FidentiKit

A Browser-Based Crawler for
Large-Scale Passkey Adoption Measurements

Abstract

Passkeys, discoverable WebAuthn credentials synchronized across devices, are widely promoted as the future of passwordless authentication. Built on the FIDO2 standard, they eliminate shared secrets and resist phishing while offering usability through platform credential managers. Since their introduction in 2022, major vendors have integrated passkeys into operating systems and browsers, and prominent websites have announced support. Yet the true extent of adoption across the broader web remains unknown.

Measuring this is challenging because websites implement passkeys in heterogeneous ways. Some expose explicit "Sign in with passkey" buttons, others hide options under multi-step flows or rely on conditional mediation, and many adopt external mechanisms such as JavaScript libraries or OAuth-based identity providers. There is no standardized discovery endpoint, and dynamic, JavaScript-heavy pages complicate automated detection.

This paper makes two contributions. First, we present FidentiKit, a browser-based crawler implementing 43 heuristics across five categories (UI elements, DOM structures, WebAuthn API calls, network patterns, and library detection), developed through iterative refinement over 1,500 sites. Second, we apply FidentiKit to the top 100,000 Tranco-ranked domains, producing the first large-scale census of passkey adoption. Our results show adoption strongly correlates with site popularity and often depends on external identity providers rather than native implementations.

Artifacts

Archive (Future-work)

This module will list all archived passkey snapshots in a table. You can filter and search the archive, for instance to select only domains with passkeys, only domains from a specific scan, or all domains matching a custom MongoDB query for fine-grained filtering.

Statistics (TODO)

This module allows you to compute statistics on our passkey archive. You can load the latest scan, a specific scan, or a ground truth to show aggregated statistics of the data, including the number of passkey implementations, login pages, authentication mechanisms, and the position of passkey buttons on the browser canvas.

Tranco+Passkey List (TODO)

This module allows you to download our passkey archive as a large JSON file. Since our API uses pagination and does not provide all data at once, we provide a large JSON file holding all passkey snapshots instead. The file allows you to apply your own parsing and queries for individual filtering.


FAQs

Passkeys are discoverable WebAuthn credentials synchronized across devices, widely promoted as the future of passwordless authentication. Built on the FIDO2 standard, they eliminate shared secrets and resist phishing while offering superior usability through platform credential managers. Passkeys use public-key cryptography where each credential consists of a public key stored on the server and a private key stored securely on the user's device. Authentication happens through cryptographic proof of possession of the private key, typically via biometrics (fingerprint, face recognition) or device PIN. Since their introduction in 2022, major vendors including Apple, Google, and Microsoft have integrated passkeys into operating systems and browsers, enabling seamless cross-device synchronization and authentication.

FidentiKit is an open-source browser-based crawler that implements 43 heuristics across five categories—UI elements, DOM structures, WebAuthn API calls, network patterns, and library detection—to detect passkey adoption across the web. It continuously iterates over websites, determines their login pages, and checks whether they support passkey authentication. FidentiKit uses detection techniques such as virtual authenticators to capture WebAuthn implementation parameters, making it the first large-scale measurement tool capable of comprehensively analyzing passkey adoption.

The passkey archive will be our central collection and long-term storage of artifacts and data, including every component of this website that lets you explore or download our archived data. FidentiKit is the tool that generates the data that is fed into our passkey archive. You can think of our passkey archive as the Tranco Top Sites Ranking and the Internet Archive's Wayback Machine but for passkey adoption research.

FidentiKit executes the following steps to determine login pages of websites:

  1. It navigates to the website and checks whether it is reachable.
  2. It scans the website for login pages using the following techniques:
    • it crawls the website for links pointing to the login page (with Playwright)
    • it tests well-known paths like shop.com/login or subdomains like login.shop.com
    • it scans the website's sitemap (with Playwright)
    • it scans the website's homepage (with Playwright)

FidentiKit executes the following steps to detect passkey support on login pages:

  1. It navigates to the login page and checks whether it is reachable.
  2. It scans the login page for passkey authentication using multiple detection techniques:
    • UI Element Detection: Searches for passkey-related buttons, biometric icons, and text patterns like "Sign in with passkey", "Use your passkey", or biometric indicators in the DOM and accessibility tree
    • JavaScript API Instrumentation: Hooks the navigator.credentials.create and navigator.credentials.get APIs to detect WebAuthn calls
    • Enterprise Pattern Detection: Identifies passkey implementations from major providers (Microsoft, Google, Apple, Adobe, BestBuy) using domain-specific patterns and CSS selectors
    • Keyword Scanning: Scans visible page text and titles for passkey-related keywords
    • Virtual Authenticator: Uses Chrome DevTools Protocol to set up a virtual FIDO2 authenticator and capture WebAuthn implementation parameters including create/get options, credentials, and CDP events
    • Metadata Detection: Checks for .well-known/passkey-endpoints and other well-known metadata files
  3. It stores snapshots in our passkey archive, including detection methods, indicators, element coordinates, WebAuthn parameters, screenshots, and implementation details.
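
The JavaScript API instrumentation step above, sketched as an added example (this is not FidentiKit's own code): a wrapper around `navigator.credentials.create` and `navigator.credentials.get` that records which WebAuthn options a page requests, including conditional mediation and whether a discoverable credential is expected. The function names `summarize` and `instrumentCredentials`, the recorded field names, and the stand-in navigator for `shop.example` are assumptions made for illustration.

```javascript
// Added example (not FidentiKit's code); function and field names are illustrative.
// Reduce one credentials.create/get call to the fields a crawler would archive.
function summarize(method, options) {
  const opts = options || {}, pk = opts.publicKey;
  if (!pk) return { method, webauthn: false }; // password or federated request
  const entry = {
    method, webauthn: true,
    mediation: opts.mediation || null, // "conditional" means autofill passkey UI
    rpId: pk.rpId || (pk.rp && pk.rp.id) || null,
    challengeBytes: pk.challenge ? pk.challenge.byteLength : 0, // size only
  };
  if (method === "create") {
    const sel = pk.authenticatorSelection || {};
    entry.residentKey = sel.residentKey || (sel.requireResidentKey ? "required" : null);
    entry.userVerification = sel.userVerification || null;
  } else {
    entry.userVerification = pk.userVerification || null;
    // No allowCredentials list: the site expects a discoverable credential.
    entry.discoverable = !(pk.allowCredentials && pk.allowCredentials.length);
  }
  return entry;
}
// Wrap both methods on a navigator-like object; calls pass through unchanged.
function instrumentCredentials(nav, log) {
  for (const method of ["create", "get"]) {
    const original = nav.credentials[method];
    if (typeof original !== "function" || original.__hooked) continue; // idempotent
    const hooked = function (options) {
      try { log.push(summarize(method, options)); } catch (_) { /* never break the page */ }
      return original.apply(this, arguments);
    };
    hooked.__hooked = true;
    nav.credentials[method] = hooked;
  }
  return log;
}
// Constructed stand-in for the browser's navigator so the block runs under Node.
function demo() {
  const stub = () => Promise.resolve(null);
  const nav = { credentials: { create: stub, get: stub } };
  const log = instrumentCredentials(nav, []);
  nav.credentials.get({ mediation: "conditional",
    publicKey: { challenge: new Uint8Array(32), rpId: "shop.example", userVerification: "preferred" } });
  nav.credentials.create({ publicKey: { challenge: new Uint8Array(16), rp: { id: "shop.example" },
    authenticatorSelection: { residentKey: "required", userVerification: "required" } } });
  nav.credentials.get({ password: true });
  return log;
}
console.log(demo());
```

In a browser crawl the wrapper has to be installed before any page script runs (with Playwright, `page.addInitScript` is one way to do that) and called as `instrumentCredentials(navigator, log)`.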

FidentiKit detects multiple authentication mechanisms:

  • Passkey Authentication: Using 43 heuristics across UI elements, JavaScript APIs, enterprise patterns, and virtual authenticator capture
  • Multi-Factor Authentication (MFA): Detects OTP input fields, MFA-related text, and QR codes
  • Password-Based Authentication: Identifies username/email and password input fields
  • Identity Providers (IDPs): Uses SSO-Monitor-inspired detection techniques to detect buttons for Apple, Google, Microsoft, GitHub, and Facebook

FidentiKit also captures detailed WebAuthn implementation parameters, including create/get options, credentials, and CDP events, when passkeys are detected (under development).

Yes, FidentiKit also detects username and password logins by integrating the LastPass password manager. Password managers already use sophisticated algorithms to find username and password fields. These algorithms go beyond checking the type attributes of <input> fields. LastPass is the most downloaded password manager with over 10 million users in the Chrome Web Store and has been extensively studied in academic research. The extension injects a uniquely identifiable icon into all username and password fields, allowing FidentiKit to identify all fields.

Passkey adoption measurement is crucial for understanding the transition from passwords to passwordless authentication. Large-scale measurements of passkey adoption are challenging because websites implement passkeys in heterogeneous ways: some expose explicit "Sign in with passkey" buttons, others hide options under multi-step flows or rely on conditional mediation, and many adopt external mechanisms such as JavaScript libraries or OAuth-based identity providers. There is no standardized discovery endpoint, and dynamic, JavaScript-heavy pages complicate automated detection. FidentiKit addresses these challenges with 43 heuristics developed through manual iterative refinement over sites. We see our open-source passkey archive and the FidentiKit tool as a baseline for future passkey adoption research. FidentiKit's extensible architecture and upcoming virtual authenticator capabilities enable comprehensive analysis of WebAuthn implementations, capturing not just detection but also detailed implementation parameters for security researchers.

Yes, FidentiKit is open-source and will be actively maintained for research purposes. Our passkey archive contains all data and is provided throughout this website in various formats, i.e., as downloadable JSON files or via APIs that can be filtered with queries. The archive includes detection results, WebAuthn implementation parameters, screenshots, and all artifacts captured during the analysis process.

Citation

If you use our data or tooling for your research, please feel free to cite our publication:

TBA
TBA

Contact

Feel free to contact us regarding this research, the artifacts, or the tooling.

  • TBA