A New Website Is Shaming Tech Giants for Ignoring Passkeys

Security researcher Scott Helme has a simple theory: nobody wants to be on a list that highlights their failure to protect users. This week, he launched whynopasskeys.com, a public tracker that catalogs which major apps and services have yet to adopt the industry’s new gold standard for account security.

The data is stark. Despite the clear security advantages of passkeys—which eliminate the need for passwords by using device-bound biometrics like Face ID or Touch ID—one in four major services still refuses to offer them. The list of holdouts includes household names like Netflix, Spotify, and Instagram.

Why Passkeys Are the New Standard

Passwords are a relic of a pre-phishing era. They are easily stolen, frequently reused, and constantly targeted by automated credential-stuffing attacks. Passkeys, by contrast, are generated by your device and tied specifically to the service you are accessing. Because they rely on local authentication, they are virtually immune to the phishing tactics that compromise millions of traditional passwords every year.

"A list is a surprisingly effective motivator," Helme wrote in a blog post announcing the site. By creating a public scoreboard, he is attempting to apply the kind of industry pressure that often moves the needle faster than internal security audits or user complaints. The site categorizes services by their support status, creating a clear divide between companies that have prioritized user safety and those that have not.

The Inconsistency of Big Tech

Perhaps the most frustrating aspect of the current landscape is the inconsistency within individual tech conglomerates. Take Meta, for example. While the company has rolled out passkey support for Facebook and WhatsApp, Instagram remains a notable exclusion. Users can technically use a passkey on Instagram, but only if their account is tethered to a Facebook login that already has the feature enabled. It is a convoluted workaround for a feature that should be standard.

This fragmentation suggests that the delay is not a technical hurdle, but a product prioritization issue. When asked for comment, Meta did not immediately explain why the implementation remains so uneven across its portfolio. Similarly, streaming giants like Netflix and Spotify have yet to provide a clear timeline for when they might join the ranks of Apple, Google, and Microsoft, all of which have fully embraced the technology.

What This Means for Users

For the average user, the lack of passkeys means continuing to rely on password managers or, worse, memory. While password managers are a significant step up from manual entry, they still rely on a master password that can be phished or leaked. Passkeys remove that single point of failure entirely.

If you are wondering why your favorite app still forces you to type in a password, the answer is likely that they haven't felt enough pressure to change. Helme’s project is designed to change that calculus. By making the lack of support visible, he is betting that public perception will eventually outweigh the friction of implementation.

Key Takeaways

• The Security Gap: One in four major internet services still does not offer passkeys, leaving users vulnerable to traditional phishing and credential theft.
• Public Pressure: The new website whynopasskeys.com aims to force companies to prioritize security by publicly shaming those that lag behind industry standards.
• Inconsistent Adoption: Even within large tech firms like Meta, support is fragmented, with some platforms offering passkeys while others, like Instagram, remain behind.

As the industry moves toward a passwordless future, the companies on Helme’s list will face increasing scrutiny. The next time these services update their security roadmaps, they will have to decide whether they want to remain on the list or finally give their users the security they deserve.