In certain instances, we may earn revenue when a reader makes a purchase or completes a form through our pages or on a partner’s website. We adhere to a strict 
Passwordless authentication has picked up in recent years. But the method drawing the most interest in security circles is physical security keys based on the FIDO2 standard.
These USB or NFC keys offer something beyond the usual passwordless methods, like synced device passkeys or biometric logins. Here, you’re not relying on cloud-stored credentials or browser memory. Instead, everything depends on holding the key and verifying it with something only you know, like a PIN or fingerprint.
This shift to hardware security keys is gaining momentum across industries. Dashlane, for instance, has just rolled out an update that enables users to make a FIDO2 key their main passwordless login for unlocking credential vaults.
In this article, we explore where passwordless authentication stands today, what makes physical keys different, and how platforms are handling the hard parts like recovery, usability, and long-term security.
Key Takeaways
- Passwordless authentication is gaining traction among younger users and security-conscious platforms.
- Passkeys and FIDO2 keys reduce phishing risks by removing shared secrets.
- Dashlane’s FIDO2 implementation uses local encryption key generation with PRF.
- Recovery plans must avoid reintroducing old risks like email-based reset links.
- Full support for hardware security keys across devices and browsers is still a work in progress.
Passkeys Are Good, but Phishing Still Finds a Way
Available data shows there’s a steady rise in passwordless authentication. The market is set to grow from $22.14 billion in 2025 to $61.45 billion by 2032, according to Coherent Market Insights. The hardware token market, now used by 19% of government agencies, is projected to double to $1.3 billion by 2033.
However, despite these healthy market projections, phishing remains a highly effective attack vector. IBM’s 2024 Data Breach Report projects that the average cost of a phishing-related breach will reach $4.88 million in 2025. Many of these attacks succeed not by breaking encryption, but by tricking users into handing over access.
A recent Google and Morning Consult survey supports this discrepancy. It found that while Gen Z users are starting to adopt passkey authentication and social sign-ins at higher rates, the majority of people still rely on passwords or basic two-factor authentication.
As phishing tactics grow more sophisticated, the gap between available technology and actual user protection remains a concern. This highlights one of the key benefits of passwordless authentication – its potential to close this gap.
That’s why hardware-backed options like FIDO2 keys are starting to take center stage in the shift toward passwordless authentication.
What Is FIDO2 Key & What Makes It Phishing-Resistant?
In a chat with Techopedia, Rew Islam, Dashlane’s Director of Product Innovation, noted the company adopted FIDO2 keys as the primary authentication factor because of their technical strength, not trend value.
He said:
“FIDO2 keys work because the private key never leaves the device, and they only respond to legitimate origin domains. That alone closes off a lot of phishing vectors.”
This explains how passwordless authentication works to provide such strong protection. Islam added that the system relies on two core standards: WebAuthn and CTAP.
- WebAuthn handles the communication between the browser and the service requesting authentication
- CTAP, short for Client to Authenticator Protocol, manages how devices like security keys interact with the browser or operating system (OS)
Dashlane and some other credential management platforms are building on this with WebAuthn PRF (pseudo-random function). So, instead of relying on a server to issue or decrypt secrets, PRF allows the encryption key to be derived directly on the user’s device.
Islam explained:
“When PRF is not supported, our plan is to use our existing passwordless device-to-device secret transfer. In this case, we can still use WebAuthn for the phishing protection, and couple that with our passwordless device-to-device transfer for the encryption keys.”
What Happens When the Key Is Lost?
No security model is complete without a recovery plan. That’s where hardware passwordless solutions still face some of their biggest usability tests.
It’s fair to assume that for many people, they worry about what happens when a security key is lost or damaged. What if the device storing the passkey is no longer accessible?
Islam said the best way to prepare for this is to support multiple keys per account so users can have a backup. He told Techopedia:
“Users will be able to register multiple keys, so in case of loss or damage, they have a backup for account recovery. The aim is to avoid phishable recovery options.”
However, many hardware keys still fall back on recovery via email or SMS, which subverts the authentication process.
Even recovery codes can be mishandled. The UK’s National Cyber Security Centre has noted that while passkeys improve security, the industry is still figuring out how to help users who fall out of sync with their devices or lose access entirely.
One proposed solution is key escrow through new browser APIs, but adoption is still limited. Islam said:
“We may lean into the Digital Credentials API to escrow an encryption key, but broader adoption of Digital Credentials is not there yet, so we’re still years away.”
The Bottom Line
Passwordless authentication through physical keys has come to stay, and it’s being deployed at scale by credential managers such as Yubico, Nitrokey, and Google through Titan Security Keys.
While there is great momentum forming around hardware keys, many are still worried about compatibility, usability, device loss, and recovery. These are grey areas that, when addressed, could boost wider adoption.
While device-based passkeys enjoy wider current adoption due to convenience, the robust, phishing-resistant nature of physical FIDO2 keys makes them a critical component for the future of truly secure authentication, especially as passwordless MFA becomes standard.
FAQs
What is passwordless authentication?
How to implement passwordless authentication?
Is passwordless safer than 2FA?
What are the disadvantages of passwordless authentication?
Which technology is commonly used in passwordless authentication?
References
- Passwordless Authentication Market Size Insights 2025-2032 (COHERENTMI)
- Passwordless Authentication Adoption Trends in 2025 (Jumpcloud)
- Cost of a data breach 2024 (IBM)
- Scams and Protections June 2025 (Google | MorningConsult)
- FIDO2: Passwordless Authentication Standard (FIDO Alliance)
- Passkeys: they’re not perfect but they’re getting better (NCSC.GOV.UK)
- Baron Capital Supports Elon Musk’s 2018 Compensation Contract (BaronFunds)
