NCSC to recommend passkeys as preferred sign-in method where available

The UK National Cyber Security Centre has said it will begin advising people to use passkeys wherever online services support them, with two-step verification (2SV) remaining the fallback option when...

The UK National Cyber Security Centre has said it will begin advising people to use passkeys wherever online services support them, with two-step verification (2SV) remaining the fallback option when passkeys are not available. The change was announced at CYBERUK 2026 in Glasgow and will be rolled into the agency’s guidance over time rather than introduced in a single step.

The NCSC said the update follows extensive work with website operators, app developers, technology companies and the FIDO Alliance, as well as technical and social research into how people actually use login systems.

Why the guidance is changing

In a paper released alongside the announcement, the agency compared common login methods from the perspective of an individual user. It looked at the full lifecycle of credentials, including creation, storage, use, synchronisation, recovery and revocation, and assessed the kinds of attacks most often seen in real incidents.

The NCSC said traditional forms of multi-factor authentication, such as passwords plus SMS codes, email codes, app-generated one-time passwords, hardware tokens and push approvals, are still vulnerable to phishing. By contrast, FIDO2 credentials, including passkeys, resist the common attacks used against accounts in the wild.

What the NCSC says about passkeys

  • Passkeys and other FIDO2 credentials are at least as secure as traditional MFA for common threats.
  • When user verification is required, FIDO2 can count as multi-factor authentication.
  • Because passkeys cannot be easily copied or relayed, large-scale phishing-style attacks are far less effective.
  • Where passkeys are supported, they should generally be the first choice for users.

The agency also addressed concerns about synchronised passkeys, noting that many people already rely on cloud-based syncing for password managers, email and authenticator apps. It said the main issue is whether the account used to protect that synchronisation is well secured.

The NCSC added that traditional 2SV still matters as a backup for services that have not adopted passkeys. But for websites and apps that do support them, the agency believes passkeys offer a practical way to raise the bar against account compromise and phishing.