Passkeys -- discoverable WebAuthn credentials synchronised across devices are widely promoted as the future of passwordless authentication. Built on the FIDO2 standard, they eliminate shared secrets and resist phishing while offering usability through platform credential managers. Since their introduction in 2022, major vendors have integrated passkeys into operating systems and browsers, and prominent websites have announced support. Yet the true extent of adoption across the broader web remains unknown. Measuring this is challenging because websites implement passkeys in heterogeneous ways. Some expose explicit ``Sign in with passkey'' buttons, others hide options under multi-step flows or rely on conditional mediation, and many adopt external mechanisms such as JavaScript libraries or OAuth-based identity providers. There is no standardised discovery endpoint, and dynamic, JavaScript-heavy pages complicate automated detection. This paper makes two contributions. First, we present Fidentikit, a browser-based crawler implementing 43 heuristics across five categories -- UI elements, DOM structures, WebAuthn API calls, network patterns, and library detection developed through iterative refinement over manual examination of 1,500 sites. Second, we apply Fidentikit to the top 100,000 Tranco-ranked domains, producing the first large-scale census of passkey adoption. Our results show adoption strongly correlates with site popularity and often depends on external identity providers rather than native implementations.

翻译：通行密钥——一种可在设备间同步的、可被发现的WebAuthn凭证——被广泛宣传为无密码认证的未来发展方向。基于FIDO2标准构建的通行密钥消除了共享密钥的使用，能够抵御钓鱼攻击，并通过平台凭证管理器提供良好的可用性。自2022年推出以来，主流厂商已将其集成到操作系统和浏览器中，许多知名网站也宣布提供支持。然而，通行密钥在整个互联网范围内的实际采用程度仍然未知。由于各网站以异构方式实现通行密钥功能，其采用规模的测量面临挑战：部分网站提供显式的“使用通行密钥登录”按钮，有些则将选项隐藏在多步骤流程中或依赖条件式调停机制，还有许多网站采用JavaScript库或基于OAuth的身份提供商等外部机制。目前缺乏标准化的发现端点，且动态化、重度依赖JavaScript的页面结构使得自动化检测变得复杂。本文作出两项贡献：首先，我们提出了Fidentikit——一个基于浏览器的爬虫工具，通过对1,500个网站的人工检查进行迭代优化，最终形成了涵盖界面元素、DOM结构、WebAuthn API调用、网络流量模式和第三方库检测五大类别的43种启发式规则。其次，我们将Fidentikit应用于Tranco排名前10万的域名，首次完成了通行密钥采用情况的大规模普查。研究结果表明：通行密钥的采用率与网站流行度呈强相关性，且多数实现依赖于外部身份提供商而非原生方案。