Why Skrid Uses Passkeys Instead of Passwords

Passkeys are 3x faster than passwords and phishing-resistant by design. Here's why Skrid chose them and what makes them secure.

March 16, 2026

By Johannes

Smartphone showing biometric authentication with fingerprint scan.

Twenty-two percent of all data breaches begin with stolen credentials, making it the single most common attack vector (Verizon, 2025). The typical response to this is more friction: longer passwords, special characters, rotating credentials every 90 days, SMS codes that arrive 30 seconds after you’ve given up. Passkeys take the opposite approach. They eliminate the credential that can be stolen in the first place.

When we started building Skrid’s authentication system, we faced a choice that matters more than most product decisions: how do users prove they’re who they say they are? The answer affects both security and user experience, and those two things are usually in tension. Passkeys are the rare case where they aren’t.

The problem with shared secrets

Every traditional authentication method relies on the same basic model: you and the server share a secret, and you prove your identity by demonstrating you know it. Passwords work this way. SMS codes work this way. TOTP authenticator apps work this way. The server has to store something that, if stolen, lets an attacker impersonate you.

This creates an obvious attack surface. Check Point reported a 160% increase in compromised credentials in 2025 versus 2024. Verizon’s breach report found 2.8 billion passwords put up for sale on criminal forums last year alone. CyberNews analysis showed that 94% of passwords are reused or duplicated across accounts. The math isn’t complicated: if you use the same password on multiple sites and any one of them gets breached, attackers can try that credential everywhere else.

Phishing compounds the problem. Most cyberattacks begin with phishing, according to Keepnet’s research, with roughly 3.4 billion phishing emails sent daily. And these aren’t the obvious “Nigerian prince” emails anymore. AI-generated phishing emails achieved a 54% click-through rate in testing, compared to 12% for human-written ones (TechMagic, 2025).

Two-factor authentication was supposed to fix this. In December 2024, the FBI and CISA declared SMS authentication “not recommended” due to SS7 protocol vulnerabilities that allow interception. The UK saw a 1,055% increase in SIM-swap fraud reports that same year. TOTP codes are better, but they’re still phishable through real-time relay attacks where a fake login page captures your code and uses it immediately.

How passkeys actually work

Passkeys are built on public-key cryptography, the same mathematics that secures HTTPS connections. When you create a passkey for a site, your device generates a unique pair of cryptographic keys. The private key stays on your device, protected by your fingerprint, face scan, or device PIN. The public key gets sent to the server.

When you log in, the server sends a random challenge. Your device signs that challenge with the private key (after you authenticate locally with your biometric or PIN) and sends back the signature. The server verifies the signature using the public key it stored. At no point does your private key leave your device. There’s no password to steal from the server’s database because the server never had anything secret to begin with.

This eliminates entire categories of attacks. Credential stuffing doesn’t work because there’s no credential that works across sites. Database breaches expose only public keys, which are mathematically useless for impersonation. Phishing attacks that target credentials don’t work either, and this is the part that matters most.

Phishing resistance isn’t optional

Passkeys are cryptographically bound to specific domains. When you create a passkey for skrid.app, that key literally cannot authenticate to skr1d.app or skrid-login.com or any other lookalike domain. The binding happens at the protocol level, not through user vigilance. Even if you click a perfect phishing link, your browser won’t offer your passkey because the domain doesn’t match.

This is fundamentally different from passwords, where you can accidentally type your credentials into any convincing-looking page. It’s also different from SMS or TOTP codes, which you might enter on a fake site that relays them instantly to the real one. Apple made this point explicitly at FIDO Authenticate 2025: “Adding passkeys as an option doesn’t automatically make a system phishing-resistant. True phishing resistance requires eliminating all phishable authentication and recovery methods from an account.”

The technical standards behind this are WebAuthn (a W3C specification) and CTAP (from the FIDO Alliance), collectively called FIDO2. These aren’t new or experimental. They’ve been in development since 2013 and are now supported by every major browser and operating system.

The speed difference is real

Security improvements often come at the cost of user experience. Passkeys don’t.

Microsoft reported in 2024 that passkey login achieves a 98% success rate compared to 32% for passwords. Think about what that means: two-thirds of password login attempts fail (misremembered credentials, typos, capitalization errors, wrong account). Passkey authentication is three times faster than passwords alone and eight times faster than password plus MFA, according to the same Microsoft data.

The FIDO Alliance’s 2025 metrics put numbers on this: average passkey login takes 8.5 seconds versus 31.2 seconds for password plus MFA.

Real-world implementations confirm these patterns. Amazon reports 175 million passkey-enabled customers and describes login as “6x faster.” Air New Zealand saw over 30% opt-in rates, a 50% reduction in login abandonment, and 5-10% fewer support calls. eBay achieved a 102% increase in passkey adoption by adding auto-prompts.

Why this matters for Skrid specifically

Skrid is a screen time management app where users earn phone access by walking. Every interaction with the app reinforces (or undermines) the habit we’re trying to build. If logging in requires remembering a password, waiting for an SMS code that might not arrive, or resetting credentials because you forgot them, that friction directly competes with the behavior change we’re asking users to make.

A forgotten password or a failed login attempt doesn’t just cost a few seconds. It costs the entire session. The user doesn’t check their step balance, doesn’t see that they’ve earned screen time, doesn’t feel the feedback loop that makes the system work. For a wellness app, invisible authentication isn’t a nice-to-have. It’s structural.

The trust dimension matters too. Skrid handles sensitive data about users’ phone habits and physical activity patterns. Using phishing-resistant authentication signals that we take security seriously without making users jump through hoops to prove it.

The limitations worth knowing

Passkeys aren’t perfect, and pretending otherwise would be dishonest.

Cross-ecosystem portability remains limited. Apple’s iCloud Keychain syncs passkeys across Apple devices. Google Password Manager syncs across Android and Chrome. But if you create a passkey on your iPhone and then switch to Android, you’ll need to create a new passkey for that account. The FIDO Alliance is working on credential exchange protocols, but as of early 2026, moving passkeys between ecosystems isn’t straightforward.

Browser and platform support varies. On Windows and Linux, passkey creation often defaults to single-device credentials rather than synced ones, which means losing that device means losing access. QR code flows for cross-device authentication (scanning a code on your phone to log in on a laptop) create momentary confusion for users who haven’t encountered them before.

There was a WebAuthentication vulnerability (CVE-2024-9956) that allowed attackers to intercept mobile browser authentication via FIDO protocol intents. This was patched between October 2024 and February 2025 across major browsers. Session hijacking after authentication remains a concern, but that’s true regardless of how you log in.

The hardest challenge isn’t technical capability. It’s migrating existing users from passwords to passkeys without creating confusion or support burden.

The adoption curve

When we made this decision, passkeys were still emerging. The landscape has shifted considerably.

According to FIDO Alliance data from 2025, 48% of the top 100 websites now support passkeys. Andrew Shikiar, the FIDO Alliance’s Executive Director, announced that over 3 billion passkeys are now in active use globally, with more than 1 billion people having passkeys activated. About 70% of users have at least one passkey set up somewhere (Help Net Security, 2025).

Enterprise adoption is accelerating too. 87% of organizations are either deploying or have deployed passkeys, according to Dark Reading. Google reports 800 million accounts using passkeys with 2.5 billion total sign-ins. Microsoft saw 120% growth in passkey authentications after making them the default option.

This matters because network effects work in favor of passkey adoption. The more sites that support them, the more familiar users become with the flow, the more willing they are to use them elsewhere.

The business case beneath the security case

Authentication problems are expensive. IBM’s 2024 Cost of a Data Breach Report found the average breach costs $4.44 million, with credential-based breaches often exceeding $5 million. Gartner estimates that 30-50% of IT help desk calls are password resets. Forrester puts the cost at $87 per reset and $795 per employee per year in password-related support.

For consumer apps, the conversion cost is more direct. FIDO research found that 47% of consumers abandon purchases when they forget their password. For a subscription app like Skrid, a failed login during the critical early days of habit formation could mean a churned user.

Passkeys reduce support load, reduce breach risk, and increase successful logins. The security benefits and the business benefits point the same direction.

The decision

We chose passkeys for Skrid because they solve a real problem without creating new friction. They’re more secure than passwords because there’s nothing to steal. They’re more secure than SMS codes because there’s nothing to intercept. They’re faster because they work on the first try. And they’re ready now: the standards are mature, the platform support is broad, and the adoption curve has passed the early-adopter phase.

For users, this means logging into Skrid works the same way unlocking your phone does. Touch or face or PIN, and you’re in. No password to remember, no code to wait for, no security theater that makes you feel secure without actually being secure.

Authentication should be invisible. Passkeys are the first technology that actually makes that possible without compromising protection. That’s why we use them.
