In a decisive move that could reshape how users log in online, the National Cyber Security Centre (NCSC) is urging consumers to abandon passwords in favour of passkeys, positioning them as the future of authentication.
“Passkeys should become consumers’ first choice for logging into digital services,” NCSC said. Overhauling decades of security guidance, the agency will no longer recommend passwords where passkeys are available, citing passwords’ weaker resistance to current cyber threats.
Since most breaches start with stolen or compromised login details, adopting passkeys is viewed as a reliable defence against phishing attacks.
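To show what makes a passkey login phishing-resistant in practice, here is an added example (not from the article, NCSC or the FIDO Alliance) of the relying-party checks a server performs on a WebAuthn assertion before it verifies the signature: the challenge it issued must be echoed back, the browser-supplied origin must match the real site, and the authenticator's rpIdHash must match the site's RP ID, so an assertion produced on a lookalike domain fails even if the user was tricked. The RP ID, origin, challenge and function names are constructed for this example; a real deployment would also verify the signature with the stored public key and track the sign counter.

```python
import base64
import hashlib
import json

# Constructed values for this example (not from the article): the relying
# party's domain (RP ID), its web origin, and the one-time challenge it issued.
RP_ID = "example.com"
EXPECTED_ORIGIN = "https://example.com"
ISSUED_CHALLENGE = b"constructed-random-challenge-0001"


def b64url(data: bytes) -> str:
    """Unpadded base64url, as WebAuthn encodes the challenge in clientDataJSON."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def build_client_data(origin: str, challenge: bytes) -> bytes:
    """Constructed clientDataJSON as the browser would produce for a login."""
    payload = {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}
    return json.dumps(payload).encode()


def build_authenticator_data(rp_id: str, user_present: bool = True) -> bytes:
    """Constructed authenticatorData: rpIdHash (32) + flags (1) + signCount (4)."""
    flags = 0x01 if user_present else 0x00
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + (0).to_bytes(4, "big")


def verify_assertion_binding(client_data_json: bytes, authenticator_data: bytes,
                             rp_id: str, expected_origin: str, issued_challenge: bytes) -> bool:
    """Relying-party binding checks that precede signature verification."""
    if len(authenticator_data) < 37:
        return False
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        return False
    if client_data.get("challenge") != b64url(issued_challenge):  # replay / stale
        return False
    if client_data.get("origin") != expected_origin:  # lookalike site
        return False
    if authenticator_data[:32] != hashlib.sha256(rp_id.encode()).digest():  # wrong RP
        return False
    if not authenticator_data[32] & 0x01:  # user-presence flag not set
        return False
    return True
```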
“This is not a decision taken lightly,” the agency noted. “It is based on extensive engagement with websites, app developers, technology vendors and the FIDO Alliance, alongside significant technical and sociotechnical research carried out by the agency.”
NCSC had planned this move last year but abandoned it due to what it described as “some key implementation challenges.”
Alongside the recommendation, the agency also published a new technical report outlining the benefits of passkeys, the risks associated with passwords, and guidance for organizations on how to implement passkeys securely.
“As with any security control, passkeys are most effective when implemented and used sensibly. Users still depend on the security of their devices and credential managers, and services should give users clear ways to manage and remove credentials and to set up recovery options,” noted Dave Chismon, NCSC CTO for Architecture.
Where a service does not support passkeys, NCSC advises consumers to use a password manager to generate stronger passwords and continue using two-step verification.
“Adopting passkeys wherever you can is a strong step towards a safer, simpler login experience, and I am pleased that we can support their uptake,” said Jonathon Ellison, NCSC Director for National Resilience.
“The headaches of remembering passwords no longer need to be part of logging in where users move to passkeys. They are a user-friendly alternative that provides stronger overall resilience.”
According to Sophos, organizations do not need to build passkey infrastructure from scratch, as providers such as Microsoft, Google and Okta already support passkeys within their authentication platforms. The priority is enabling and enforcing passkeys within existing identity systems.
“Organizations also need to consider where passkeys will be stored (e.g., directly on the user’s laptop, in a cloud-based password manager, on a physical token such as a YubiKey) and how to restore access if a passkey is lost, deleted, or corrupted,” Sophos added.