Enterno.io checked Passkey (WebAuthn/FIDO2) support in the 500 largest Runet services (March 2026). 18% of banks offer Passkey (Sber, Tinkoff, Alfa — yes; VTB, Gazprom — no). 7% of SaaS (including Skyeng, Bitrix24). 2% of government services (only Gosuslugi Passkey beta). SMS OTP remains primary 2FA (92%). Google/Apple Passkey sync is limited — needs an un-blocked iCloud/GPA account.
Below: key findings, platform breakdown, implications, methodology, FAQ.

| Metric | Value |
|---|---|
| Banks with Passkey support | 18% |
| Runet SaaS with Passkey | 7% |
| Government services | 2% |
| SMS OTP as primary 2FA | 92% |
| TOTP (Google Authenticator) | 43% |
| Hardware FIDO2 keys | 4% |
| Passkey sync via iCloud/Google | 67% |
| Passkey login UX < 5s | 84% |


| Platform | Share | Detail |
|---|---|---|
| Banks (top-30) | 100% | Passkey: 18% |
| E-commerce retail | 25% | Passkey: 4% |
| SaaS B2B (Runet) | 15% | Passkey: 7% |
| Gosuslugi + services | 12% | Passkey: 2% |
| Crypto exchanges | 8% | Passkey: 38% |

Manual test of signup/login flows across 500 Runet sites. Detection via navigator.credentials.create() API availability + UI prompts. March 2026. Categorised via Semrush + SimilarWeb.
The tool checks HTTP security headers, SSL/TLS configuration, server info leaks, and protection against common attacks (XSS, clickjacking, MIME sniffing). A grade from A to F shows the overall security level.
Checking Content-Security-Policy, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and more.
TLS version, certificate expiry, chain of trust, HSTS support.
Finding exposed server versions, debug modes, open configs, and directories.
Detailed report explaining each issue with specific steps to fix it.
HTTP header audit
config verification
CSP & HSTS setup
compliance checks
Strict-Transport-Security.
Server: Apache/2.4.52 helps attackers find exploits. Hide the version.
DENY or SAMEORIGIN.
nosniff, browsers may misinterpret file types (MIME sniffing).
Content-Security-Policy-Report-Only, monitor violations, then enforce.
Server, X-Powered-By, X-AspNet-Version from responses.
Security check history and HTTP security header monitoring.
Yes, a Passkey fully replaces the password. Authentication runs on local biometrics (Face ID, fingerprint) → private key → challenge response to server.
Cloud sync (iCloud / Google Password Manager) restores on a new device. Backup = separate Passkey on another device / hardware key.
Since 2022 Apple restricts new RU registrations. Existing ones work. Buying via App Store in another region — workaround.
Browser API is simple. Server side needs a FIDO2 library (simplewebauthn.js, py_webauthn). 1-2 weeks to production.
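
The challenge-response step and the checks a server-side FIDO2 library performs on a login response, as an added example (not code from Enterno.io or from the libraries named above). The origin `https://login.example`, the function names and the simulated authenticator are constructed for illustration; only Node's built-in crypto module is used.

```javascript
const crypto = require('node:crypto');
const sha256 = (buf) => crypto.createHash('sha256').update(buf).digest();

// Relying-party (server) checks for one login response. `expected` is what the
// server stored for this session: the challenge it issued, its origin and RP ID.
function verifyAssertion({ clientDataJSON, authenticatorData, signature }, publicKey, expected) {
  const client = JSON.parse(clientDataJSON.toString('utf8'));
  if (client.type !== 'webauthn.get') return 'wrong type';
  if (client.challenge !== expected.challenge) return 'challenge mismatch'; // replayed or stale
  if (client.origin !== expected.origin) return 'origin mismatch';          // signed on another site
  if (!authenticatorData.subarray(0, 32).equals(sha256(expected.rpId))) return 'rpIdHash mismatch';
  const flags = authenticatorData[32];
  if ((flags & 0x01) === 0) return 'user not present';                      // UP bit
  if ((flags & 0x04) === 0) return 'user not verified';                     // UV bit: biometric or PIN
  // The authenticator signs authenticatorData || SHA-256(clientDataJSON).
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return crypto.verify('sha256', signed, publicKey, signature) ? 'ok' : 'bad signature';
}

// Constructed stand-in for browser + authenticator so the example runs offline.
function simulateLogin(privateKey, { challenge, origin, rpId }) {
  const clientDataJSON = Buffer.from(JSON.stringify({ type: 'webauthn.get', challenge, origin }));
  const authenticatorData = Buffer.concat([
    sha256(rpId), Buffer.from([0x05]), Buffer.from([0, 0, 0, 1]), // rpIdHash, UP|UV, signCount
  ]);
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return { clientDataJSON, authenticatorData, signature: crypto.sign('sha256', signed, privateKey) };
}

function demo() {
  // P-256 key pair, as used by ES256 passkeys; the server keeps only publicKey.
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  const newChallenge = () => crypto.randomBytes(32).toString('base64url');
  const session = { challenge: newChallenge(), origin: 'https://login.example', rpId: 'login.example' };
  const good = simulateLogin(privateKey, session);
  const otherSite = simulateLogin(privateKey, { ...session, origin: 'https://lookalike.example' });
  const tampered = { ...good, authenticatorData: Buffer.from(good.authenticatorData) };
  tampered.authenticatorData[36] ^= 1; // alter signCount after signing
  return {
    good: verifyAssertion(good, publicKey, session),
    replayed: verifyAssertion(good, publicKey, { ...session, challenge: newChallenge() }),
    otherSite: verifyAssertion(otherSite, publicKey, session),
    tampered: verifyAssertion(tampered, publicKey, session),
  };
}

console.log(demo());
```

A production library additionally looks up the credential by ID, tracks the signature counter across logins and handles registration, which this example leaves out.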