One in four top websites still has no passkey support, tracker finds
A new website is putting some of the Internet's most recognisable names on notice over their continued reliance on passwords. Whynopasskeys.com, created by security researchers Scott Helme and Troy Hunt, ranks the world's most popular websites by whether they offer passkey support, a phishing-resistant alternative to traditional passwords.
The site's launch-day findings make for uncomfortable reading for several major brands. Of the top 25 most-visited websites globally, seven, around 28 per cent, offer no passkey support whatsoever. That list includes household names such as Instagram, Netflix, Spotify, Samsung, Roblox and Baidu, platforms that between them serve hundreds of millions, and in some cases billions, of user accounts protected by little more than a password and, at best, multi-factor authentication.
Passkeys work differently to passwords. They are generated by a user's own device and tied to both that device and the website they were created for, often relying on biometric methods such as Face ID or Touch ID, or a physical security key. Because there is nothing to type or remember, and nothing stored centrally that can be stolen in a breach, passkeys are considered significantly harder to phish than conventional credentials.
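The tie between a passkey and the website it was created for is something the site's server checks on every login. The Python below is an added example, not code from the article or from whynopasskeys.com: it shows the WebAuthn origin and RP ID checks on a login assertion, with the signature check left as a separate step, and the domains, challenge and helper names are constructed for illustration.

```python
import hashlib
import json
import struct

def build_sample(origin, rp_id, challenge, flags=0x05, counter=1):
    """Constructed sample of what browser and authenticator return (signature omitted)."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    ).encode()
    # authenticatorData = SHA-256(RP ID) || flags byte || 4-byte big-endian counter
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", counter)
    return client_data, auth_data

def check_binding(client_data, auth_data, expected_origin, rp_id, expected_challenge):
    """Return (ok, reason) for the site-binding checks on a login assertion."""
    try:
        fields = json.loads(client_data)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if not isinstance(fields, dict) or fields.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if fields.get("challenge") != expected_challenge:
        return False, "challenge mismatch"      # stale or replayed response
    if fields.get("origin") != expected_origin:
        return False, "origin mismatch"         # browser recorded a different site
    if len(auth_data) < 37:
        return False, "authenticator data too short"
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"       # credential scoped to another RP ID
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"

# Constructed values: the real site and a look-alike domain.
SITE, RP_ID, CHALLENGE = "https://example.com", "example.com", "c2FtcGxlLWNoYWxsZW5nZQ"
LOOKALIKE, LOOKALIKE_RP = "https://example-login.test", "example-login.test"

def demo():
    genuine = build_sample(SITE, RP_ID, CHALLENGE)
    relayed = build_sample(LOOKALIKE, LOOKALIKE_RP, CHALLENGE)
    # clientDataJSON names the real origin, but the authenticator hashed another RP ID
    mixed = (genuine[0], relayed[1])
    return [check_binding(c, a, SITE, RP_ID, CHALLENGE) for c, a in (genuine, relayed, mixed)]

if __name__ == "__main__":
    for result in demo():
        print(result)
```

The checks run over data covered by the authenticator's signature, so a response produced on a look-alike domain cannot be edited to pass them without invalidating that signature.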
Helme, who previously built the similarly themed whynohttps.com with Hunt back in 2017 to push websites towards HTTPS adoption, said the new project follows the same logic. Writing on his blog, he explained that the goal is not really about shaming companies but about giving the public a clear, shareable picture of where the industry stands. "A list is a surprisingly effective motivator," he wrote, adding that the aim is to shift the conversation inside companies from whether they should adopt passkeys to why they have not already done so.
The site draws its rankings from Cloudflare Radar and the Tranco list to identify popular domains, while passkey adoption data comes from passkeys.directory, a community-maintained resource. Helme has acknowledged this is the project's main limitation, since passkey support cannot be automatically detected the way HTTPS could, meaning the list's accuracy depends on that underlying directory. Any site listed incorrectly can be corrected via a submission to passkeys.directory.
Notably, the site distinguishes between full passwordless passkey support and tools that only allow passkeys as a secondary authentication factor. Instagram, for instance, does technically allow passkey login, but only when the account is linked to a Facebook account that already has one enabled, an inconsistency given that Meta's other platforms, including Facebook and WhatsApp, support passkeys directly.
Posted on: 6/25/2026 11:21:53 AM