
The National Cyber Security Centre (NCSC) has formally advised organisations and consumers to move away from passwords where passkeys are available, as traditional passwords no longer provide sufficient resilience against modern cyber threats.

In new guidance released at the CYBERUK conference in Glasgow, the NCSC - part of GCHQ - said that passwords should not be used where passkey-based authentication is an option. The guidance represents a significant change in position from the government’s technical authority on cyber security, which had previously stopped short of recommending passkeys because of implementation and interoperability challenges.

Passkeys are a relatively new method of signing into online services that replaces passwords with cryptographic credentials stored on a user’s device. Instead of typing a password, users authenticate using biometrics such as a fingerprint or facial recognition, or a device PIN.

According to the NCSC, this approach makes passkeys faster and easier for users while significantly reducing the risk of phishing, credential theft and password reuse, all of which remain leading causes of cyber incidents affecting individuals and organisations.

A technical report published alongside the announcement concludes that passkeys are at least as secure as, and generally more secure than, strong passwords combined with two‑step verification (2SV).

The NCSC is encouraging organisations to make passkeys the default authentication option where possible, with passwords retained only where passkeys cannot yet be supported. The NCSC said earlier concerns about industry readiness had largely been addressed, with major technology providers now offering broad support for passkeys. Platforms cited include Google, eBay and PayPal.

Data published with the guidance shows that just over half of UK Google users already have at least one passkey registered, suggesting growing public familiarity with the technology.

The NCSC stressed that where passkeys are not available, organisations should continue to use strong, unique passwords combined with 2SV, ideally managed through password managers.

Jonathan Ellison, Director for National Resilience at the NCSC, said that the move towards passkeys marked a decisive step away from decades of reliance on passwords as the primary means of authentication. Passkeys remove “the headaches that remembering passwords have caused us for decades”, he said, while providing stronger protection against current and emerging cyber threats.
