar. Passkeys feel invisible and abstract. Without clear guidance, users choose comfort over technical superiority.
Where passkeys work and where they struggle
Mobile-first banking apps achieve the highest success rates. Device-bound credentials paired with biometrics feel intuitive. Login speed improves noticeably. ABANCA reported that 42% of mobile banking users now authorise transactions using passkeys, leveraging device unlock behaviours that customers already trust.Â
Desktop environments remain challenging. Cross-device sign-in confuses users. Shared machines raise trust concerns. Recovery paths feel opaque.
Across wealth management and retail banking platforms, adoption consistently skews toward mobile channels. Desktop usage remains materially lower over the same period, reflecting differences in device trust and environmental control rather than technical limitations.
How teams that succeed approach migration
Organisations that achieve meaningful passkey adoption treat migration as a behavioural challenge, not a deployment milestone.
Common success patterns include:
- Make passkeys the default, not optional. Microsoft increased adoption by setting passkeys as the default for new accounts. Gemini required passkeys entirely. Optional adoption consistently stalls.
- Time prompts strategically. Platforms such as Uber and eBay saw sharp increases when biometric prompts appeared during login and checkout rather than in settings menus.
- Reduce password convenience deliberately. Gradually removing fallback paths increases enrolment as passwords become less attractive. Apple’s automatic passkey upgrades convert credentials silently during trusted logins.
- Emphasise speed over security. Users respond more strongly to faster logins than security messaging. KAYAK reported higher adoption when convenience led the message.
What security leaders must solve before ROI arrives
Partial adoption introduces complexity that security teams often underestimate. Supporting both passwords and passkeys expands testing scope, documentation, and training. Help desk workflows branch. Operational overhead increases before savings materialise.
Wells Fargo and PenFed Credit Union moved decisively among U.S. banks to enable passkeys. Most major institutions proceeded cautiously, balancing convenience, regulatory exposure, and device diversity.
Liminal’s Passkey Adoption Study 2025 surveyed 200 organisations deploying passkeys. 63% ranked passkeys as their top authentication investment priority. Among deployed organisations, 85% reported strong satisfaction. ROI emerged when migration aligned with user workflows rather than assuming passive adoption.
Distilled
The passkey adoption reality check exposes a simple truth: banks successfully shipped technology, but users did not change login habits because availability alone never drives behaviour change in financial services.
Security gains from passkeys arrive only when passkeys become the default behaviour through deliberate migration strategies, not optional features buried in account settings. Authentication must be treated as a product experience, not a compliance checkbox.
The question is no longer whether passkeys work. Their security benefits are proven. The real decision is whether financial institutions will invest in migration strategies that change user behaviour or continue measuring enablement while fraud costs and support volumes remain unchanged. One path delivers ROI. The other delivers press releases.
