Brian Sims
Editor
THE NATIONAL Cyber Security Centre (NCSC), the Government’s technical authority on cyber security, has stated that passkeys should now be consumers’ first choice of login across all digital services.
Overhauling decades’ worth of security practice, the NCSC – itself a part of GCHQ – has taken the decision to no longer recommend individuals use passwords where passkeys are available as passwords “lack the relative resilience” to modern cyber threats.
Passkeys are a newer method for logging into online accounts. They do much of the heavy lifting for users, only requiring user approval rather than needing to input a password. This makes passkeys quicker and easier to use and harder for cyber attackers to compromise.
A new technical report, published on Day Two of CYBERUK (the UK Government’s flagship cyber security event that ran in Glasgow) shows passkeys are at least as secure as – and, generally, more secure than – pairing the strongest password with two-step verification.
The majority of cyber harms to individuals start with criminals stealing or compromising login details, making the adoption of passkeys a huge leap forward in boosting the UK’s resilience to phishing attacks.
A number of popular online service providers (among them Google, eBay and PayPal) already support passkeys. Indeed, new data from Google shows that the UK already leads on the global adoption of passkeys, with just over 50% of active Google services users in the UK having one registered.
The NCSC stopped short of endorsing the adoption of passkeys last year due to some key implementation challenges. However, progress within industry means that they can now be recommended to the public as the more secure and user-friendly login method and to businesses as the default authentication option that can be offered to consumers.
Supporting uptake
Jonathon Ellison, director for national resilience at the NCSC, stated: “Adopting passkeys wherever possible is a strong step towards a safer and simpler login experience. I’m pleased that we can now support their uptake.”
Ellison continued: “The headaches that remembering passwords has caused us for decades no longer need to be a part of logging in where users migrate to passkeys. They are a user-friendly alternative, which also provides stronger overall resilience.”
In conclusion, Ellison noted: “As we aim to accelerate the UK’s cyber defences at scale, moving to passkeys is something all of us can do to improve the security of everyday digital services and be prepared for modern and future cyber threats.”
Where a particular service doesn’t support passkeys, the NCSC’s Best Practice advice to consumers is to use a password manager to create stronger passwords and keep using two-step verification.
Making passkeys the default authentication recommendation is a critical step towards revolutionising the way in which individuals use and access their online identities.
Key benefits
The key benefits of passkeys include the following:
Easy to use: Fast, frictionless passkey logins can be completed up to eight times faster than signing in with a username, password and two-step verification code.
Harder to compromise: Passkeys are highly resistant to phishing attacks and cannot be intercepted, reused or guessed.
Reduced password fatigue: Users no longer need to meet additional requirements, such as creating complex passwords or even remembering them at all. This prevents weak points and patterns from developing across a given user’s online presence.
Security that pays off: Safety and savings can go hand in hand for online service providers that make passkeys available for customers, replacing SMS-based verification systems which incur additional costs.
Last year, the Government announced that it would roll out passkey technology for its digital services as an alternative to the current SMS-based verification system, offering a more secure and cost-effective solution that could save several million pounds on an annual basis.
Industry viewpoint
Andy Ward, senior vice-president for international business at Absolute Security, commented: “Traditional security measures such as passwords are being made obsolete due to the fact that the threat landscape is moving so quickly, largely driven by Artificial Intelligence and agents. Once a cyber criminal cracks a password and gains access to a device or application, then they can often breach the wider network, steal sensitive customer and personal data and cause as much as two weeks’ worth of downtime for IT systems.”
Ward continued: “The challenge is the delay from the NCSC’s warning and people upgrading from traditional passwords to more secure passkeys, giving malicious actors a window to exploit weak defences. It’s therefore vital that organisations bolster their cyber security posture in order to recover from attacks when, and not if, they happen. Security teams need remote restoration and recovery capabilities to bounce back from a breach and minimise the downtime suffered from systems being offline.”
In conclusion, Ward observed: “As stated, some organisations can experience up to two weeks’ worth of downtime from cyber attacks and software failure. Organisations cannot let that situation be due to a weak password.”
*Further information is available online at www.ncsc.gov.uk