UK Cyber Centre Says Use Passkeys Instead of Passwords
Introduction
The UK's National Cyber Security Centre (NCSC) now tells people to use passkeys. Passkeys are a new way to log in. They are better than passwords.
Main Body
A passkey is a digital key on your phone or computer. You use your face or finger to log in. No one can steal it from far away. Each passkey works for only one website. Apple, Google, and X support passkeys. Many people in the UK use them. The UK government also uses passkeys. The NCSC says the technology is now ready. Experts say passkeys are faster and safer. But they are not perfect. If you lose your phone, you may have problems. Keep your PIN secret. A family member should not know it. If you cannot use a passkey, use a password manager. Do not use simple passwords like "123456" or "password". Always update your apps and phone. Do not click on strange links.
Conclusion
The NCSC says passkeys are the future. They are safer and easier. Use them when you can. For other times, follow good safety rules.
UK National Cyber Security Centre Recommends Passkeys as Replacement for Passwords
Introduction
The UK's National Cyber Security Centre (NCSC) has updated its advice. It now recommends that users adopt passkeys as the main method of authentication for digital services. This effectively means the NCSC no longer supports the use of traditional passwords where passkeys are available. The change reflects the agency's assessment that passwords are not strong enough to resist modern cyber threats.
Main Body
The NCSC made the announcement on Thursday. It marks a clear change from decades of using passwords for security. The agency stated that passkeys – a way to log in without a password – should be the first choice for users on all digital platforms.
Passkeys are digital credentials stored on a user's device. They are created using public key cryptography. Unlike passwords, they cannot be stolen through phishing attacks because no secret information is sent during login. Instead, the user's device checks their identity using biometric methods, such as facial recognition or fingerprint scanning, or a device PIN. Each passkey is unique to a specific website or app. Even if a service's database is hacked, the private key stored on the device stays safe from attackers.
Major platforms are already adopting passkeys. Apple, Google, and X support the technology. Google reported that just over 50% of its UK users have registered a passkey. The FIDO Alliance, an industry group that promotes passwordless authentication, said that passkeys are now supported on all major operating systems, browsers, and by third-party providers. The UK Government also added passkeys to its digital services last year. The NCSC admitted that it had previously avoided supporting passkeys because of implementation problems and uneven support, but now believes those issues are mostly solved.
Experts have given careful comments on this change. Dave Chismon, a senior technical expert at the NCSC, pointed out that passwords have never been perfect. Extra security measures, like two-factor authentication, make things harder for users and are still at risk from phishing. He said passkeys are faster and easier for users. Jonathan Ellison, the NCSC's director for national resilience, described passkeys as a user-friendly alternative. They provide stronger overall security and reduce the mental effort of remembering passwords.
However, some cybersecurity experts have warned that passkeys are not a perfect solution. Daniel Card from the BCS, the Chartered Institute for IT, noted that losing a device or losing access to it can make passkey setup difficult. Alan Woodward, a professor of cybersecurity at the University of Surrey, said that although facial recognition has improved with liveness detection, risks still exist. For example, a family member or partner might know a device's PIN. He stressed that keeping the PIN private is an obvious way to protect yourself.
The NCSC also repeated its general cybersecurity advice. Where passkeys are not available, users should use a password manager to create and store strong, unique passwords, and turn on multi-factor authentication. Other advice includes updating apps and operating systems regularly, avoiding suspicious emails and links, and never using the same password on different sites. The fact that weak passwords like '123456' and 'password' are still common was highlighted as a continuing weakness. This shows why moving to passkeys is important.
Conclusion
The NCSC's recommendation is a major change in how we think about logging in. It puts passkeys first as a more secure and user-friendly option than passwords. Although there are limitations – for example, you need access to your device and broad support from platforms – the growing use by big tech companies and government services suggests that passkeys will become common. Users are advised to use passkeys where possible and to keep good cybersecurity habits in all other situations.
UK National Cyber Security Centre Recommends Passkeys as Replacement for Passwords
Introduction
The UK's National Cyber Security Centre (NCSC) has issued a revised recommendation advising users to adopt passkeys as the primary method of authentication for digital services, effectively deprecating the use of traditional passwords where passkeys are available. This change reflects an assessment that passwords are insufficiently resilient against contemporary cyber threats.
Main Body
The NCSC's announcement, made on Thursday, marks a deliberate departure from decades of reliance on password-based security. The agency stated that passkeys—a form of passwordless authentication—should be the first choice for consumers across all digital platforms.
Passkeys function as a digital credential stored on a user's device, generated through public key cryptography. Unlike passwords, they cannot be stolen via phishing attacks because no secret information is transmitted during login. Instead, authentication is performed at the device level using biometric methods (e.g., facial recognition or fingerprint scanning) or a device PIN. Each passkey is unique to the specific website or application, and even if a service's database is breached, the private key held on the device remains inaccessible to attackers.
Adoption of passkeys has been growing across major platforms. Apple, Google, and X already support the technology, and Google reported that just over 50% of its UK users have registered a passkey. The FIDO Alliance, an industry association promoting passwordless authentication, stated that passkeys are now supported across all major operating systems, browsers, and by third-party providers. The UK Government also integrated passkeys into its digital services last year. The NCSC acknowledged that it had previously refrained from endorsing passkeys due to implementation challenges and uneven support, but now considers those obstacles largely resolved.
Expert commentary on the shift has been measured. Dave Chismon, a senior technical expert at the NCSC, noted that passwords have never been a perfect solution because additional security measures—such as two-factor authentication—increase user burden while remaining vulnerable to phishing. He described passkeys as quicker and simpler for users. Jonathan Ellison, the NCSC's director for national resilience, characterized passkeys as a user-friendly alternative that provides stronger overall resilience and alleviates the cognitive load of remembering passwords.
However, some cybersecurity professionals have cautioned that passkeys are not a panacea. Daniel Card of the BCS, the Chartered Institute for IT, observed that losing a device or losing access to it can complicate passkey configuration. Alan Woodward, a professor of cybersecurity at the University of Surrey, noted that while facial recognition has improved with liveness detection, risks remain—for example, a family member or partner knowing a device's PIN. He emphasized that keeping the PIN private is an obvious defense.
The NCSC also reiterated broader cybersecurity hygiene recommendations. Where passkeys are not supported, users should employ a password manager to generate and store strong, unique passwords, and enable multi-factor authentication. Other advice includes regularly updating apps and operating systems, avoiding suspicious emails and links, and never reusing passwords across sites. The persistence of weak passwords—such as "123456" and "password"—was highlighted as a continuing vulnerability, underscoring the rationale for transitioning to passkeys.
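The passkey login described above, sketched as an added example (not code from the NCSC or from any passkey implementation). It is a simplified model rather than the WebAuthn wire format; the `Authenticator` and `Service` classes, the origins and the user name are constructed for illustration. It shows that the service stores only a public key, that a look-alike origin gets no signature, and that a captured response cannot be replayed.

```javascript
// Simplified model of a passkey login (added illustration, not the WebAuthn wire format).
const nodeCrypto = require('node:crypto');

// The signature covers the challenge and the origin the browser actually loaded.
const signedData = (origin, challenge) => Buffer.concat([Buffer.from(origin + '\n'), challenge]);

// Device side: one key pair per site; private keys never leave this object.
class Authenticator {
  constructor() { this.keys = new Map(); }               // origin -> private key
  register(origin) {
    const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.keys.set(origin, privateKey);
    return publicKey;                                    // only this goes to the site
  }
  sign(origin, challenge) {
    const key = this.keys.get(origin);
    if (!key) return null;                               // no passkey for this origin
    return nodeCrypto.sign('sha256', signedData(origin, challenge), key);
  }
}

// Service side: stores public keys and issues single-use random challenges.
class Service {
  constructor(origin) { this.origin = origin; this.users = new Map(); this.pending = new Set(); }
  enroll(user, publicKey) { this.users.set(user, publicKey); }
  newChallenge() {
    const c = nodeCrypto.randomBytes(32);
    this.pending.add(c.toString('hex'));
    return c;
  }
  verify(user, challenge, signature) {
    const pub = this.users.get(user);
    if (!pub || !signature) return false;
    if (!this.pending.delete(challenge.toString('hex'))) return false; // unknown or replayed
    return nodeCrypto.verify('sha256', signedData(this.origin, challenge), pub, signature);
  }
}

function demo() {
  const device = new Authenticator();
  const site = new Service('https://shop.example');      // constructed origin and user
  site.enroll('alice', device.register(site.origin));
  const c = site.newChallenge();
  const sig = device.sign(site.origin, c);
  return {
    genuine: site.verify('alice', c, sig),               // true
    replayed: site.verify('alice', c, sig),              // false: challenge already used
    lookalike: device.sign('https://shop-example.test', site.newChallenge()), // null
    storedKeyType: site.users.get('alice').type,         // 'public'
  };
}
console.log(demo());
```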
Conclusion
The NCSC's recommendation represents a significant evolution in authentication strategy, prioritizing passkeys as a more secure and user-friendly alternative to passwords. While not without limitations—such as dependency on device access and the need for broad platform support—the growing adoption by major technology firms and government services suggests a trajectory toward widespread implementation. Users are advised to adopt passkeys where available and to maintain robust cyber hygiene practices in all other contexts.