Passkeys, WebAuthn & Ory: Future-proofing user authentication in the wake of a massive credential breach

After a 16B credential breach, secure your users. Learn how Ory, Passkeys, and WebAuthn future-proof authentication and eliminate password risks.

Justin Dolly

Chief Customer and Security Officer

Last week, security researchers uncovered a staggering breach: over 16 billion stolen credentials—including passwords for Apple, Google, Facebook, and more—were found circulating in underground forums. This is the largest credential dump ever discovered, and it underscores a painful truth: passwords are a liability.

They are easily stolen, reused across services, phished, guessed, and leaked. And as long as passwords remain the cornerstone of authentication, users and businesses will stay exposed to large-scale compromise. It’s time to evolve. Passkeys and WebAuthn offer a modern, secure alternative—and with Ory, implementing them is easier than ever.

What happened in the breach?

The breach, first reported here, includes credentials stolen from thousands of services over the past decade, compiled into a “Mother of All Breaches.” Many of the leaked passwords are still active and in use today.

This breach is the latest in a long line of wake-up calls: traditional login methods are no longer good enough.

Why passwords keep failing

Despite better password policies and password managers, breaches like this keep happening. Why?

  • Users reuse passwords across sites
  • Phishing and credential stuffing remain effective
  • Stolen passwords are sold, reused, and exploited instantly

No amount of password hygiene can fully mitigate these systemic issues. It’s time to consider moving away from passwords entirely—especially when modern standards and user-friendly alternatives are available to organizations.

The solution: WebAuthn & passkeys

WebAuthn is a web standard developed by the FIDO Alliance and W3C. It allows apps and websites to authenticate users using cryptographic credentials stored securely on a user’s device.

Passkeys are the user-friendly implementation of WebAuthn:

  • They replace passwords with public-private key pairs
  • They’re protected by biometric authentication (e.g. Face ID, fingerprint)
  • They sync across devices via iCloud Keychain or Google Password Manager
  • They are phishing-resistant by design

Passkeys are already supported by Apple, Google, Microsoft, and leading browsers. Adoption is accelerating—and the recent breach shows why it can’t happen fast enough.

How Ory enables passwordless authentication

At Ory, we’ve built native support for WebAuthn and Passkeys into our identity engine, Ory Kratos, so organizations can move to passwordless authentication without compromising flexibility, performance, or security.

With Ory, you get:

  • Turnkey support for WebAuthn: Register, authenticate, and manage passkeys securely
  • Open standards: No vendor lock-in, full interoperability
  • Scalable identity APIs: Handle millions of users globally, with performance built-in
  • Composable architecture: Integrate seamlessly into your app stack—your way (frontend, mobile, backend)

Ory also supports fallback mechanisms like TOTP or magic links, allowing you to offer passkeys without excluding users on legacy devices.

Why it matters now

Organizations using Ory have already begun migrating to passkey-first authentication. Some of our enterprise customers have recently enabled passkeys across their consumer-facing applications:

  • Authentication speed improved by 40%
  • Credential-related (e.g. password reset) support tickets dropped dramatically
  • Attack surface for credential stuffing was eliminated

In light of this breach, delaying passwordless adoption is no longer just a risk; it’s simply a liability.

The path forward

Credential breaches won’t stop. But your users—your business—don’t need to be caught in the crossfire.

With passkeys and Ory, you can:

  • Eliminate passwords from your authentication flow
  • Protect users from phishing, reuse, and theft
  • Build on open standards supported by the global security community
  • Deploy at global scale, on your terms
  • Improve adoption of multi-factor authentication (i.e. MFA, 2FA)

Ready to migrate?

If you're still using passwords in 2025, you're taking unnecessary risks. With tools like Ory Kratos, migration to passkeys is not only possible—it’s easier than ever.

Contact us to start your passwordless journey with Ory