UK Cyber Agency Urges Public to Ditch Passwords for Secure Passkeys

The National Cyber Security Centre (NCSC) has issued a stark warning to the British public, advising them to abandon traditional passwords in favour of new, more secure passkey technology. The agency, which operates as part of GCHQ, states that this move represents a fundamental overhaul of decades-old digital security practices.

Why Passwords Are Now Deemed Inadequate

The NCSC highlights that most phishing attacks begin with criminals compromising or stealing login credentials. Passwords, stored on servers, are vulnerable to theft during data breaches, putting users at significant risk. In contrast, passkeys operate on a completely different principle, one that takes what experts call "entire classes of attacks" away from hackers.

Chris Hosking from cybersecurity firm SentinelOne explained: "The reality is we all juggle dozens of logins. Expecting people to create and manage strong, unique passwords for each one isn't realistic. Inevitably, people reuse them or stick with the same ones for years. That's why so many major breaches start the same way."

How Passkeys Work and Their Advantages

Passkeys function as a "digital stamp" created and stored directly on a user's device—such as a smartphone, computer, or tablet. They typically utilise biometric data like fingerprints or facial recognition, or a device PIN, to authenticate access. This method offers several key benefits:

  • Enhanced Security: Passkeys cannot be stolen from servers. Even if a website using passkeys is breached, hackers only access "public" keys, which are useless on their own.
  • Convenience: Users no longer need to remember complex passwords or wait for time-sensitive codes via text message. IT experts estimate passkeys save approximately one minute per login.
  • Resilience: The key remains on the device and cannot be easily intercepted, preventing third parties from accessing accounts from other devices.

Jonathon Ellison, NCSC Director for National Resilience, stated: "Passkeys provide a user-friendly alternative which provides stronger overall resilience. As we aim to accelerate the UK's cyber defences at scale, moving to passkeys is something all of us can do to improve security."

Government Adoption and Industry Progress

The UK government has already implemented passkeys across many digital services, including the NHS. Beyond securing sensitive health data, this shift has reportedly generated significant cost savings by eliminating the need for multi-factor authentication systems like SMS codes.

Major online platforms—including Google, Microsoft, PayPal, and eBay—have also adopted passkey technology. Google data indicates over half of its UK users are now registered with a passkey.

Dr Richard Horne, CEO of the NCSC, emphasised the urgency of this transition, particularly following the 2025 cyber attacks on retailers Marks and Spencer, the Co-op, and Harrods. He described Britain's cyber threat landscape as "diverse and dramatic," noting the NCSC managed over 200 incidents between September and March, with twice as many nationally significant incidents compared to the previous year.

Technical Assurance and Future Recommendations

The NCSC, which initially hesitated to endorse passkeys due to implementation concerns, now asserts that tech industry advancements have made them both secure and user-friendly. A forthcoming technical report will confirm that passkeys are as secure as, if not more secure than, the strongest possible password combined with two-step verification.

For services not yet supporting passkeys, the NCSC advises using password managers to generate robust passwords and maintaining two-step verification. This layered approach ensures continued protection as the digital landscape evolves.

Dr Horne concluded: "We are overhauling decades of practice. This is about preparing for modern and future cyber threats, making everyday digital services safer for everyone."
