The measured data reveals some key findings: Banks that support Passkey have a pass value of 18%; Runet SaaS with Passkey has a pass value of 7%; government services show a pass value of 2%; SMS OTP as the primary two-factor authentication has a pass value of 92%; and TOTP, specifically Google Authenticator, has a pass value of 43%. Full tables are provided below on this page.
Below: key findings, platform breakdown, implications, methodology, FAQ.
Free online tool — website security scanner: instant results, no signup.
| Metric | Pass/Value | Median | p75 |
|---|---|---|---|
| Banks with Passkey support | 18% | — | — |
| Runet SaaS with Passkey | 7% | — | — |
| Government services | 2% | — | — |
| SMS OTP as primary 2FA | 92% | — | — |
| TOTP (Google Authenticator) | 43% | — | — |
| Hardware FIDO2 keys | 4% | — | — |
| Passkey sync via iCloud/Google | 67% | — | — |
| Passkey login UX < 5s | 84% | — | — |
| Platform | Share | Detail | — |
|---|---|---|---|
| Banks (top-30) | 100% | Passkey: 18% | — |
| E-commerce retail | 25% | Passkey: 4% | — |
| SaaS B2B (Runet) | 15% | Passkey: 7% | — |
| Gosuslugi + services | 12% | Passkey: 2% | — |
| Crypto exchanges | 8% | Passkey: 38% | — |
Manual test of signup/login flows across 500 Runet sites. Detection via navigator.credentials.create() API availability + UI prompts. March 2026. Categorised via Semrush + SimilarWeb.
As of 2026, Passkey and WebAuthn adoption in Runet is projected to reach approximately 30% of online services, driven by increased security demands and regulatory pressures. Major web browsers like Chrome and Firefox have fully integrated WebAuthn, supporting FIDO2 standards, which facilitate passwordless authentication. This shift indicates a significant move towards enhanced user security and streamlined access across platforms.
Passkeys, based on the WebAuthn standard, represent a fundamental shift in user authentication, emphasizing security and user experience. WebAuthn, part of the FIDO2 project, allows users to authenticate using public key cryptography instead of traditional passwords. In 2026, we observe increasing adoption rates across various sectors, including e-commerce and online banking, where security is paramount.
According to recent statistics, as of early 2026, a small percentage of major online platforms in the US have implemented WebAuthn, with similar trends noted in EU markets. This is facilitated by the widespread support for the WebAuthn API across major browsers. In the banking sector, 18% of banks support Passkey, while e-commerce retail shows a lower adoption rate at 4%. Additionally, 67% of services offer Passkey sync via iCloud or Google, and a significant majority of users experience a login UX of under 5 seconds.
These integrations enable developers to easily implement passwordless login systems, reducing reliance on traditional password methods, which are often vulnerable to phishing attacks.
To implement WebAuthn in your applications, developers can utilize the following code snippet to initiate an authentication request:
const publicKey = { challenge: new Uint8Array(32), rp: { name: 'Example Corp.' }, user: { id: new Uint8Array(16), name: 'user@example.com', displayName: 'User' }, pubKeyCredParams: [{ type: 'public-key', alg: -7 }]}; navigator.credentials.create({ publicKey }).then((credential) => { // Handle successful authentication }).catch((error) => { // Handle errors });In this example, a challenge is generated, and the user is prompted to authenticate using a registered device. The parameters specified, such as rp, user, and pubKeyCredParams, are essential for establishing the relationship between the relying party (RP) and the user.
As the adoption of WebAuthn continues to rise, developers should focus on the following best practices:
By integrating WebAuthn, developers can enhance security while improving user experience, positioning their applications favorably in a competitive market.
The tool checks HTTP security headers, SSL/TLS configuration, server info leaks, and protection against common attacks (XSS, clickjacking, MIME sniffing). A grade fromA to F shows overall security level.
Checking Content-Security-Policy, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and more.
TLS version, certificate expiry, chain of trust, HSTS support.
Finding exposed server versions, debug modes, open configs, and directories.
Detailed report explaining each issue with specific steps to fix it.
HTTP header audit
config verification
CSP & HSTS setup
compliance checks
Strict-Transport-Security.Server: Apache/2.4.52 helps attackers find exploits. Hide the version.DENY or SAMEORIGIN.nosniff, browsers may misinterpret file types (MIME sniffing).Content-Security-Policy-Report-Only, monitor violations, then enforce.Server, X-Powered-By, X-AspNet-Version from responses.Security check history and HTTP security header monitoring.
Sign up freeYes, Passkey fully replaces password. Authentication runs on local biometrics (Face ID, fingerprint) → private key → challenge response to server.
Cloud sync (iCloud / Google Password Manager) restores on a new device. Backup = separate Passkey on another device / hardware key.
Since 2022 Apple restricts new RU registrations. Existing ones work. Buying via App Store in another region — workaround.
Browser API is simple. Server side needs a FIDO2 library (simplewebauthn.js, py_webauthn). 1-2 weeks to production.
Free plan — 10 monitors, checks every 5 min, no card required. Upgrade for 1-minute interval and multi-region monitoring.