NCSC heralds end of passwords for consumers and pushes secure passkeys

UK National Cyber Security Centre is urging consumers to replace passwords and two-factor authentication with passkeys, following a technical study that shows they are more secure and easier to use

Consumers are being urged to replace passwords with passkeys as a simpler, more secure method of accessing online services.

The National Cyber Security Centre (NCSC), part of the signals intelligence agency GCHQ, said today that it would no longer recommend that individuals use passwords for logging on where passkeys are available as an alternative.

Passkeys, which are securely stored on people’s phones, computers, or in third-party credential managers, are quicker and easier to use than passwords and offer stronger security.

The NCSC’s recommendation follows a technical study that shows passkeys are at least as secure as – and generally more secure than – a password combined with two-factor authentication, such as an authorisation code sent by SMS.

Resilience against phishing

The agency claims that a move to passkeys would boost the UK’s resilience to phishing attacks and other hacking attempts, the majority of which rely on criminals stealing or compromising login details.

The UK government announced last year that it would roll out passkey technology for digital services as an alternative to current SMS-based verification systems, which incur additional costs for sending SMS messages.

The NHS became one of the first government organisations in the world to use passkeys to give patients secure access to hospital and pharmacy websites.

Online service providers, including Google, eBay and PayPal, also support passkeys. According to Google, over 50% of active Google users in the UK have a registered passkey – the highest uptake. Microsoft is also introducing passkeys for Hotmail.

Better security than 2FA

Passkeys offer a greater level of security than passwords and SMS two-factor authentication (2FA), both of which can be compromised by hackers.

They allow people to log into websites securely, using their own mobile phones, tablets or laptops to verify their identity by entering a PIN or using facial recognition.

Passwords combined with SMS-based two-factor authentication can be vulnerable to “SIM swapping” attacks, where criminals allocate a victim’s phone number to a phone SIM card to intercept authentication codes.

The NCSC said that it stopped short of endorsing passkeys last year because there were still key implementation challenges.

However, it said that progress with the technology over the past year, including the ability to move passkeys between Android and Apple phones, has now made the technology viable.

Passkeys not yet recommended for business

The centre said it can now recommend passkey technology to the public as a more secure and user-friendly login method, and to businesses as the default authentication option for consumers.

The NCSC is not yet recommending passkeys for business applications, which will take longer to phase in. Many organisations rely on old IT systems that do not support passkeys or two-factor authentication.

The NCSC said that where services do not support passkeys, it advises consumers to create strong passwords and use two-factor authentication.

Jonathon Ellison, director for national resilience at the NCSC, said moving to passkeys would accelerate the UK’s resilience against cyber attacks.

“The headaches that remembering passwords have caused us for decades no longer need to be a part of logging in, where users migrate to passkeys – they are a user-friendly alternative, which provides stronger overall resilience,” he said.

Phasing out passwords will be gradual, with the first step being for people to become comfortable with using passkeys. Big banks are expected to phase in the technology over the next three to five years.

How passkeys work

When people sign up for accounts using passkeys, their device creates a private key, which remains on the device, and a public key, which is stored by the service they wish to access.

The device will prove to the website that it has the correct private key when the owner signs into a service, without disclosing the private key to the service provider.
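The sign-up and sign-in exchange described above can be sketched as follows. This is an added example, not code from the NCSC or any passkey vendor, and it is a simplified model rather than full WebAuthn. The function names, the `shop.example` origins and the origin check (which goes beyond the article's text and shows why a lookalike site gains nothing from relaying a login) are assumptions made for illustration.

```javascript
// Simplified passkey-style challenge-response using Node's built-in crypto module.
const crypto = require("crypto");

// Sign-up: the device creates a key pair; only the public key is sent to the service.
function registerPasskey() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  return { device: { privateKey }, server: { publicKey } };
}

// Service side: a fresh random challenge for every sign-in attempt.
function newChallenge() {
  return crypto.randomBytes(32).toString("hex");
}

// Device side: sign the challenge together with the origin the browser is actually on.
function deviceSign(device, challenge, origin) {
  const clientData = JSON.stringify({ challenge, origin });
  const signature = crypto.sign("sha256", Buffer.from(clientData), device.privateKey);
  return { clientData, signature };
}

// Service side: check the signature first, then the challenge and origin it covers.
function serverVerify(server, expectedChallenge, expectedOrigin, assertion) {
  const data = Buffer.from(assertion.clientData);
  if (!crypto.verify("sha256", data, server.publicKey, assertion.signature)) return "bad-signature";
  const { challenge, origin } = JSON.parse(assertion.clientData);
  if (challenge !== expectedChallenge) return "stale-challenge";
  if (origin !== expectedOrigin) return "wrong-origin";
  return "ok";
}

// Constructed scenarios; both origins are made-up sample values.
function demo() {
  const { device, server } = registerPasskey();
  const site = "https://shop.example", lookalike = "https://shop-login.example";
  const c1 = newChallenge();
  const legit = serverVerify(server, c1, site, deviceSign(device, c1, site));
  // A lookalike page relays the real challenge, but the device signs the origin it sees.
  const c2 = newChallenge();
  const phished = serverVerify(server, c2, site, deviceSign(device, c2, lookalike));
  // A captured response is replayed against a later challenge.
  const replayed = serverVerify(server, newChallenge(), site, deviceSign(device, c1, site));
  // Rewriting the signed origin afterwards invalidates the signature.
  const forged = deviceSign(device, c2, lookalike);
  forged.clientData = forged.clientData.replace(lookalike, site);
  const tampered = serverVerify(server, c2, site, forged);
  return { legit, phished, replayed, tampered };
}

console.log(demo());
```

The private key never appears in anything the service receives; the service only ever handles the public key, the challenge and the signature.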

Passkeys are designed to synchronise across different devices, so a passkey stored on an iPhone would be automatically shared with the owner’s iPad.

If a person loses a device and does not have a copy of the passkey on a second device, they will be able to recover it by going through an account recovery process.

Unlike passwords, passkeys are cryptographically generated and do not need to be changed regularly to remain secure.

They are stored in a “secure enclave” on phones and computers, which means they cannot be accessed if the device is compromised or lost.
