UK Government Sets Timeline to Replace Passwords With Passkeys

The UK government has unveiled plans to roll out passkey technology across its digital services as it seeks to reduce the risk of cyber-attacks to people’s GOV.UK accounts. 

Announced during the CYBERUK 2025 conference in Manchester, this initiative aims to replace the current SMS-based two-factor verification system across government accounts by the end of 2025.

GOV.UK services, which cover critical areas including benefit claims, childcare support, and tax credits, will transition to this more secure authentication method, positioning the UK as a global leader in passwordless technology adoption.

Passkeys: A New Era of Secure Authentication

Passkeys are cryptographic credentials tied to a user’s account on a website or application. Unlike traditional passwords, which can be guessed, stolen, or phished, passkeys leverage public-key cryptography to create a more secure authentication system.

With passkeys, a private key is stored on the user’s device and used to create cryptographic authentication signatures, while the matching public key is stored on the server to verify those signatures.

Authentication is enabled through biometric sensors such as fingerprint or facial recognition, eliminating the need for users to remember complex passwords.

The WebAuthn API, an extension of the Credential Management API, enables this strong authentication with public key cryptography. 

When registering a new passkey, the browser communicates with an authenticator to create credentials that are subsequently stored on the server.

Passkeys offer significant advantages over traditional password authentication:

  • Phishing resistance: Passkeys work only on their registered websites and apps, making them virtually impossible to phish.
  • Time efficiency: It is estimated that passkeys save approximately one minute per login when compared to entering a username, password, and SMS code.
  • Cost reduction: Eliminating SMS-based verification will reduce operational costs for government services.
  • No more password resets: Since passkeys cannot be forgotten or mistyped, the cumbersome process of password resets is eliminated.
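
The key split and the phishing-resistance property described above, shown as an added Node.js example that is not from the original article or any GOV.UK code: a stand-in authenticator signs with the private key, and the server checks challenge, origin, RP ID hash and signature using only the public key. The domains, function names and sample assertions are constructed for illustration; a production relying party would also track the signature counter and look the credential up by ID.

```javascript
// Added example (constructed data): relying-party checks on a passkey login assertion.
const crypto = require("crypto");
const sha256 = (data) => crypto.createHash("sha256").update(data).digest();

// Stand-in for browser + authenticator: signs with the device-held private key.
// In a real login the browser, not the page, writes the origin into clientDataJSON.
function signAssertion(privateKey, rpId, origin, challenge) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: "webauthn.get", challenge: challenge.toString("base64url"), origin }));
  const flags = Buffer.from([0x05]);  // user present (0x01) | user verified (0x04)
  const authenticatorData = Buffer.concat([sha256(rpId), flags, Buffer.alloc(4)]);
  const signature = crypto.sign("sha256",
    Buffer.concat([authenticatorData, sha256(clientDataJSON)]), privateKey);
  return { clientDataJSON, authenticatorData, signature };
}

// Server side: needs only the stored public key and the challenge it issued.
function verifyAssertion(a, publicKey, expected) {
  const client = JSON.parse(a.clientDataJSON.toString("utf8"));
  if (client.type !== "webauthn.get") return "wrong type";
  if (client.challenge !== expected.challenge.toString("base64url")) return "challenge mismatch";
  if (client.origin !== expected.origin) return "origin mismatch";
  if (!a.authenticatorData.subarray(0, 32).equals(sha256(expected.rpId))) return "rpId mismatch";
  if ((a.authenticatorData[32] & 0x01) === 0) return "user not present";
  const signed = Buffer.concat([a.authenticatorData, sha256(a.clientDataJSON)]);
  return crypto.verify("sha256", signed, publicKey, a.signature) ? "ok" : "bad signature";
}

function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  const expected = { rpId: "service.example", origin: "https://service.example",
                     challenge: crypto.randomBytes(32) };
  const sign = (rpId, origin, ch) => signAssertion(privateKey, rpId, origin, ch);
  const good = sign(expected.rpId, expected.origin, expected.challenge);
  // Lookalike site relaying the real challenge: the signed origin gives it away.
  const phished = sign("service-login.example", "https://service-login.example", expected.challenge);
  // Assertion captured from an earlier login, signed over a different challenge.
  const replayed = sign(expected.rpId, expected.origin, crypto.randomBytes(32));
  // Authenticator data altered after signing (last byte of the sign counter).
  const tampered = { ...good, authenticatorData: Buffer.from(good.authenticatorData) };
  tampered.authenticatorData[36] ^= 1;
  const check = (a) => verifyAssertion(a, publicKey, expected);
  return { good: check(good), phished: check(phished),
           replayed: check(replayed), tampered: check(tampered) };
}

console.log(demo());
```

In a real browser the credential would not be offered on the lookalike origin at all, because it is scoped to the registered RP ID; the server-side origin check is the second layer.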

UK Government’s Move to Passkeys

AI and Digital Government Minister Feryal Clark emphasized the importance of this transition: “This shift will not only save users valuable time when interacting with the government online, but it will reduce fraud and phishing risks that damage our economic growth”.

The National Health Service (NHS) has already pioneered this approach, becoming one of the first government organizations globally to offer passkeys for user accounts. 

During a special session at CYBERUK 2025, NHS representatives shared their experiences and lessons learned from this implementation.

Accompanying the announcement, the National Cyber Security Centre (NCSC) revealed it is developing passkey support for its own myNCSC platform, with availability expected later this year. 

Additionally, the UK government has joined the FIDO Alliance, an open industry association dedicated to shaping password-free authentication standards.

NCSC Chief Technical Officer Ollie Whitehouse urged all UK organizations to develop strategies to move beyond traditional password and multi-factor authentication solutions, stating that passkeys protect against common cyber threats such as phishing and credential stuffing.

“We strongly advise all organizations to implement passkeys wherever possible to enhance security, provide users with faster, frictionless logins and to save significant costs on SMS authentication,” he said.

The government’s membership in the FIDO Alliance will enable it to play an active role in the evolution of passkey standards, ensuring the UK maintains its position at the forefront of cybersecurity innovation.
