Hardware-bound passkeys offer AAL3 assurance, but synced passkeys dominate consumer adoption. Here’s why distribution and UX matter more. Hardware-bound passkeys have a market problem, not a crypto problem Hardware-bound passkeys are the strongest consumer passkey model on paper. The private key stays inside a physical secure element, which is why they can reach NIST AAL3, while synced passkeys are capped at AAL2. But consumer adoption tells a different story. The FIDO Alliance Authentication Barometer 2024 shows that hardware-bound passkey activation in consumer banking is still below 5 percent in 2025. That is the core tension: the highest-assurance option exists, standards are mature, and yet almost nobody uses it at scale in consumer apps. The reason is not weak hardware. It is distribution and default UX. Apple and Google control over 99 percent of mobile share, and they decide which passkey option users see first.…