Singapore’s Passkey Momentum Exposes Cracks in Asia’s Password Defenses

Singapore’s Singpass passkey rollout and Visa’s India launch highlight accelerating adoption across APAC. FIDO data shows 93% success rates, 73% faster logins and billions of active credentials. Yet hardware gaps and legacy systems reveal that execution matters more than intent. Real security gains emerge only with disciplined deployment.
Singapore’s Passkey Momentum Exposes Cracks in Asia’s Password Defenses
Written by Ava Callegari

Singapore is moving fast on passwordless logins. Its government digital identity platform now lets citizens use passkeys for Singpass access. The change turns mobile devices into cryptographic keys that resist phishing. Yet the shift also spotlights persistent gaps in how organizations across Asia Pacific handle authentication.

Passkeys rely on public-key cryptography. A private key stays locked on the user’s device. The server holds only the public counterpart. When a user signs in, the device signs a challenge. No secret crosses the network. Attackers cannot steal what was never sent. TechRepublic detailed how this architecture underpins both Singpass and enterprise tools such as Windows Hello for Business.

The region’s governments have noticed. Singapore’s GovTech rolled out passkeys to make phishing scams useless against the national digital ID system. Similar efforts appear elsewhere. Japan’s NTT DOCOMO features in early adopter data. Indian banks just began testing Visa Payment Passkeys with IDFC FIRST Bank. Users authenticate card transactions with a fingerprint, face scan or device PIN instead of waiting for SMS OTPs. Recent X posts from accounts like @SavingsSimpl and @business_today captured the excitement around this rollout in early July 2026.

Numbers tell a story of accelerating uptake. The FIDO Alliance’s Passkey Index, released in October 2025, drew from nine major organizations including Amazon, Google, Microsoft, PayPal, Target and TikTok. On average 93 percent of accounts proved eligible for passkeys. More than a third had one enrolled. Over a quarter of all sign-ins now use them. Success rates hit 93 percent compared with 63 percent for other methods. Sign-in time dropped 73 percent to an average of 8.5 seconds. Help-desk incidents tied to logins fell 81 percent. FIDO Alliance.

Andrew Shikiar, CEO of the FIDO Alliance, put it plainly. “The data in the Passkey Index marks the first time we have been able to measure the actual utilization and performance of passkeys. Thanks to this data from several early-adopting organizations, we can confidently say that passkeys are available, being used, and providing quantifiable benefits to deploying organizations.” He added that reducing reliance on passwords delivers tangible gains in success rates, user experience and risk reduction.

Global consumer awareness has climbed higher since. The FIDO Alliance’s State of Passkeys report for 2026 found 90 percent of people now recognize the technology. Seventy-five percent have enabled a passkey on at least one account. Five billion passkeys sit in active use worldwide. Organizational momentum follows. Descope’s analysis showed 45 percent of companies have deployed passkeys in at least one application. Another 27 percent plan to do so within two years. Forty-eight percent of the top 100 websites offer them, more than double the share in 2022. Descope.

Microsoft’s own rollout data reinforces the pattern. Users signing in with passkeys succeed at three times the rate of password flows. Sign-ins run eight times faster. The company registers more than one million passkeys daily across its services. Google reported 800 million accounts using passkeys and more than 2.5 billion sign-ins over two years. These platform defaults drive volume. Microsoft made passkeys the default option in May 2025 and saw 120 percent growth in usage. Crypto exchange Gemini mandated them the same month and recorded a 269 percent surge.

But adoption does not equal flawless execution. Singapore offers a cautionary case study. Windows 11 runs on 78.48 percent of desktops there, according to Statcounter data cited by TechRepublic. That OS version typically meets TPM 2.0 requirements needed for strong hardware isolation. Even so, older devices, disabled TPM chips, inconsistent provisioning and lingering legacy policies create hidden weaknesses. Organizations may think they run phishing-resistant authentication when the underlying hardware does not back it up.

Windows Hello for Business stores keys inside a Trusted Platform Module when configured correctly. The chip isolates credentials from the operating system. Without that protection the user experience looks identical yet delivers less security. Predictable PINs compound the issue. Users often pick birthdays or repeated digits because the credential never leaves the device. The short length works for local unlocking but fails against physical access attacks.

Layered defenses therefore remain essential. Hardware-backed credentials form one pillar. Conditional Access policies, risk signals, phishing-resistant multifactor methods and user training form others. No single control suffices when identity attacks grow more sophisticated. AI tools now generate convincing phishing sites, deepfake voice calls and tailored lures at scale. Singapore authorities have warned about this trend even as overall phishing incidents declined.

The FIDO Alliance chose Singapore for its first Authenticate APAC conference, set for June 2026 at the Grand Hyatt. Organizers pointed to the region’s rising influence. Government digital identity programs and commercial passkey deployments there help set global standards. Andrew Shikiar noted “tremendous innovation happening across APAC” and the need for a dedicated forum where local and global leaders can collaborate on secure, user-friendly authentication. FIDO Alliance.

Enterprise interest runs high in finance, aviation and payments. JAL Digital presenters plan to discuss massive-scale passkey deployment in the airline industry at the conference. Visa will address trust in agentic commerce and autonomous payments. Cathay Pacific added passkeys to its Asia Miles loyalty program in 2025, letting members sign in with biometrics or PIN instead of passwords. These moves signal that customer-facing sectors see both security and friction reduction as competitive advantages.

Challenges persist beyond hardware. Account recovery, credential sharing and delegation still trip up users and administrators. Research papers highlight misaligned perceptions. Many consumers overestimate password strength and underestimate passkey complexity during initial setup. Enterprises worry about legacy system integration and the cost of migrating millions of accounts. Descope found that 87 percent of organizations still rely on passwords for customer authentication. Only 2 percent believe passwords strike the right balance between security and experience. Competing priorities, limited in-house expertise and legacy modernization hurdles slow progress for nearly half of identity projects.

Hybrid strategies have emerged as the practical path. Many organizations pilot passkeys on secondary flows such as account recovery or low-risk logins. They keep password fallback options while gradually expanding phishing-resistant paths. Risk-based signals trigger step-up authentication when needed. A/B testing helps tune prompts and user education. The data shows clear payoffs once deployment matures. Higher completion rates translate into fewer abandoned sessions. Lower support tickets cut operational expense. Reduced fraud exposure protects both revenue and reputation.

Asia Pacific sits at an inflection point. High smartphone penetration, aggressive digital government programs and dense fintech activity create fertile ground. India’s UPI ecosystem already delivers frictionless payments. Adding Visa passkeys removes another weak link in the card transaction chain. Singapore’s Smart Nation initiative treats digital identity as infrastructure. Japan and South Korea push similar biometric and cryptographic standards in public and private systems.

Yet uneven device capabilities across markets complicate regional rollouts. Rural users in parts of Southeast Asia and India may rely on older phones without secure enclaves. Enterprise fleets contain mixed Windows, macOS and Linux endpoints. Cloud identity providers must therefore support synchronized passkeys across ecosystems while warning about the risks of over-reliance on synced credentials. If a device is compromised, a synced passkey could expose multiple services unless proper hardware isolation and monitoring stay in place.

Regulators watch closely. Updated guidelines increasingly favor phishing-resistant methods. NIST’s SP 800-63-4, finalized in 2025, recognizes passkeys as compliant for higher assurance levels. Similar thinking appears in APAC data protection and cybersecurity rules. Organizations that treat passkey migration as a compliance checkbox rather than a strategic security upgrade risk missing the operational gains.

The road ahead looks incremental but unstoppable. Billions of accounts already hold passkeys. Major platforms default to them. Early adopters report dramatic improvements in both security metrics and user satisfaction. Singapore’s experience demonstrates that government leadership can accelerate consumer familiarity. Enterprise deployments in travel, banking and retail prove the model scales.

Passwords will not vanish overnight. They still serve as recovery mechanisms and fallback options. The meaningful change lies in removing reusable secrets from the primary authentication path. When that happens, phishing loses its favorite target. Help desks field fewer reset requests. Users move through digital services with less friction. The data from FIDO, Microsoft, Google and others shows those benefits have moved beyond theory.

Security leaders in APAC now face a clearer choice. They can continue patching password policies and hope detection keeps pace with AI-powered attacks. Or they can invest in device-bound credentials, proper hardware configuration and layered controls that make stolen credentials useless. The second path demands more upfront attention to deployment quality. It delivers measurably better outcomes. Singapore’s progress and the region’s conference focus suggest many organizations have already started down that road.

Subscribe for Updates

CybersecurityUpdate Newsletter

The CybersecurityUpdate Email Newsletter is your essential source for the latest in cybersecurity news, threat intelligence, and risk management strategies. Perfect for IT security professionals and business leaders focused on protecting their organizations.

By signing up for our newsletter you agree to receive content related to ientry.com / webpronews.com and our affiliate partners. For additional information refer to our terms of service.

Notice an error?

Help us improve our content by reporting any issues you find.

Get the WebProNews newsletter delivered to your inbox

Get the free daily newsletter read by decision makers

Subscribe
Advertise with Us

Ready to get started?

Get our media kit

Advertise with Us