A new website is publicly naming the apps that still force you to log in with a password. The list at whynopasskeys.com, built by security researcher Scott Helme, reads like a roll call of apps already on your phone: Instagram, Netflix, Spotify. TechCrunch reports that, by Helme's count, roughly one in four major apps and services on the internet still do not offer passkeys, the device-bound login that uses your face, fingerprint, or a physical security key instead of something to memorise.
That gap is the news, and the list is the mechanism. Passkeys have been available since at least 2022; Apple, Google, and Microsoft have built the plumbing. The bottleneck was never the technology. It was that big platforms had no reason to bother, and individual users had no way to make them.
Helme's framing of his own project is blunt: a list, he says, is a "surprisingly effective motivator. Nobody wants to be on the list." That logic only holds if being on the list actually moves the platform. The early evidence is mixed. Meta has rolled out passkeys for Facebook but not, as of Helme's count, for Instagram; Netflix and Spotify have not announced timelines. The companion site passkeys.directory already tracks sites that do support the standard, which gives the shame list a positive counterpart and a benchmark the laggards can be measured against.
For anyone who has seen the passkey prompt and skipped it: a passkey is a credential generated by your phone or computer and bound to that device and the originating website. You unlock it with the same Face ID, Touch ID, or screen lock you already use, and the website never sees a password at all. There is nothing to memorise, nothing to type into the wrong form, and nothing for a phisher to steal unless they also have your unlocked phone.
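To make the "bound to the originating website" point concrete, here is an added example (not code from Helme's site or from any platform named here) of the binding checks a website's server runs on a passkey login under the WebAuthn standard. The domain names and sample responses are constructed, and the signature check that makes these fields trustworthy is left out so the sketch runs on the Python standard library alone.

```python
import base64, hashlib, hmac, json

RP_ID = "example.com"                  # constructed relying-party ID
ORIGIN = "https://login.example.com"   # constructed legitimate origin

def b64url(data: bytes) -> str:
    """Unpadded base64url, the encoding WebAuthn uses for the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def check_binding(client_data_json, auth_data, challenge,
                  origin=ORIGIN, rp_id=RP_ID):
    """Return the names of failed binding checks; an empty list means pass.
    A real server must also verify the signature over these bytes."""
    failures = []
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        failures.append("type")
    # The challenge is a fresh random value per login, so replays fail here.
    if not hmac.compare_digest(str(client.get("challenge", "")), b64url(challenge)):
        failures.append("challenge")
    # The browser, not the page, writes the origin it was actually visiting.
    if client.get("origin") != origin:
        failures.append("origin")
    if len(auth_data) < 37:            # 32-byte hash + flags + 4-byte counter
        return failures + ["authenticator_data"]
    # The authenticator commits to the site the credential was scoped to.
    expected_hash = hashlib.sha256(rp_id.encode()).digest()
    if not hmac.compare_digest(auth_data[:32], expected_hash):
        failures.append("rp_id_hash")
    if not auth_data[32] & 0x01:       # bit 0 of flags: user present
        failures.append("user_present")
    return failures

def sample_assertion(origin, rp_id, challenge):
    """Constructed stand-in for what a browser and authenticator return."""
    client = json.dumps({"type": "webauthn.get",
                         "challenge": b64url(challenge),
                         "origin": origin}).encode()
    flags = bytes([0x05])              # user present + user verified
    auth = hashlib.sha256(rp_id.encode()).digest() + flags + (1).to_bytes(4, "big")
    return client, auth

if __name__ == "__main__":
    challenge = bytes(range(32))       # constructed; a server would use random bytes
    print(check_binding(*sample_assertion(ORIGIN, RP_ID, challenge), challenge))
    lookalike = sample_assertion("https://example-login.test", "example-login.test", challenge)
    print(check_binding(*lookalike, challenge))
```

A response produced on a lookalike domain fails both the origin and the site-hash checks, which is why a passkey cannot be "typed into the wrong form" the way a password can.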
The friction that holds back adoption is the right friction to be tracking. On a platform the size of Instagram, the cost of changing how hundreds of millions of people log in is real. So is the cost of not doing it: every account takeover that starts with a stolen or reused password is a cost Helme's list now names publicly. Whether that pressure produces movement on the holdouts above the fold is the test of the next 60 to 90 days.
What to watch. The list is now public, the major holdouts are named, and the industry has the technical plumbing. The test of the next 60 to 90 days is whether any of the named holdouts announce a passkey rollout. If at least one does, Helme's premise is confirmed and the rest of the list becomes the new roadmap. If none move, the list becomes a case study in what public exposure cannot do at this scale.
What readers can do today. Use passkeys where they are available, mostly through the password manager already on your phone or browser. On holdouts like Instagram, Netflix, and Spotify, the option simply is not there yet, which is the point of the list. The list does not unlock anyone's account. It makes the gap visible, and turns a security default the industry says is ready into a public benchmark the largest platforms now have to answer to.