UK National Cyber Security Centre Recommends Passkeys as Replacement for Passwords
Introduction
The UK's National Cyber Security Centre (NCSC) has updated its advice. It now recommends that users adopt passkeys as the main method of authentication for digital services. This effectively means the NCSC no longer supports the use of traditional passwords where passkeys are available. The change reflects the agency's assessment that passwords are not strong enough to resist modern cyber threats.
Main Body
The NCSC made the announcement on Thursday. It marks a clear change from decades of relying on passwords for security. The agency stated that passkeys – a way to log in without a password – should be the first choice for users on all digital platforms.

Passkeys are digital credentials stored on a user's device. They are created using public key cryptography. Unlike passwords, they cannot be stolen through phishing attacks because no secret is sent during login. Instead, the user's device verifies the user's identity using biometric methods, such as facial recognition or fingerprint scanning, or a device PIN. Each passkey is unique to a specific website or app, so even if a service's database is breached, the private key stored on the device remains out of the attackers' reach.

Major platforms are already adopting passkeys. Apple, Google, and X support the technology. Google reported that just over 50% of its UK users have registered a passkey. The FIDO Alliance, an industry group that promotes passwordless authentication, said that passkeys are now supported on all major operating systems, browsers, and by third-party providers. The UK Government also added passkeys to its digital services last year.

The NCSC admitted that it had previously avoided supporting passkeys because of implementation problems and uneven support, but now believes those issues are mostly solved.

Experts have responded cautiously to the change. Dave Chismon, a senior technical expert at the NCSC, pointed out that passwords have never been perfect. Extra security measures, like two-factor authentication, make things harder for users and are still at risk from phishing. He said passkeys are faster and easier for users. Jonathan Ellison, the NCSC's director for national resilience, described passkeys as a user-friendly alternative. They provide stronger overall security and reduce the mental effort of remembering passwords.
However, some cybersecurity experts have warned that passkeys are not a perfect solution. Daniel Card from the BCS, the Chartered Institute for IT, noted that losing a device or losing access to it can make passkey setup difficult. Alan Woodward, a professor of cybersecurity at the University of Surrey, said that although facial recognition has improved with liveness detection, risks still exist. For example, a family member or partner might know a device's PIN. He stressed that keeping the PIN private is an obvious way to protect yourself.

The NCSC also repeated its general cybersecurity advice. Where passkeys are not available, users should use a password manager to create and store strong, unique passwords, and turn on multi-factor authentication. Other advice includes updating apps and operating systems regularly, avoiding suspicious emails and links, and never using the same password on different sites. The fact that weak passwords like '123456' and 'password' are still common was highlighted as a continuing weakness. This shows why moving to passkeys is important.
Conclusion
The NCSC's recommendation is a major change in how we think about logging in. It puts passkeys first as a more secure and user-friendly option than passwords. Although there are limitations – for example, you need access to your device and broad support from platforms – the growing use by big tech companies and government services suggests that passkeys will become common. Users are advised to use passkeys where possible and to keep good cybersecurity habits in all other situations.