Back in 2017, Troy Hunt and I built a little website called whynohttps.com. The idea was simple: take the most popular sites on the internet, check which ones still weren't redirecting visitors to HTTPS, and put the laggards on a list for everyone to see. No lecture, no 40-page report, just a leaderboard of who hadn't done the thing yet. It turned out that a list is a surprisingly effective motivator. Nobody wants to be on the list.
We're at exactly the same moment again, but this time the technology is passkeys. So, Troy provided the domain, and I've built the obvious sequel: whynopasskeys.com.

We've already had the passkeys argument
Don't worry, I'm not going to tread the same ground again. I've written plenty about passkeys already, from Passkeys 101 covering how they actually work, to the sharper edges of the threat model that nobody seems to be talking about. The short version is the part that matters here: passkeys are phishing-resistant by design. They're hard to phish, they can't leak in a breach, and they can't be replayed. Whether a passkey replaces your password entirely, or just backs a password up as a 2FA mechanism, it removes a whole category of attacks that we've been fighting, and losing, for decades.
The technology works and it's widely supported. We aren't waiting on engineering, we're waiting on adoption. And just like HTTPS in 2017, the thing standing between users and a meaningfully more secure internet is a long list of websites that haven't gotten around to it yet.
That's the gap I want to make visible.
What the site shows
whynopasskeys.com takes the world's most popular websites and tells you which ones support passkeys and which ones don't. There's a global Top 25, and there are per-country lists so you can see how your own corner of the internet is doing, covering well over a hundred countries.
The launch-day headline number is the whole reason this site exists:
7 of the top 25 sites globally still have no passkey support. That's 28% of the most-visited destinations on the internet.
If the biggest sites do not support passkeys, passkeys still feel optional everywhere else, and these aren't small shops without a security team. The current no-passkeys list at the top end includes names like Instagram, Netflix, Spotify, Samsung, Roblox and Baidu. Sites with hundreds of millions, in some cases billions, of accounts, all still protected by nothing more than a password and possibly MFA. These are the sites that shape user expectations.
I've also tried to be honest in the other direction, because "supports passkeys" is doing a lot of work as a phrase. A site that lets you log in with a passkey and skip the password entirely is in a very different place to one that only allows a passkey as a second factor on top of your existing password. So where I can, the list distinguishes between passwordless passkey support and MFA-only support.
How it's built
People asked the same thing about whynohttps.com all those years ago, so let me get ahead of it: how do you know?
For ranking the sites I use Cloudflare Radar for the global and US lists, which is about as good a successor to the old Alexa rankings as we have, and the Tranco list for per-country rankings, attributing sites to countries by their national domain so you get that country's popular sites rather than the same handful of global giants on every page. There's a fair bit of unglamorous plumbing to strip out the CDNs, ad networks and API endpoints that clog up raw rankings, because nobody needs to know whether an analytics beacon supports passkeys.
The passkey support data itself comes from passkeys.directory, the excellent community-maintained list run by the folks at 2factorauth. This is the honest limitation of the whole project, and I'd rather say it out loud than have someone "gotcha" me with it: passkey support cannot be reliably auto-detected. WebAuthn lives behind a login flow, so there's no header to scan and no endpoint to probe the way there was with HTTPS. The list is therefore only as complete as the directory it draws from.
Which leads nicely to the most important feature.
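A rough sketch of the pipeline this section describes, added here as an illustration and not the code behind whynopasskeys.com: drop infrastructure hosts from a ranking, attribute sites to countries by national domain, then join against a support directory. The hostnames, the directory shape and the filter heuristics are all constructed assumptions, and one ranking feeds both the global and the country lists for brevity.

```python
from collections import defaultdict

# Constructed sample data: hostnames, ranks and support values are invented.
RANKED = [(1, "global-four.com"), (2, "cdn.fastassets.net"), (3, "portal-one.de"),
          (4, "api.portal-one.de"), (5, "ads.trackbeacon.com"),
          (6, "video-two.fr"), (7, "bank-three.de")]
# Hypothetical, simplified directory shape: domain -> supported passkey modes.
DIRECTORY = {"global-four.com": {"passwordless", "mfa"}, "portal-one.de": {"mfa"}}
# Assumed heuristics for spotting CDNs, ad networks and API endpoints.
INFRA_LABELS = {"cdn", "api", "ads", "static", "analytics"}
INFRA_DOMAINS = {"fastassets.net", "trackbeacon.com"}
COUNTRY_TLDS = {"de": "Germany", "fr": "France"}


def is_infrastructure(host):
    labels = host.lower().split(".")
    registrable = ".".join(labels[-2:])  # naive; real code needs the Public Suffix List
    return registrable in INFRA_DOMAINS or any(l in INFRA_LABELS for l in labels[:-2])


def classify(host):
    modes = DIRECTORY.get(host.lower())
    if modes is None:
        # Not listed in the directory: reported as "no passkeys", not proven absent.
        return "no-passkeys"
    if "passwordless" in modes:
        return "passwordless"
    return "mfa-only" if "mfa" in modes else "no-passkeys"


def build_lists(ranked, top_n=25):
    """Return {list_name: [(host, status), ...]} in rank order."""
    lists = defaultdict(list)
    for _, host in sorted(ranked):
        if is_infrastructure(host):
            continue
        entry = (host, classify(host))
        if len(lists["global"]) < top_n:
            lists["global"].append(entry)
        country = COUNTRY_TLDS.get(host.rsplit(".", 1)[-1].lower())
        if country and len(lists[country]) < top_n:
            lists[country].append(entry)
    return dict(lists)


def no_passkey_share(entries):
    """Fraction of a list with no known passkey support."""
    missing = sum(1 for _, status in entries if status == "no-passkeys")
    return missing / len(entries) if entries else 0.0
```

Note that `classify` cannot tell "doesn't support passkeys" apart from "nobody has submitted it yet", which is exactly the limitation described above.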
If a site is wrong, you can fix it!
Every "No passkeys" entry on the site links straight to a way to correct it. If a site does support passkeys and we've got it wrong, the fix is to submit it to passkeys.directory, which improves the data for the whole community, not just my little list. I would genuinely love for this site to get less accurate over time, in the sense that I have to keep moving names from the red column to the green one.
Because that's the actual goal. whynohttps.com wasn't really about the shaming, satisfying as it was. It was about giving people a clear, sharable, undeniable picture of where we were, so that the conversation inside these companies shifted from "should we?" to "why are we on this list?". HTTPS went from a 'nice-to-have' to being 'essential' in a remarkably short space of time, and a bit of friendly public accountability was part of that.
Passkeys are at the same crossroads now. The sites at the top of these lists set the tone for everyone else. When the biggest names make passkeys popular, they stop being exotic and start being expected.
A note for the sites doing the work
If you're rolling passkeys out, brilliant. It's harder than it looks to do well, and the threat model has subtleties that bite you precisely because passkeys are so strong everywhere else, which is the whole reason we had our own implementation independently security tested before we shipped it. If you're standing up passkeys and want visibility into what's actually happening in your users' browsers during sign-in, that's exactly the kind of thing Report URI is built to watch. The best time to know your auth flow is misbehaving is before your users tell you.
Go and have a look
whynopasskeys.com is live. Go and find your favourite sites, find your country, and if there's a name on there that really ought to know better, share it with them. The fastest way to get a site off the list is for enough of its users to ask why it's on there in the first place.
And if you run one of these sites: you already know what to do. Let's get you off the list.