Info Gov

The National Cyber Security Centre (NCSC) has formally advised organisations and consumers to move away from passwords where passkeys are available as traditional passwords no longer provide sufficient resilience against modern cyber threats

In new guidance released at the CYBERUK conference in Glasgow, the NCSC - part of GCHQ - said that passwords should not be used where passkey-based authentication is an option. The guidance represents a significant change in position from the government’s technical authority on cyber security, which had previously stopped short of recommending passkeys because of implementation and interoperability challenges.

Passkeys are a relatively new method of signing into online services that replaces passwords with cryptographic credentials stored on a user’s device. Instead of typing a password, users authenticate using biometrics such as a fingerprint or facial recognition, or a device PIN.

According to the NCSC, this approach makes passkeys faster and easier for users while significantly reducing the risk of phishing, credential theft and password reuse, all of which remain leading causes of cyber incidents affecting individuals and organisations.

A technical report published alongside the announcement concludes that passkeys are at least as secure as, and generally more secure than, strong passwords combined with two‑step verification (2SV).

The NCSC is encouraging organisations to make passkeys the default authentication option where possible, with passwords retained only where passkeys cannot yet be supported. The NCSC said earlier concerns about industry readiness had largely been addressed, with major technology providers now offering broad support for passkeys. Platforms cited include Google, eBay and PayPal.

Data published with the guidance shows that just over half of UK Google users already have at least one passkey registered, suggesting growing public familiarity with the technology.

The NCSC stressed that where passkeys are not available, organisations should continue to use strong, unique passwords combined with 2SV, ideally managed through password managers.

Jonathan Ellison, Director for National Resilience at the NCSC, said that the move towards passkeys marked a decisive step away from decades of reliance on passwords as the primary means of authentication. Passkeys remove “the headaches that remembering passwords have caused us for decades”, he said, while providing stronger protection against current and emerging cyber threats.

Also in this section

Jul 16, 2026

Scattered Spider pair jailed over TfL hack

Two members of the Scattered Spider hacking collective have each been jailed for five and a half years at Woolwich Crown Court on 16 July over a 2024 cyber attack on Transport for London that compromised the personal data of millions of customers and cost the transport authority £39 million.
Jul 15, 2026

Government introduces mandatory data breach reporting protocol

The Cabinet Office has published a Model Action Plan setting out a single cross-government framework that all departments and arms-length bodies must follow when responding to significant personal data breaches, introducing mandatory central reporting of such incidents for the first time.
Jun 29, 2026

"Five eyes" warn on accelerating cyber security threat from AI

The National Cyber Security has called on organisational leaders to treat cyber resilience as a core business and governance responsibility rather than a technical matter in the light of a report by the Five Eyes intelligence alliance on the "fundamental" impact of AI on the speed and scale of cyber threats.
Jun 15, 2026

Government AI hackathons uncover 407 vulnerabilities across nine departments, including critical remote code execution flaw

A pilot programme using frontier AI models to scan public-sector code repositories has identified 407 security findings across nine government organisations, including a critical vulnerability that could have allowed an external attacker to execute arbitrary code on a key digital service, the Department for Science, Innovation and Technology (DSIT) and the National Cyber Security Centre (NCSC)…

InfoGov Masthead Newsletter 800