UK National Cyber Security Centre Recommends Passkeys as Replacement for Passwords

Introduction

The UK's National Cyber Security Centre (NCSC) has issued a revised recommendation advising users to adopt passkeys as the primary method of authentication for digital services, effectively deprecating the use of traditional passwords where passkeys are available. This change reflects an assessment that passwords are insufficiently resilient against contemporary cyber threats.

Main Body

The NCSC's announcement, made on Thursday, marks a deliberate departure from decades of reliance on password-based security. The agency stated that passkeys—a form of passwordless authentication—should be the first choice for consumers across all digital platforms. Passkeys function as a digital credential stored on a user's device, generated through public key cryptography. Unlike passwords, they cannot be stolen via phishing attacks because no secret information is transmitted during login. Instead, authentication is performed at the device level using biometric methods (e.g., facial recognition or fingerprint scanning) or a device PIN. Each passkey is unique to the specific website or application, and even if a service's database is breached, the private key held on the device remains inaccessible to attackers.

Adoption of passkeys has been growing across major platforms. Apple, Google, and X already support the technology, and Google reported that just over 50% of its UK users have registered a passkey. The FIDO Alliance, an industry association promoting passwordless authentication, stated that passkeys are now supported across all major operating systems, browsers, and by third-party providers. The UK Government also integrated passkeys into its digital services last year. The NCSC acknowledged that it had previously refrained from endorsing passkeys due to implementation challenges and uneven support, but now considers those obstacles largely resolved.

Expert commentary on the shift has been measured. Dave Chismon, a senior technical expert at the NCSC, noted that passwords have never been a perfect solution because additional security measures—such as two-factor authentication—increase user burden while remaining vulnerable to phishing. He described passkeys as quicker and simpler for users. Jonathan Ellison, the NCSC's director for national resilience, characterized passkeys as a user-friendly alternative that provides stronger overall resilience and alleviates the cognitive load of remembering passwords.

However, some cybersecurity professionals have cautioned that passkeys are not a panacea. Daniel Card of the BCS, the Chartered Institute for IT, observed that losing a device or losing access to it can complicate passkey configuration. Alan Woodward, a professor of cybersecurity at the University of Surrey, noted that while facial recognition has improved with liveness detection, risks remain—for example, a family member or partner knowing a device's PIN. He emphasized that keeping the PIN private is an obvious defense.

The NCSC also reiterated broader cybersecurity hygiene recommendations. Where passkeys are not supported, users should employ a password manager to generate and store strong, unique passwords, and enable multi-factor authentication. Other advice includes regularly updating apps and operating systems, avoiding suspicious emails and links, and never reusing passwords across sites. The persistence of weak passwords—such as "123456" and "password"—was highlighted as a continuing vulnerability, underscoring the rationale for transitioning to passkeys.
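The passkey login described in the Main Body above can be modelled in a few lines. The following is an added example, not code from the NCSC or the FIDO Alliance, and it is a simplified model rather than the full WebAuthn protocol; the class names and the site names bank.example and bank-login.example are constructed for illustration. It shows the service holding only a public key, the device signing a fresh challenge bound to the site's origin, and a lookalike site or a replayed response being rejected.

```javascript
// Simplified passkey login model (added example, not full WebAuthn); names are constructed.
const crypto = require('node:crypto');
const sha256 = (s) => crypto.createHash('sha256').update(s).digest();
// Authenticator on the user's device: one key pair per site (rpId).
class Authenticator {
  constructor() { this.keys = new Map(); }
  register(rpId) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.keys.set(rpId, privateKey); // private key stays on the device
    return publicKey.export({ type: 'spki', format: 'pem' });
  }
  // origin is what the browser actually loaded, not what the page claims to be.
  getAssertion(origin, challenge) {
    const rpId = new URL(origin).hostname;
    const privateKey = this.keys.get(rpId);
    if (!privateKey) return null; // no passkey exists for this site
    const clientData = JSON.stringify({ challenge, origin });
    const signed = Buffer.concat([sha256(rpId), sha256(clientData)]);
    return { clientData, signature: crypto.sign('sha256', signed, privateKey) };
  }
}
// The service stores only the public key and checks challenge, origin, signature.
class RelyingParty {
  constructor(origin) {
    Object.assign(this, { origin, rpId: new URL(origin).hostname, pending: new Set() });
  }
  enroll(publicKeyPem) { this.publicKeyPem = publicKeyPem; }
  newChallenge() {
    const c = crypto.randomBytes(32).toString('hex');
    this.pending.add(c);
    return c;
  }
  verify(assertion) {
    if (!assertion) return false;
    const { challenge, origin } = JSON.parse(assertion.clientData);
    if (!this.pending.delete(challenge)) return false; // unknown or replayed challenge
    if (origin !== this.origin) return false; // signed for a different site
    const signed = Buffer.concat([sha256(this.rpId), sha256(assertion.clientData)]);
    return crypto.verify('sha256', signed, this.publicKeyPem, assertion.signature);
  }
}
function demo() {
  const device = new Authenticator();
  const site = new RelyingParty('https://bank.example');
  site.enroll(device.register('bank.example'));
  const good = device.getAssertion('https://bank.example', site.newChallenge());
  const lookalike = device.getAssertion('https://bank-login.example', site.newChallenge());
  return { login: site.verify(good), replay: site.verify(good), lookalike: site.verify(lookalike) };
}
console.log(demo());
```

The only value the service keeps is the PEM-encoded public key, which is why a breach of its database yields nothing that can sign a login.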

Conclusion

The NCSC's recommendation represents a significant evolution in authentication strategy, prioritizing passkeys as a more secure and user-friendly alternative to passwords. While not without limitations—such as dependency on device access and the need for broad platform support—the growing adoption by major technology firms and government services suggests a trajectory toward widespread implementation. Users are advised to adopt passkeys where available and to maintain robust cyber hygiene practices in all other contexts.

Vocabulary Learning

alleviates (v.)
Relieve / To make something less severe or burdensome
Example: Passkeys alleviate the cognitive load of remembering complex passwords.
deprecating (v.)
Disapprove / To recommend against the use of something, often marking it as outdated
Example: The NCSC is effectively deprecating traditional passwords in favor of passkeys.
panacea (n.)
Cure-all / A solution or remedy believed to solve all problems
Example: Cybersecurity professionals have cautioned that passkeys are not a panacea for all security issues.
resilient (adj.)
Robust / Able to resist or recover quickly from adverse conditions
Example: The assessment concluded that passwords are insufficiently resilient against contemporary cyber threats.
trajectory (n.)
Path / The course or direction of development
Example: The growing adoption by major firms suggests a trajectory toward widespread implementation.

Sentence Learning

The NCSC's announcement, made on Thursday, marks a deliberate departure from decades of reliance on password-based security.
Reduced Relative Clause & Nominalization: The sentence uses a reduced relative clause ("made on Thursday") which omits the relative pronoun and auxiliary verb ("which was made"), creating a compact participial phrase. Additionally, the nouns "departure" and "reliance" are nominalizations, converting actions into abstract nouns, which increases lexical density and formality.
The NCSC acknowledged that it had previously refrained from endorsing passkeys due to implementation challenges and uneven support, but now considers those obstacles largely resolved.
Complex Subordination & Object Complement: The sentence features a complex subordinate clause introduced by "that", containing past perfect tense ("had refrained") to indicate prior action. The main clause uses an object complement structure: "considers those obstacles largely resolved" where "largely resolved" complements the object "those obstacles", describing its state. This construction is typical of formal writing.
Jonathan Ellison, the NCSC's director for national resilience, characterized passkeys as a user-friendly alternative that provides stronger overall resilience and alleviates the cognitive load of remembering passwords.
Appositive Phrase & Relative Clause: The sentence begins with an appositive phrase ("the NCSC's director for national resilience") that renames the subject, providing additional information without a separate clause. It then uses a relative clause ("that provides... and alleviates...") to modify "alternative", embedding two parallel verb phrases. This adds complexity and detail.
Daniel Card of the BCS, the Chartered Institute for IT, observed that losing a device or losing access to it can complicate passkey configuration.
Appositive Phrase & Gerund as Subject: The sentence includes an appositive ("the Chartered Institute for IT") specifying the organization. The subordinate clause uses gerund phrases ("losing a device or losing access to it") as the subject of the verb "can complicate". Gerund subjects are a hallmark of advanced English, allowing actions to be treated as nouns.
While not without limitations—such as dependency on device access and the need for broad platform support—the growing adoption by major technology firms and government services suggests a trajectory toward widespread implementation.
Concessive Phrase & Complex Subject with Nominalization: The sentence opens with a concessive phrase ("While not without limitations") that acknowledges a counterpoint, followed by a dash-enclosed example. The main subject is a complex noun phrase ("the growing adoption by major technology firms and government services") containing nominalization ("adoption") and prepositional phrases. This structure allows dense information packing typical of C2 level.