NCSC says passkeys should replace passwords as the preferred way to sign in
The UK’s National Cyber Security Centre (NCSC) has said passkeys should now be the first choice for consumer logins, marking a notable shift away from traditional passwords. The agency, part of GCHQ,...
The UK’s National Cyber Security Centre (NCSC) has said passkeys should now be the first choice for consumer logins, marking a notable shift away from traditional passwords. The agency, part of GCHQ, says the technology is now mature enough for broad use and offers a simpler, safer way to access online accounts.
Passkeys work differently from passwords. Instead of typing in a secret string of characters, users approve a sign-in on their device, often with a fingerprint, face scan or device unlock. The NCSC says this reduces the burden on users while making account takeover much harder for criminals.
The announcement was made alongside a new technical report released during CYBERUK in Glasgow. According to the NCSC, passkeys are at least as secure as, and usually more secure than, a strong password combined with two-step verification. The agency argues that this is especially important because many attacks on individuals begin with stolen or compromised login details.
Why the NCSC is backing passkeys
Less vulnerable to phishing: passkeys are designed to resist common tricks used to steal login credentials.
Faster sign-in: the NCSC says logging in with a passkey can be several times quicker than using a password and verification code.
Less password stress: users do not need to remember multiple complex passwords or change them regularly.
Potential cost savings: service providers can reduce reliance on SMS-based verification, which can be more expensive to operate.
Industry support has also expanded. Major services such as Google, eBay and PayPal already offer passkey support, and Google data cited by the NCSC suggests the UK is among the leading markets for adoption, with more than half of active Google users in the country having a passkey registered.
The NCSC said it had held back from recommending passkeys last year because of implementation issues, but believes those barriers have now eased. For services that do not yet support passkeys, the agency still recommends using a password manager to create strong passwords and enabling two-step verification.
The guidance reflects a broader government push to modernise digital authentication. The UK government has already announced plans to introduce passkeys across its own services as an alternative to SMS verification.
