Passkeys now good enough to be the default standard • The Register


The UK’s National Cyber Security Centre (NCSC) has officially endorsed passkeys as the default authentication standard, marking the first time the agency has told consumers to stop using passwords wherever a passkey is on offer.

New official guidance states that passwords should not be used where passkeys are available, overturning decades of conventional advice. A technical report, released today at the NCSC’s annual CYBERUK conference, concludes passkeys “are at least as secure as, and generally more secure than” a password and two-step verification (2SV) combo.

The agency had considered this move last year, but held off until some “implementation challenges” were addressed by the industry, including inconsistent passkey naming across platforms, unreliable device support, and limited credential manager compatibility. Those gaps have since narrowed enough to act.

Google, eBay, and PayPal were named by NCSC as three major platforms that made it easier for users to adopt passkeys, with around 50 percent of UK Google users registering at least one. Microsoft made passkeys the default standard nearly a year ago.

Where passkeys aren’t available, the agency, which is part of signals intelligence outfit GCHQ, advises consumers and businesses to keep using the password+2SV combo, but to use a password manager so those passwords remain long, random, and unique to each service.

As Reg readers know, keeping passwords unique means that if, for example, they end up in an infostealer dump, they can’t be replayed against other services in a credential-stuffing attack. Using 2SV on top of that adds another layer of protection in case a cybercrim does get hold of the correct username-password pair.

Jonathon Ellison, director for national resilience at the NCSC, said:

“The headaches that remembering passwords have caused us for decades no longer need to be a part of logging in where users migrate to passkeys – they are a user-friendly alternative that provides stronger overall resilience.

“As we aim to accelerate the UK’s cyber defenses at scale, moving to passkeys is something all of us can do to improve the security of everyday digital services and be prepared for modern and future cyber threats.”

Passkeys work by generating a cryptographic key pair on the user’s device at registration: the private key stays on the device (or in a synced credential manager) and only the public key is handed to the service. Logging in means signing a fresh challenge from the service, and the browser or operating system will only do that for the website the credential was registered to, so there is no shared secret to guess or leak and a look-alike domain cannot obtain a usable signature. The NCSC says they are up to eight times faster to use than passwords, and they eliminate the fatigue of creating and remembering credentials.
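To make the phishing-resistance argument concrete, here is an added example (not code from the NCSC report or from The Register) that models a WebAuthn-style registration and login ceremony in a single Go program. It is a simplification: the authenticator, browser origin check and relying party are all simulated in-process, the authenticator data is a minimal rpIdHash/flags/counter layout, and the names `Authenticator`, `RelyingParty`, `Register`, `Assert` and `Verify` plus the domains `example.com` and `examp1e.com` are this example’s own constructions, not a real library API.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Authenticator holds one passkey: a P-256 private key minted for a single
// relying-party ID (rpID) at registration. The private key never leaves it.
type Authenticator struct {
	rpID string
	priv *ecdsa.PrivateKey
}

// RelyingParty is the website. It stores only the public key.
type RelyingParty struct {
	ID     string // hypothetical: "example.com"
	Origin string // hypothetical: "https://example.com"
	pub    *ecdsa.PublicKey
}

// clientData mirrors WebAuthn clientDataJSON. In a real browser the origin
// field is filled in by the browser, never by the web page.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is what the RP gets back: authenticator data, the clientDataJSON
// bytes, and a signature over authData || SHA-256(clientDataJSON).
type Assertion struct {
	AuthData, ClientData, Signature []byte
}

// Register creates the key pair on the authenticator, scoped to rp.ID, and
// registers the public key with the relying party.
func Register(rp *RelyingParty) (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	rp.pub = &priv.PublicKey
	return &Authenticator{rpID: rp.ID, priv: priv}, nil
}

// NewChallenge returns a fresh random challenge; the RP issues one per login.
func NewChallenge() string {
	b := make([]byte, 16)
	rand.Read(b)
	return fmt.Sprintf("%x", b)
}

// Assert plays browser plus authenticator. The browser only lets an origin use
// a credential whose rpID is the origin's host or a parent domain of it, so a
// look-alike domain cannot even ask for a signature.
func (a *Authenticator) Assert(origin, challenge string) (*Assertion, error) {
	host := strings.TrimPrefix(origin, "https://") // toy origin parsing
	if host != a.rpID && !strings.HasSuffix(host, "."+a.rpID) {
		return nil, fmt.Errorf("origin %s is not within rpID %s", origin, a.rpID)
	}
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	rpHash := sha256.Sum256([]byte(a.rpID))
	authData := append(rpHash[:], 0x01, 0, 0, 0, 0) // rpIdHash || flags(UP) || signCount
	cdHash := sha256.Sum256(cd)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, msg[:])
	if err != nil {
		return nil, err
	}
	return &Assertion{AuthData: authData, ClientData: cd, Signature: sig}, nil
}

// Verify is the RP side: its own challenge, its own origin, its own rpIdHash,
// and a valid signature under the public key registered for this user.
func (rp *RelyingParty) Verify(challenge string, as *Assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientData, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != challenge {
		return errors.New("challenge mismatch: replayed or stale assertion")
	}
	if cd.Origin != rp.Origin {
		return errors.New("origin mismatch: assertion was made for " + cd.Origin)
	}
	want := sha256.Sum256([]byte(rp.ID))
	if len(as.AuthData) < 32 || string(as.AuthData[:32]) != string(want[:]) {
		return errors.New("rpIdHash mismatch")
	}
	cdHash := sha256.Sum256(as.ClientData)
	msg := sha256.Sum256(append(append([]byte{}, as.AuthData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(rp.pub, msg[:], as.Signature) {
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	rp := &RelyingParty{ID: "example.com", Origin: "https://example.com"}
	auth, _ := Register(rp)
	ch := NewChallenge()
	as, _ := auth.Assert("https://example.com", ch)
	fmt.Println("genuine login:", rp.Verify(ch, as))   // <nil>
	_, err := auth.Assert("https://examp1e.com", ch) // phishing domain
	fmt.Println("look-alike site:", err)
}
```

Two checks do the phishing-resistance work: the authenticator refuses to sign for an origin outside the credential’s rpID scope, and the RP independently rejects any assertion whose signed clientData carries a different origin or a challenge it did not issue. Real deployments also track the signature counter and bind the challenge to a session; both are omitted here.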

For years, passkeys were widely considered to be the eventual killers of the password. Promoting passkey adoption is another step the NCSC is taking to boost the state of UK security.

Richard Horne, the agency’s CEO, said this week the number of nationally significant cyberattacks hitting Britain is hovering around similar levels as October, when the NCSC said it witnessed four every week.

Factoring in the current state of geopolitics and increasingly capable frontier AI models that threaten to outpace defenders, Horne urged organizations to prioritize security hygiene as the country enters a period of “tumultuous uncertainty.” ®
