A new website is putting some of the Internet’s most recognisable names on notice over their continued reliance on passwords. Whynopasskeys.com, created by security researchers Scott Helme and Troy Hunt, ranks the world’s most popular websites by whether they offer passkey support, a phishing-resistant alternative to traditional passwords.

The site’s launch-day findings make for uncomfortable reading for several major brands. Of the top 25 most-visited websites globally, seven, around 28 per cent, offer no passkey support whatsoever. That list includes household names such as Roblox and Baidu, platforms that between them serve hundreds of millions, and in some cases billions, of user accounts protected by little more than a password and, at best, multi-factor authentication.

Passkeys work differently to passwords. They are generated by a user’s own device and tied to both that device and the website they were created for, often relying on biometric methods such as Face ID or Touch ID, or a physical security key. Because there is nothing to type or remember, and nothing stored centrally that can be stolen in a breach, passkeys are considered significantly harder to phish than conventional credentials.

The site draws its rankings from Cloudflare Radar and the Tranco list to identify popular domains, while passkey adoption data comes from passkeys.directory, a community-maintained resource. Helme has acknowledged this is the project’s main limitation, since passkey support cannot be automatically detected the way HTTPS could.